
vuln.sg Vulnerability Research Advisory

Ice Cold Apps Multiple Products HTTP Directory Traversal Vulnerability

by Tan Chew Keong
Release Date: 2013-05-15


Summary

A vulnerability has been found within the Web Server functionality of Ice Cold Apps Servers Ultimate and HTTPS / FTPS / SFTP Server. When exploited, this vulnerability allows an anonymous attacker to download files from arbitrary locations on a user's Android device.


Tested Versions


Details

This advisory discloses a vulnerability within the Web Server functionality of Ice Cold Apps Servers Ultimate and HTTPS / FTPS / SFTP Server. When exploited, this vulnerability allows an anonymous attacker to download files from arbitrary locations on a user's Android device, including files in other subdirectories under /mnt/sdcard/ that the user never intended to share.

The Web Server functionality does not properly sanitise HTTP requests received from a browser that contain directory traversal sequences (../). The requested path is resolved relative to the configured document root without checking that the result stays inside it, which allows a malicious attacker to download files from arbitrary directories on the user's Android device.
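The following is an added illustration written for this advisory; it is not code from Servers Ultimate or HTTPS / FTPS / SFTP Server. It shows the check the affected servers lack (confining a decoded request target to the document root by comparing the resolved path, rather than searching the raw string for ../), and reuses that check to triage an access log for requests that would have escaped the root. The document root value, the function names and the log lines are constructed for the example; the log lines mirror the request shown in the POC section plus percent-encoded and self-cancelling variants.

```python
"""Document-root confinement and access-log triage for the traversal issue
described in this advisory. Added example; not code from Servers Ultimate or
HTTPS / FTPS / SFTP Server. DOCROOT and the log lines are constructed."""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Mirrors the document root used in the advisory's reproduction steps.
DOCROOT = "/mnt/sdcard/public"


def resolve_request_path(docroot: str, request_target: str) -> Optional[str]:
    """Map an HTTP request-target onto a path under docroot.

    Returns the normalised absolute path, or None if the target would land
    outside the document root. The decision is made on the resolved path
    rather than by searching the raw string for '../', so percent-encoded
    sequences (%2e%2e%2f) and targets without a leading '/' are handled the
    same way. A real server should additionally resolve symlinks
    (os.path.realpath) before serving the file; that is omitted here so the
    example does not depend on the local filesystem.
    """
    root = posixpath.normpath(docroot)
    # Drop the query string, percent-decode once, and treat the target as
    # relative to the root regardless of whether it starts with '/'.
    path = unquote(request_target.split("?", 1)[0]).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def contains_dotdot_segment(request_target: str) -> bool:
    """Cheap signature check: any '..' path segment after one level of
    percent-decoding. This also flags benign self-cancelling paths such as
    /docs/../index.html, so it suits alerting, not access control."""
    decoded = unquote(request_target.split("?", 1)[0])
    return any(seg == ".." for seg in re.split(r"[\\/]", decoded))


# Common Log Format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})'
)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2013:10:01:02 +0800] "GET /index.html HTTP/1.0" 200 512
10.0.0.5 - - [15/May/2013:10:01:09 +0800] "GET ../../../../../../etc/hosts HTTP/1.0" 200 174
10.0.0.7 - - [15/May/2013:10:02:30 +0800] "GET /docs/%2e%2e/%2e%2e/DCIM/IMG_0001.jpg HTTP/1.1" 200 90
10.0.0.9 - - [15/May/2013:10:03:44 +0800] "GET /docs/../index.html HTTP/1.1" 200 512
"""


def find_escaping_requests(log_text: str, docroot: str) -> List[Tuple[str, str]]:
    """Return (client_ip, request_target) for every logged request whose
    target resolves outside docroot. On an unpatched server, hits with
    status 200 should be treated as confirmed exposure of those files."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if resolve_request_path(docroot, target) is None:
            hits.append((m.group("ip"), target))
    return hits


if __name__ == "__main__":
    for ip, target in find_escaping_requests(SAMPLE_LOG, DOCROOT):
        print(f"{ip} requested a path outside {DOCROOT}: {target}")
```

The two checks are deliberately separate: contains_dotdot_segment is the kind of pattern a log monitor or WAF rule would use and fires on the harmless /docs/../index.html line as well, whereas resolve_request_path is the one a server must apply before opening a file, since only the resolved path tells you whether the root was actually left.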


POC / Test Code

The instructions below illustrate how this vulnerability can be reproduced using Servers Ultimate. The steps for reproducing the vulnerability on HTTPS / FTPS / SFTP Server are very similar and hence are not repeated.


  1. Create the directory /mnt/sdcard/public on the Android device. Assume that the user only wants to share files within this directory.
  2. Create a Web Server instance in Servers Ultimate and configure the DOCUMENT ROOT to point to /mnt/sdcard/public as shown in the screenshot below.
  3. Start the configured Web Server instance on Servers Ultimate, and confirm that it is accessible using a web browser. Note that only files within /mnt/sdcard/public will be displayed.
  4. Using a tool such as netcat (for example, Ncat from the Nmap suite), send the following request to Servers Ultimate to confirm that the /etc/hosts file can be obtained via directory traversal.

      GET ../../../../../../etc/hosts HTTP/1.0
      <enter twice>

  5. By exploiting this vulnerability, an attacker can download files from other subdirectories under /mnt/sdcard/ that the user never intended to share.
 


Patch / Workaround

Fixed in Servers Ultimate version 5.8.0 and HTTPS / FTPS / SFTP Server version 4.6.1.

Vendor's advisory here.


Disclosure Timeline

2013-05-10 - Vulnerability Discovered.
2013-05-12 - Vulnerability Details Sent to Vendor.
2013-05-14 - Fixed Version Released by Vendor.
2013-05-15 - Public Release.


Contact
For further enquiries, comments, suggestions or bug reports, simply email them to