lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <533BE3E0.8010305@sec-consult.com>
Date: Wed, 2 Apr 2014 13:18:08 +0300
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <fulldisclosure@...lists.org>, <bugtraq@...urityfocus.com>
Subject: [FD] SEC Consult SA-20140402-0 :: Multiple vulnerabilities in
 Rhythm File Manager

SEC Consult Vulnerability Lab Security Advisory < 20140402-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Rhythm Software File Manager
                     Rhythm Software File Manager HD
 vulnerable version: File Manager 1.16.6
                     File Manager HD 1.11.5
      fixed version: -
         CVE number: -
             impact: critical
           homepage: http://rhmsoft.com/
              found: 2013-12-01
                 by: Wolfgang Ettlinger
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Full featured file manager on Android, fresh UI design and user
friendly functions!"

URL: http://rhmsoft.com/?p=78

"Best tablet optimized file manager on Honeycomb! High definition
(1280*800) with fresh UI design and user friendly functions! Special
optimization for tablets and certified on Honeycomb! Enjoy it!"

URL: http://rhmsoft.com/?p=4


Vulnerability overview/description:
-----------------------------------
1) Local File Disclosure
When streaming from the network (e.g. when a video from an SMB share is opened
in a video player) the App opens a HTTP server on port 37564. This web server
allows anyone on the same network to retrieve arbitrary local files the App has
access to. If the App is configured to use root permissions, local files can be
read as the local superuser.

2) Privilege Escalation
Any local App can open directories in the File Manager. As the File Manager
does not properly escape special characters in the file path when used with
root privileges, any local App can inject arbitrary commands that are executed
as the user root.

This vulnerability can also be exploited with crafted directory names. An
attacker could e.g. provide an archive file. When the victim unpacks
the archive and opens the unpacked directory in the File Manager, commands
contained in the directory name are executed as the user root.

3) Unauthenticated Remote Command Injection
If the File Manager is configured to browse with root privileges, the file path
from vulnerability 1 (Local File Disclosure) is not being escaped properly
before being passed to the "su" command. This allows users on the same network
to execute arbitrary commands as the user root.


Proof of concept:
-----------------
No proof of concepts are provided as the vendor did not provide a patch.


Vulnerable / tested versions:
-----------------------------
These vulnerabilities were verified with the following versions:
* File Manager 1.16.6
* File Manager HD 1.11.5


Vendor contact timeline:
------------------------
2014-02-05: Contacting vendor through support@...soft.com
2014-02-06: Initial vendor response
2014-02-10: Sending advisory information
2014-02-19: Sending public release schedule as the vendor did not acknowledge
            the retrieval of the preliminary security advisory
2014-02-19: Vendor acknowledges the vulnerabilities and states that he will
            try to fix them before the public disclosure date
2014-03-26: Asked vendor whether the vulnerabilities have been fixed/will be
            fixed before public release date.
2014-03-30: Vendor states that the vulnerabilities will be fixed in
            "near future".
2014-03-31: Informed vendor that the advisory will be released as planned.
2014-04-02: Public release of the advisory.


Solution:
---------
The vendor did not fix the vulnerabilities. The vendor states that the
vulnerabilities will be fixed in near future.


Workaround:
-----------
There is no workaround known other than to uninstall the App until a patch
is available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@...-consult.com

EOF Wolfgang Ettlinger / @2014

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ