Multiple vulnerabilities in SHAREit for Android



Updated: 2019-03-22
Risk: Medium
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2019-9939, CVE-2019-9938
CWE-ID: CWE-287, CWE-22
Exploitation vector: Local network
Public exploit: Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available.
Vulnerable software: SHAREit for Android (Mobile applications / Apps for mobile phones)
Vendor: SHAREit Technologies Co.Ltd

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

UPDATED: 22.03.2019
Assigned CVE-IDs.

1) Improper Authentication

EUVDB-ID: #VU17874

Risk: Medium

CVSSv4.0: 5.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2019-9939

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists because the application grants access permissions to any client that requests a non-existing page. A remote attacker can send an HTTP GET request for a non-existing page to the application on port 2999/tcp. The application will add the attacker's device to the list of recognized devices, and subsequent requests to the application will be treated as authenticated.

A remote attacker with the ability to connect directly to the application over the network can bypass authentication and gain unauthorized access to files on the device.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SHAREit for Android: 3.0.18 - 4.0.38

External links

https://blog.redforce.io/shareit-vulnerabilities-enable-unrestricted-access-to-adjacent-devices-files/
https://github.com/redforcesec/DUMPit/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into performing certain actions on the device.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

2) Directory traversal

EUVDB-ID: #VU17875

Risk: Medium

CVSSv4.0: 5.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2019-9938

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to access arbitrary files on the device.

The vulnerability exists because the application delivers to authenticated clients any file whose path is passed via the "metadataid" HTTP GET parameter. A remote authenticated attacker can specify the full path to a file on the device and download it.

Please note that the affected version of the application contains another vulnerability that allows an attacker to bypass the authentication process. As a result, a remote unauthenticated attacker who can successfully exploit both vulnerabilities can read arbitrary files from the device.
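The two flaws chain because authentication state changed on an error path and the "metadataid" value was used as a file path. The following Python model of the corrected logic is an added example, not SHAREit's code and not part of the original bulletin; it goes beyond the full-path case described above to also reject `..` sequences and symlinks that leave the shared directory. The class and method names, the `download` page name, the status codes and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

class HardenedShareServer:
    """Toy model of a LAN file-sharing service; all names are hypothetical."""
    def __init__(self, share_root):
        self.share_root = os.path.realpath(share_root)
        self.recognized = set()  # devices the user explicitly approved

    def approve(self, device_id):
        # Only an explicit pairing step adds a device; no request path does.
        self.recognized.add(device_id)

    def resolve(self, metadataid):
        # Treat the parameter as a name under the share root, never a path.
        if not metadataid or os.path.isabs(metadataid) or "\x00" in metadataid:
            return None
        target = os.path.realpath(os.path.join(self.share_root, metadataid))
        # realpath collapses ".." and symlinks; commonpath is not a string prefix test.
        if os.path.commonpath([self.share_root, target]) != self.share_root:
            return None
        return target if os.path.isfile(target) else None

    def handle_get(self, device_id, page, metadataid=None):
        # Authenticate before routing: an unknown page cannot change auth state.
        if device_id not in self.recognized:
            return 401, b""
        if page != "download":
            return 404, b""
        path = self.resolve(metadataid)
        if path is None:
            return 403, b""
        with open(path, "rb") as fh:
            return 200, fh.read()

def demo():
    # Constructed layout: one shared file and one private file outside the root.
    with tempfile.TemporaryDirectory() as base:
        share, private = os.path.join(base, "share"), os.path.join(base, "private.db")
        os.mkdir(share)
        for name, data in ((os.path.join(share, "photo.jpg"), b"img"), (private, b"secret")):
            with open(name, "wb") as fh:
                fh.write(data)
        srv = HardenedShareServer(share)
        before = [srv.handle_get("dev-A", p, private)[0] for p in ("no-such-page", "download")]
        srv.approve("dev-A")
        after = [srv.handle_get("dev-A", "download", m)[0]
                 for m in (private, "../private.db", "photo.jpg")]
        return before + after
```

`demo()` returns the status codes seen by an unapproved device (two requests) and then by the same device after approval (three requests).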

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

SHAREit for Android: 3.0.18 - 4.0.38

External links

https://blog.redforce.io/shareit-vulnerabilities-enable-unrestricted-access-to-adjacent-devices-files/
https://github.com/redforcesec/DUMPit/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into performing certain actions on the device.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.


