SB2019022702 - Multiple vulnerabilities in SHAREit for Android
Published: February 27, 2019 Updated: March 22, 2019
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2019-9939)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists because the application grants access permissions to any client that requests a non-existing page. A remote attacker can send an HTTP GET request for a non-existing page to the application on port 2999/tcp. The application will then add the attacker's device to the list of recognized devices, and subsequent requests to the application will be treated as authenticated.
A remote attacker who can connect directly to the application over the network is able to bypass authentication and gain unauthorized access to files on the device.
2) Directory traversal (CVE-ID: CVE-2019-9938)
The vulnerability allows a remote authenticated attacker to access arbitrary files on the device.
The vulnerability exists because the application delivers to authenticated clients any file whose path is passed via the "metadataid" HTTP GET parameter. A remote authenticated attacker can specify the full path to a file on the device and download it.
Please note that the affected version of the application contains another vulnerability that allows an attacker to bypass the authentication process. As a result, a remote unauthenticated attacker who successfully exploits both vulnerabilities can read arbitrary files from the device.
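The two server-side checks whose absence this bulletin describes, sketched as an added example (not SHAREit code and not part of the original bulletin): a request for an unknown page never changes the set of recognized devices, and the requested file is resolved against a share root before it is served. The `ShareServer` class, the `/download` route, the pairing token and the sample files are hypothetical and constructed for illustration.

```python
import hmac
import os
import tempfile

class ShareServer:
    """Hypothetical model of a file-sharing endpoint (assumption, not SHAREit code)."""
    def __init__(self, share_root, pairing_token):
        self.share_root = os.path.realpath(share_root)
        self.pairing_token = pairing_token
        self.trusted = set()  # client ids that completed pairing

    def pair(self, client, token):
        # Trust is granted only here, after a constant-time token check.
        if hmac.compare_digest(token, self.pairing_token):
            self.trusted.add(client)
            return 200
        return 403

    def get(self, client, page, metadataid=None):
        if page != "/download":
            # Unknown page: plain 404, the trusted set is left untouched.
            return 404, b""
        if client not in self.trusted:
            return 401, b""
        # Resolve the requested name under the share root and require the
        # result (after symlink and ".." resolution) to stay inside it.
        target = os.path.realpath(os.path.join(self.share_root, metadataid or ""))
        if os.path.commonpath([self.share_root, target]) != self.share_root:
            return 403, b""
        if not os.path.isfile(target):
            return 404, b""
        with open(target, "rb") as fh:
            return 200, fh.read()

def demo():
    # Constructed sample data: one shared file and one private file outside the root.
    base = tempfile.mkdtemp()
    root = os.path.join(base, "shared")
    os.mkdir(root)
    secret = os.path.join(base, "private.db")
    for path, data in ((os.path.join(root, "photo.txt"), b"shared"), (secret, b"secret")):
        with open(path, "wb") as fh:
            fh.write(data)
    srv = ShareServer(root, "constructed-token")
    results = [srv.get("c1", "/no-such-page"), srv.get("c1", "/download", "photo.txt")]
    srv.pair("c1", "constructed-token")
    results += [srv.get("c1", "/download", "photo.txt"), srv.get("c1", "/download", secret)]
    return results
```

`demo()` returns the status and body for four requests in order: an unknown page, a download before pairing, a download after pairing, and a full path outside the share root.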
Remediation
Install the update from the vendor's website.