#VU17875 Directory traversal in SHAREit for Android - CVE-2019-9938

Cybersecurity Help s.r.o.

Published: 2019-02-27 | Updated: 2019-03-22

Vulnerability identifier: #VU17875

Vulnerability risk: Medium

CVSSv4.0: 5.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2019-9938

CWE-ID: CWE-22

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
SHAREit for Android
Mobile applications / Apps for mobile phones

Vendor: SHAREit Technologies Co.Ltd

Description

The vulnerability allows a remote authenticated attacker to access arbitrary file on the device.

The vulnerability exists due to the application delivers to authenticated clients any file that was passed via "metadataid" HTTP GET parameter. A remote authenticated attacker can indicate a full path to the file on the device and download it.

Please note, the affected version of the application contains another vulnerability that allows an attacker to bypass authentication process. As a result, the remote unauthenticated attacker, who can sucessfuly exploit two vulnerabilities, can read arbitrary files from the device.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SHAREit for Android: 3.0.18 - 4.0.38

External links
https://blog.redforce.io/shareit-vulnerabilities-enable-unrestricted-access-to-adjacent-devices-files/
https://github.com/redforcesec/DUMPit/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in SHAREit for Android