Multiple vulnerabilities in Rhythm File Manager

SEC Consult Vulnerability Lab Security Advisory < 20140402-0 >

=======================================================================

title: Multiple vulnerabilities

product: Rhythm Software File Manager

Rhythm Software File Manager HD

vulnerable version: File Manager 1.16.6

File Manager HD 1.11.5

fixed version: -

CVE number:

impact: critical

homepage: rhmsoft.com

found: 2013-12-01

by: Wolfgang Ettlinger

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

"Full featured file manager on Android, fresh UI design and user

friendly functions!"

 

URL: rhmsoft.com

 

"Best tablet optimized file manager on Honeycomb! High definition

(1280*800) with fresh UI design and user friendly functions! Special

optimization for tablets and certified on Honeycomb! Enjoy it!"

 

URL: rhmsoft.com

 

 

Vulnerability overview/description:

-----------------------------------

1) Local File Disclosure

When streaming from the network (e.g. when a video from an SMB share is opened

in a video player) the App opens a HTTP server on port 37564. This web server

allows anyone on the same network to retrieve arbitrary local files the App has

access to. If the App is configured to use root permissions, local files can be

read as the local superuser.

 

2) Privilege Escalation

Any local App can open directories in the File Manager. As the File Manager

does not properly escape special characters in the file path when used with

root privileges, any local App can inject arbitrary commands that are executed

as the user root.

 

This vulnerability can also be exploited with crafted directory names. An

attacker could e.g. provide an archive file. When the victim unpacks

the archive and opens the unpacked directory in the File Manager, commands

contained in the directory name are executed as the user root.

 

3) Unauthenticated Remote Command Injection

If the File Manager is configured to browse with root privileges, the file path

from vulnerability 1 (Local File Disclosure) is not being escaped properly

before being passed to the "su" command. This allows users on the same network

to execute arbitrary commands as the user root.

 

 

Proof of concept:

-----------------

No proof of concepts are provided as the vendor did not provide a patch.

 

 

Vulnerable / tested versions:

-----------------------------

These vulnerabilities were verified with the following versions:

* File Manager 1.16.6

* File Manager HD 1.11.5

 

 

Vendor contact timeline:

------------------------

2014-02-05: Contacting vendor through support@rhmsoft.com

2014-02-06: Initial vendor response

2014-02-10: Sending advisory information

2014-02-19: Sending public release schedule as the vendor did not acknowledge

the retrieval of the preliminary security advisory

2014-02-19: Vendor acknowledges the vulnerabilities and states that he will

try to fix them before the public disclosure date

2014-03-26: Asked vendor whether the vulnerabilities have been fixed/will be

fixed before public release date.

2014-03-30: Vendor states that the vulnerabilities will be fixed in

"near future".

2014-03-31: Informed vendor that the advisory will be released as planned.

2014-04-02: Public release of the advisory.

 

 

Solution:

---------

The vendor did not fix the vulnerabilities. The vendor states that the

vulnerabilities will be fixed in near future.

 

 

Workaround:

-----------

There is no workaround known other than to uninstall the App until a patch

is available.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

Interested to work with the experts of SEC Consult?

Write to career@sec-consult.com

 

EOF Wolfgang Ettlinger / @2014