Rhythm Software File Manager [HD] Disclosure / Escalation / Injection

Posted Apr 2, 2014
Authored by Wolfgang Ettlinger | Site sec-consult.com

Rhythm Software File Manager version 1.16.6 and Rhythm Software File Manager HD version 1.11.5 suffer from local file disclosure, privilege escalation, and unauthenticated remote command injection vulnerabilities.

tags | advisory, remote, local, vulnerability
SHA-256 | d2c9981bbbf77d707cbae26f950c18a38e350aeb4c84dd1f06e79d90a6679677

SEC Consult Vulnerability Lab Security Advisory < 20140402-0 >
=======================================================================
title: Multiple vulnerabilities
product: Rhythm Software File Manager
Rhythm Software File Manager HD
vulnerable version: File Manager 1.16.6
File Manager HD 1.11.5
fixed version: -
CVE number: -
impact: critical
homepage: http://rhmsoft.com/
found: 2013-12-01
by: Wolfgang Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Full featured file manager on Android, fresh UI design and user
friendly functions!"

URL: http://rhmsoft.com/?p=78

"Best tablet optimized file manager on Honeycomb! High definition
(1280*800) with fresh UI design and user friendly functions! Special
optimization for tablets and certified on Honeycomb! Enjoy it!"

URL: http://rhmsoft.com/?p=4


Vulnerability overview/description:
-----------------------------------
1) Local File Disclosure
When streaming from the network (e.g. when a video from an SMB share is opened
in a video player), the App opens an HTTP server on port 37564. This web server
allows anyone on the same network to retrieve arbitrary local files the App has
access to. If the App is configured to use root permissions, local files can be
read as the local superuser.
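As an added illustration of the design that would have avoided this exposure (not code from the vendor or from SEC Consult), the streaming endpoint below binds to loopback only and serves nothing but files the user explicitly chose to play, each reachable only through an unguessable per-stream token. The port number is the one from the advisory; the `/stream/` URL layout, the class names and the sample file path are assumptions.

```python
import os
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

STREAM_PORT = 37564          # port named in the advisory
BIND_ADDRESS = "127.0.0.1"   # loopback only: the player runs on the same device


class StreamRegistry:
    """Maps random capability tokens to the one file registered for playback.
    A request can only name a token, never an arbitrary local path."""

    def __init__(self):
        self._by_token = {}

    def register(self, path):
        # realpath resolves symlinks once, at registration time
        token = secrets.token_urlsafe(32)
        self._by_token[token] = os.path.realpath(path)
        return token

    def resolve(self, request_target):
        # Only "/stream/<token>" is meaningful; "/etc/hosts" or
        # "/stream/../x" are not tokens and simply miss the dictionary.
        prefix = "/stream/"
        if not request_target.startswith(prefix):
            return None
        return self._by_token.get(request_target[len(prefix):])

    def revoke(self, token):
        # called when playback ends so the token stops working
        self._by_token.pop(token, None)


REGISTRY = StreamRegistry()


class StreamHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        path = REGISTRY.resolve(self.path)
        if path is None or not os.path.isfile(path):
            self.send_error(404)
            return
        with open(path, "rb") as f:      # whole-file read keeps the example short
            data = f.read()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def make_server():
    # Never bind 0.0.0.0 here: that is what exposed the files to the whole LAN.
    return HTTPServer((BIND_ADDRESS, STREAM_PORT), StreamHandler)
```

Registering a file and handing the token URL to the player replaces "any path on request" with "exactly this file, for this session".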

2) Privilege Escalation
Any local App can open directories in the File Manager. As the File Manager
does not properly escape special characters in the file path when it is used
with root privileges, any local App can inject arbitrary commands that are
executed as the user root.

This vulnerability can also be exploited with crafted directory names. An
attacker could, for example, provide an archive file. When the victim unpacks
the archive and opens the unpacked directory in the File Manager, commands
contained in the directory name are executed as the user root.

3) Unauthenticated Remote Command Injection
If the File Manager is configured to browse with root privileges, the file path
from vulnerability 1 (Local File Disclosure) is not escaped properly before
being passed to the "su" command. This allows users on the same network to
execute arbitrary commands as the user root.
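Vulnerabilities 2 and 3 share one root cause: a path is pasted into a command line that `su -c` hands to a shell. The added example below (not the vendor's code and not part of the advisory) shows the unquoted construction next to the quoted one and runs both through `sh -c`, which stands in for `su -c` so nothing privileged happens; the directory name and the `ls -d` listing command are constructed assumptions.

```python
import shlex
import subprocess


def naive_list_command(path: str) -> str:
    # Vulnerable pattern: the path is pasted verbatim into the shell line,
    # so a ';', '&&' or '$(...)' inside the name becomes shell syntax.
    return f"ls -d {path}"


def quoted_list_command(path: str) -> str:
    # Hardened pattern: shlex.quote wraps the path so the shell sees exactly
    # one word, whatever characters the name contains.
    return f"ls -d {shlex.quote(path)}"


def run_as_shell(cmdline: str) -> str:
    # Stand-in for `su -c <cmdline>`: a shell parses the string, just as su
    # does, but here it runs as the unprivileged current user.
    proc = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True)
    return proc.stdout + proc.stderr


# Constructed directory name containing a command separator (not from the advisory).
HOSTILE_NAME = "Movies; echo INJECTED"


def demo() -> dict:
    """Return whether the second command ran for each construction."""
    naive_out = run_as_shell(naive_list_command(HOSTILE_NAME))
    quoted_out = run_as_shell(quoted_list_command(HOSTILE_NAME))
    # An exact line match avoids counting the quoted name echoed in ls's error.
    return {
        "naive_ran_extra_command": "INJECTED" in naive_out.splitlines(),
        "quoted_ran_extra_command": "INJECTED" in quoted_out.splitlines(),
    }


if __name__ == "__main__":
    print(demo())
```

Where the privileged helper accepts an argument vector instead of a string, pass the path as its own argv element and skip the shell entirely; quoting is the fallback when, as with `su -c`, a shell is unavoidable.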


Proof of concept:
-----------------
No proof of concept is provided, as the vendor did not provide a patch.


Vulnerable / tested versions:
-----------------------------
These vulnerabilities were verified with the following versions:
* File Manager 1.16.6
* File Manager HD 1.11.5


Vendor contact timeline:
------------------------
2014-02-05: Contacting vendor through support@rhmsoft.com
2014-02-06: Initial vendor response
2014-02-10: Sending advisory information
2014-02-19: Sending public release schedule, as the vendor did not acknowledge
receipt of the preliminary security advisory
2014-02-19: Vendor acknowledges the vulnerabilities and states that he will
try to fix them before the public disclosure date
2014-03-26: Asked vendor whether the vulnerabilities have been fixed or will be
fixed before the public release date.
2014-03-30: Vendor states that the vulnerabilities will be fixed in
"near future".
2014-03-31: Informed vendor that the advisory will be released as planned.
2014-04-02: Public release of the advisory.


Solution:
---------
The vendor did not fix the vulnerabilities. The vendor states that the
vulnerabilities will be fixed in the near future.


Workaround:
-----------
There is no workaround known other than to uninstall the App until a patch
is available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Wolfgang Ettlinger / @2014