Critical SHAREit App Flaw Enable Unrestricted Access to Device Files
The app has been downloaded by more than 500 million users, according to its website. The two high severity bug that was fixed is-
- Bypass of Authentication Mechanisms
- Download content and arbitrary files
"The vulnerability was originally discovered in December 2017 and officially fixed in March 2018, we decided not to disclose vulnerability details before today given the impact of the vulnerability, its big attack surface and ease of exploitation,”On the blog post, Nour explains that an attacker should be on the same WiFi network to exploit the bug. First of all, the attacker needs to confirm the victim’s device is running the SHAREit server by simply checking if two designated ports are open: Port 55283 and Port 2999.
The former is a regular TCP channel where the app exchanges messages with other SHAREit instances on different devices – including device identification and file transmission requests. Port 2999 meanwhile is the app’s HTTP server implementation used by other clients to download shared files.
Hacking SHAREit Users
Where share app is opened it creates an 'Open' WiFi hotspot with an easily distinguished name (SSID) in order to share the files. Identifying such an open network is a strong indicator of the SHAREit device network.
When someone uses SHAREit to send a file, the regular file transfer session starts with the authentication of a device, then the “sender” transfers a control message to the “receiver” to indicate that it has a file to send. If “receiver” decides that it is not a duplicate file, it goes to download channel and fetches the sent file, using information from the previous control message.
However, the team discovered that when a user with no valid session tries to fetch a non-existent page – which could be as simple as [curl http://shareit_sender_ip:2999/DontExist] — a glitch in the app causes it to authenticate the user, “making this the weirdest and simplest authentication bypass we ever seen.”
Now this happens because the app fails to validate the msgid parameter – a unique identifier for each request to make sure that the downloaded request was originally initiated by the sender.
The odd behaviour occurs when an unauthenticated user tries to fetch the non-existing page, instead of a regular 404 page, the application responds with a 200 status code empty page and adds the user into recognized devices. With this attacker could be added to a victim’s trusted devices by just sending them a request trying to fetch a non-existent page.
The successful exploitation of the bug leads to compromise users sensitive data such as user’s Facebook token, Amazon Web Service user’s key, auto-fill data and cookies of websites visited using SHAREit webview and even the plaintext of user’s original hotspot (the application stores it to reset the hotspot settings to original values) and much more.
The researcher also shares POC exploit code for the bug on GitHub dubbed as DUMPit.
POC Demonstration of SHAREit Bug
For proof-of-concept researcher also share the 11-minute video demonstration of the bug.
Now as the flaw has been patched it is recommended to update their apps as soon as possible.