Security researchers have discovered two high-severity vulnerabilities in the SHAREit Android app that could allow attackers to bypass device authentication mechanism and steal files containing sensitive from a victim’s device.
With over 1.5 billion users worldwide, SHAREit is a popular file sharing application for Android, iOS, Windows and Mac that has been designed to help people share video, music, files, and apps across various devices.
With more than 500 million users, the SHAREit Android app was found vulnerable to a file transfer application’s authentication bypass flaw and an arbitrary file download vulnerability, according to a blog post RedForce researchers shared with The Hacker News.
The vulnerabilities were initially discovered over a year back in December 2017 and fixed in March 2018, but the researchers decided not to disclose their details until Monday “given the impact of the vulnerability, its big attack surface and ease of exploitation.”
“We wanted to give as many people as we can the time to update and patch their devices before disclosing such critical vulnerability,” said Abdulrahman Nour, a security engineer at RedForce.
How Does SHAREit Transfer Files?
SHAREit server hosts multiple services via different ports on a device, but the researchers analyzed two designated services including Command Channel (runs on Port 55283) and Download Channel (runs on Port 2999).
Command Channel is a regular TCP channel where app exchanges messages with other SHAREit instances running on other devices using raw socket connections, including device identification, handling file transmission requests, and checking connection health.
Download Channel is the SHAREit application’s own HTTP server implementation which is mainly used by other clients to download shared files.
According to the researchers, when you use the SHAREit Android app to send a file to the other device, a regular file transfer session starts with a regular device identification, then the ‘sender’ sends a control message to the ‘receiver,’ indicating that you have a file to share.
Once the ‘receiver’ verifies that the file is not duplicate, it goes to Download Channel and fetches the sent file using information from the previous control message.
Hackers Can Access Your Files Using SHAREit Flaws
However, researchers discovered that when a user with no valid session tries to fetch a non-existing page, instead of a regular 404 page, the SHAREit app responds with a 200 status code empty page and adds the user into recognized devices, eventually authenticating an unauthorized user.
According to the researchers, a fully functional proof-of-concept exploit for this SHAREit flaw would be as simple as curl http://shareit_sender_ip:2999/DontExist, making it the weirdest and simplest authentication bypass ever.
Researchers also found that when a download request is initiated, SHAREit client sends a GET request to the sender’s HTTP server, which looks like the following URL:
http://shareit_sender_ip:2999/download?metadatatype=photo&metadataid=1337&filetype=thumbnail&msgid=c60088c13d6
Since the SHAREit app fails to validate the ‘msgid’ parameter—a unique identifier generated for each request when the sender initiates a download—this enables a malicious client with a valid session to download any resource by directly referencing its identifier.
The flaws could be exploited by an attacker on a shared WiFi network, and unfortunately vulnerable SHAREit versions create an easily distinguished open Wi-Fi hotspot which one can use not only to intercept traffic (since it uses HTTP) between the two devices, but also to exploit the discovered vulnerabilities and have unrestricted access to vulnerable device storage.
Since exploitation simply involves sending a curl command referencing the path of the target file, one should know the exact location of the file one would like to retrieve.
To overcome this, researchers started looking for files with known paths that are already publicly available, including SHAREit History and SHAREit MediaStore Database, which may contain interesting information.
“There are other files that contain juicy information such as user’s Facebook token, Amazon Web Service user’s key, auto-fill data and cookies of websites visited using SHAREit webview and even the plaintext of user’s original hotspot (the application stores it to reset the hotspot settings to original values) and much more,” researchers said.
Using their proof-of-concept exploit dubbed DUMPit!, the researchers managed to download nearly 3000 unique files having around 2GBs in less than 8 minutes of file transfer session.
The team contacted the SHAREit Team multiple times over multiple platforms in early January 2018 but got no response until early February when the researchers warned the company to release the vulnerability details to the public after 30 days.
The SHAREit team silently patched the vulnerabilities in March 2018, without providing researchers with exact patched versions of the Android app, vulnerability CVE IDs or any comments for the public disclosure.
“Communication with SHAREit team was not a good experience at all; Not only they took too long to respond to our messages, they also were not cooperative in any means, and we did not feel that our work or efforts were appreciated at all,” researchers said.
After giving enough time to users to update their SHAREit app, researchers have now released technical details of the vulnerabilities, along with the PoC exploit, DUMBit!, which can be downloaded from the GitHub website.
The vulnerabilities affect the SHAREit for Android application <= version 4.0.38. If you haven't yet, you should update your SHAREit app from Google Play Store as soon as possible.