Two high-severity vulnerabilities have been found in the SHAREit Android app that let attackers bypass the device authentication mechanism and steal personal details and other information from a victim's device.
SHAREit is a popular file-sharing application for Android, iOS, Windows and Mac used to share videos, music, files and apps across devices. It has more than 1.5 billion users worldwide; the Android app, with around 500 million users, was found to be vulnerable to an authentication bypass in its file transfer service and to an arbitrary file download vulnerability.
The vulnerabilities were initially discovered in December 2017 and fixed in March 2018. However, they were not disclosed until Monday, as the researchers decided to give as many users as possible time to update and patch their devices before publishing details of such critical flaws.
SHAREit File Transfer Process
The SHAREit server hosts multiple services on different ports of a device, but the two that matter here are the Command Channel (running on port 55283) and the Download Channel (running on port 2999).
The Command Channel is a TCP channel over which the app exchanges messages with SHAREit instances running on other devices using raw socket connections; it handles device identification, file transmission requests and connection health checks.
The Download Channel is the HTTP server implementation inside the SHAREit application, used by other clients to download shared files.
The researchers reported that when a user uses the SHAREit Android app to send a file to another device, a regular file transfer session starts with device identification; the 'sender' then sends a control message to the 'receiver' indicating that it has a file to share.
After the 'receiver' verifies this message, it goes to the Download Channel and collects the sent file using the information from the preceding control message.
How do attackers exploit the SHAREit flaws?
When a user with no valid session tries to fetch a non-existent page, the SHAREit app, instead of returning a regular 404 page, responds with a 200 status code and an empty page and adds the user to its recognized devices, so an unauthorized user becomes authenticated.
A fully functional proof-of-concept exploit for this SHAREit flaw is simple, making it the strangest and simplest authentication bypass ever seen. The researchers also found that when a download request is initiated, the SHAREit client sends a GET request to the sender's HTTP server.
The flaws can be exploited on a shared Wi-Fi network, and vulnerable SHAREit apps create an easily noticeable open Wi-Fi hotspot; this can be used to intercept traffic between the two devices, exploit the discovered vulnerabilities and gain unrestricted access to the vulnerable device's storage.
Because the curl command used in the exploit references the path of the target file, the attacker must know the exact location of the file to be retrieved.
To overcome this, the researchers looked for files with known, publicly documented paths, including the SHAREit History and SHAREit MediaStore databases, which contain useful information.
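As an added illustration (not SHAREit's code and not the researchers' PoC), the following Python models the two behaviours described above next to a hardened handler: an unknown page that answers 200 and silently trusts the caller, and a download that trusts whatever path the request names. The `DownloadChannel` class, the `/download` route and the file layout built by `make_demo()` are assumptions made for this example; only the two behaviours come from the write-up.

```python
"""Toy model of the SHAREit download-channel weaknesses described above, with a
hardened counterpart.  Added example: not SHAREit code and not the researchers'
PoC.  The DownloadChannel class, the "/download" route and the file layout are
assumptions made for this illustration."""
import tempfile
from dataclasses import dataclass, field
from pathlib import Path, PurePosixPath


@dataclass
class Response:
    status: int
    body: bytes = b""


@dataclass
class DownloadChannel:
    share_root: Path                               # directory holding files offered for download
    shared: set = field(default_factory=set)       # relative paths announced via the command channel
    recognized: set = field(default_factory=set)   # device ids that completed identification
    KNOWN_ROUTES = ("/download",)                  # hypothetical route name

    def identify(self, device_id: str) -> None:
        """The only legitimate way to obtain a session: the command-channel handshake."""
        self.recognized.add(device_id)

    # Vulnerable behaviour, modelled on the write-up.
    def handle_vulnerable(self, device_id: str, route: str, path: str) -> Response:
        if route not in self.KNOWN_ROUTES:
            # Flaw 1: an unknown page answers 200 with an empty body, and the
            # caller is added to the recognized devices without identification.
            self.recognized.add(device_id)
            return Response(200)
        if device_id not in self.recognized:
            return Response(401)
        # Flaw 2: the requested path is trusted as given, so any file the app can
        # read is served once the caller holds a session.
        target = Path(path) if Path(path).is_absolute() else self.share_root / path
        try:
            return Response(200, target.read_bytes())
        except OSError:
            return Response(404)

    # Hardened behaviour.
    def handle_hardened(self, device_id: str, route: str, path: str) -> Response:
        if route not in self.KNOWN_ROUTES:
            return Response(404)           # unknown page: plain 404, no session side effect
        if device_id not in self.recognized:
            return Response(401)
        rel = PurePosixPath(path)
        if rel.is_absolute() or ".." in rel.parts:
            return Response(400)           # reject traversal before touching the filesystem
        target = (self.share_root / rel).resolve()
        if self.share_root.resolve() not in target.parents or str(rel) not in self.shared:
            return Response(403)           # only files explicitly offered in this session
        return Response(200, target.read_bytes())


def make_demo():
    """Constructed sample layout: one offered photo and one private database file.
    Returns the channel and the absolute path of the private file."""
    tmp = Path(tempfile.mkdtemp())
    share = tmp / "shared"
    share.mkdir()
    (share / "photo.jpg").write_bytes(b"JPEGDATA")
    private = tmp / "private"
    private.mkdir()
    secret = private / "history.db"
    secret.write_bytes(b"SECRET")
    return DownloadChannel(share_root=share, shared={"photo.jpg"}), secret


if __name__ == "__main__":
    chan, secret = make_demo()
    r = chan.handle_vulnerable("stranger", "/nope", "")
    print("vulnerable: unknown page ->", r.status, "recognized:", "stranger" in chan.recognized)
    print("vulnerable: private file ->", chan.handle_vulnerable("stranger", "/download", str(secret)).body)
    chan, secret = make_demo()
    r = chan.handle_hardened("stranger", "/nope", "")
    print("hardened: unknown page ->", r.status, "recognized:", "stranger" in chan.recognized)
    chan.identify("peer")
    print("hardened: private file ->", chan.handle_hardened("peer", "/download", str(secret)).status)
```

The hardened handler never mutates `recognized` on a request path; only the identification step does. Its checks are ordered so that an unknown route, a missing session and a malformed path are each refused before any filesystem access, and the final allowlist check ties the download to the files the command channel actually announced for the session, which is the property the original server lacked.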
Using their proof-of-concept exploit, dubbed DUMBit!, the researchers managed to download nearly 3,000 unique files totalling around 2 GB in less than 8 minutes of file transfer session.
The security team contacted the SHAREit team several times but received no response until early February, when the researchers warned the company that they would release the vulnerability details to the public after 30 days.
The SHAREit team silently patched the vulnerabilities in March 2018 without giving the researchers the exact patched versions of the Android app, CVE IDs for the vulnerabilities or any comment for the public disclosure.
The researchers have now released technical details of the vulnerabilities along with the PoC exploit, DUMBit!, which can be downloaded from GitHub.
The vulnerabilities affect version 4.0.38 of SHAREit for Android. Users still running that version should update the SHAREit app from the Google Play Store as soon as possible.