CVE-2020-37086
Description
Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerability that allows remote attackers to access unauthorized file system paths without authentication. Attackers can exploit the vulnerability by manipulating path parameters in GET and POST requests to list or download sensitive system files and inject malicious scripts into application parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Easy Transfer 1.7 for iOS has an unauthenticated directory traversal vulnerability allowing remote attackers to read arbitrary files and inject scripts via path manipulation.
Vulnerability Analysis
Easy Transfer 1.7 for iOS, a file-sharing application that uses a local web server, contains a directory traversal vulnerability. The root cause is improper validation of user-supplied path parameters in GET and POST requests, allowing attackers to escape the intended web root directory [1][2].
Exploitation
The vulnerability can be exploited remotely without authentication or user interaction. An attacker on the same Wi-Fi network can manipulate the application path in requests, for example by appending ".." sequences, to navigate the web server's URL. This causes the server to redirect and then serve files from arbitrary directories on the iOS device's filesystem [1][2].
Impact
Successful exploitation allows an attacker to list and download sensitive system files, such as environment variables and configuration data, leading to information disclosure. Additionally, the advisory notes that malicious scripts can be injected into application parameters, potentially enabling further compromise of the mobile application [1][4].
Mitigation
The public disclosure occurred in April 2020, and the vulnerability affects Easy Transfer version 1.7. Users should check for updates from the vendor (Rubikon Teknoloji) on the App Store [3]. As of the publication date, no patch has been confirmed, and the application may remain vulnerable if not updated [4].
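For developers who embed a file-sharing web server in an app, the missing check described under Vulnerability Analysis is a containment test on the fully resolved path. The following is an added example, not code from Easy Transfer or from the advisory; the function names, request paths and sandbox files are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote

class PathRejected(Exception):
    """Requested path resolves outside the web root."""

def naive_resolve(web_root, requested):
    # Vulnerable pattern: decode and join with no containment check.
    return os.path.normpath(os.path.join(web_root, unquote(requested).lstrip("/")))

def safe_resolve(web_root, requested):
    decoded = unquote(requested)  # decode once, as the HTTP layer does
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    root = os.path.realpath(web_root)
    # Resolve "..", "." and symlinks before deciding anything.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected(f"{requested!r} escapes the web root")
    return candidate

def demo():
    # Constructed sandbox: web root with one shared file, one file outside it,
    # and a symlink inside the root that points outside.
    base = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(base, "webroot")
    os.makedirs(os.path.join(root, "shared"))
    outside = os.path.join(base, "secret.plist")
    for path in (os.path.join(root, "shared", "photo.jpg"), outside):
        open(path, "w").close()
    os.symlink(outside, os.path.join(root, "shared", "link"))
    requests = ["/shared/photo.jpg", "/shared/../shared/photo.jpg",
                "/../secret.plist", "/shared/%2e%2e/%2e%2e/secret.plist",
                "/shared/link"]
    results = {}
    for req in requests:
        try:
            safe_resolve(root, req)
            results[req] = "served"
        except PathRejected:
            results[req] = "rejected"
    return results, naive_resolve(root, "/../secret.plist") == outside

if __name__ == "__main__":
    verdicts, naive_escaped = demo()
    for req, verdict in verdicts.items():
        print(f"{verdict:8} {req}")
    print("naive resolver escaped root:", naive_escaped)
```

The symlink case is why the comparison runs on the `realpath` result: a prefix test on the unresolved string would accept `/shared/link` even though it points outside the root.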
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References (4)
News mentions
No linked articles in our index yet.