Directory Traversal vulnerability in the Foxit MobilePDF app


New vulnerability discovered by our pen test team member Antonio Zekić. Simple but cool. Another proof that old school stuff is still around. The vulnerability allows unauthorized directory listing as well as reading of arbitrary files as long as the Foxit MobilePDF server can read the file on the affected iOS device.

VULNERABILITY TITLE: Directory Traversal in Foxit MobilePDF

PRODUCT: Foxit MobilePDF for iOS
VULNERABILITY TYPE: Directory Traversal
VULNERABLE VERSION: 6.0.0 and earlier
FIXED VERSION: 6.1
CVE NUMBER: CVE-2017-16814
IMPACT: MEDIUM
PRODUCT URL: https://itunes.apple.com/us/app/foxit-pdf-pdf-reader-editor/id507040546?mt=8
DISCOVERED: 2017-10-13
BY: Antonio Zekić of INFIGO IS d.o.o.

VULNERABILITY DESCRIPTION
A Directory Traversal issue was discovered in the Foxit MobilePDF app before 6.1 for iOS. This occurs by abusing the URL + escape character during a Wi-Fi transfer, which could be exploited by attackers to bypass intended restrictions on local application files.
The identified directory traversal vulnerability can be exploited by submitting the '../' directory path with URL encoding (i.e. as %2e%2e%2f). The vulnerable Foxit MobilePDF server for iOS will traverse through the submitted directory and show directory listing as well as allow reading of files (as long as the Foxit MobilePDF server can read the file on the affected iOS device).

VULNERABLE VERSIONS
Foxit MobilePDF for iOS 6.0.0 and earlier.
SOLUTION
Upgrade to the latest version available:
https://itunes.apple.com/us/app/foxit-pdf-pdf-readereditor/id507040546?mt=8
WORKAROUND
Disable the ‘File transferring’ feature.
VENDOR SECURITY BULLETIN URL:
https://www.foxitsoftware.com/support/security-bulletins.php