Published:2014/01/10  Last Updated:2014/01/10

JVN#51285738
tetra filer vulnerable to directory traversal

Overview

tetra filer provided by Yuichiro Okuyama contains a directory traversal vulnerability.

Products Affected

For Android OS version 4.0.3 and later:

  • tetra filer version 2.3.1 and earlier
  • tetra filer free version 2.3.1 and earlier
For Android OS version Prior to 4.0.3:
  • tetra filer version 1.5.1 and earlier
  • tetra filer free version 1.5.1 and earlier

Description

tetra filer provided by Yuichiro Okuyama contains an issue in processing file names, which may result in a directory traversal (CWE-22) vulnerability.

Impact

A remote, unauthenticated attacker may create an arbitrary file or overwrite an existing file in a directory that the application has privileges to access.

Solution

Apply an update
Update to the latest version according to the information provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2014.01.10

Measures Conditions Severity
Access Required can be attacked over the Internet using packets
  • High
Authentication anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file
  • Mid
Exploit Complexity some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Mid-High

Description of each analysis measures

Credit

Ryohei Koike of Sakura Information Systems Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2014-0803
JVN iPedia JVNDB-2014-000002

Update History

2014/01/10
Information under the section "Impact" was updated.