CVE-2022-24562
Published 2022-06-16
Priority: P185, severity critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (see references)
EPSS: 53.07% (98.8th percentile)
In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iobit | iotransfer | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated HTTP requests to the IOTransfer Airserv API on TCP port 7193 with userid=* wildcard, which is the authentication bypass mechanism used in exploitation.
- Alert on HTTP POST requests to /index.php?action=setiotconfig on port 7193, which is used to manipulate the task save path as part of the path traversal/write primitive.
- Alert on HTTP POST to /index.php?action=newuploadfile on port 7193 with a binary body, indicating a file upload attempt to an arbitrary remote path.
- Monitor for DLL files written to the Google Update directory (Program Files (x86)/Google/Update/goopdate.dll) from non-Google processes, as this is the DLL hijacking target used in the RCE chain.
- Scan the network for hosts listening on TCP 7193 that respond to /index.php?action=getpcname to identify exposed IOTransfer Airserv instances.
- The exploit uses path traversal in the savefilename field (e.g., '../Program Files...') within the settaskdetailbyindex POST body to write files outside the intended directory; inspect JSON POST bodies to this endpoint for traversal sequences.
- The userid=* wildcard is accepted by the Airserv API without authentication, meaning no credentials are required to interact with any API endpoint. Any network-accessible host running IOTransfer on port 7193 is exploitable without prior access.
- The exploit sets the task save path to 'C:\Program ' (with a trailing space) via setiotconfig before creating the upload task; this path manipulation is required to enable the path traversal write to arbitrary locations.
- The RCE chain relies on DLL hijacking via goopdate.dll in the Google Update directory; execution is triggered when the Google Update service or a Google application loads the hijacked DLL.
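As an added example (not code from the original page, from IOBit, or from the linked writeups), the following Python detector applies the request-level indicators above to constructed HTTP request records: the userid=* wildcard, the getpcname probe, POSTs to setiotconfig and newuploadfile on port 7193, and traversal sequences in the savefilename field of settaskdetailbyindex bodies. The record field names (dst_port, method, url, body) and the "savepath" JSON key in the sample setiotconfig body are assumptions of this example; the sample traffic is constructed, not captured.

```python
"""Detector for the IOTransfer Airserv (TCP 7193) request indicators.

Added example, not from the original page or from IOBit. Request records use
an assumed generic log shape: {"dst_port": int, "method": str, "url": str, "body": bytes}.
"""
import json
import re
from urllib.parse import parse_qs, urlparse

AIRSERV_PORT = 7193

# A ".." path segment with either separator, anywhere in the file name.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def _find_key(obj, key):
    """Yield every value stored under `key` anywhere in a decoded JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from _find_key(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from _find_key(item, key)


def _looks_binary(body):
    """Crude check: NUL bytes or non-ASCII content mark a file upload rather than JSON/form text."""
    return b"\x00" in body or not body.isascii()


def classify_request(req):
    """Return the list of indicator names that a single HTTP request matches."""
    findings = []
    if req["dst_port"] != AIRSERV_PORT:
        return findings

    qs = parse_qs(urlparse(req["url"]).query)
    action = qs.get("action", [""])[0]
    method = req["method"].upper()
    body = req.get("body", b"")

    # Authentication bypass: the API accepts userid=* without credentials.
    if qs.get("userid", [""])[0] == "*":
        findings.append("wildcard-userid-auth-bypass")

    # Reconnaissance probe used to enumerate exposed Airserv instances.
    if method == "GET" and action == "getpcname":
        findings.append("airserv-discovery-probe")

    # Save-path manipulation that precedes the traversal write.
    if method == "POST" and action == "setiotconfig":
        findings.append("setiotconfig-savepath-change")

    # File upload carrying a binary payload.
    if method == "POST" and action == "newuploadfile" and _looks_binary(body):
        findings.append("newuploadfile-binary-upload")

    # Traversal sequence in savefilename inside the task-detail JSON body.
    if method == "POST" and action == "settaskdetailbyindex":
        try:
            doc = json.loads(body.decode("utf-8", "replace"))
        except ValueError:
            doc = None
        for name in _find_key(doc, "savefilename"):
            if isinstance(name, str) and TRAVERSAL_RE.search(name):
                findings.append("settaskdetailbyindex-path-traversal")
                break

    return findings


def scan(requests):
    """Return (index, findings) for every request that matched at least one indicator."""
    return [(i, f) for i, r in enumerate(requests) if (f := classify_request(r))]


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    {"dst_port": 7193, "method": "GET",
     "url": "/index.php?action=getpcname&userid=*", "body": b""},
    {"dst_port": 7193, "method": "POST",
     "url": "/index.php?action=setiotconfig&userid=*",
     "body": b'{"savepath": "C:\\\\Program "}'},  # "savepath" key name is assumed
    {"dst_port": 7193, "method": "POST",
     "url": "/index.php?action=settaskdetailbyindex&userid=*",
     "body": b'{"index": 0, "savefilename": "../Program Files (x86)/Google/Update/goopdate.dll"}'},
    {"dst_port": 7193, "method": "POST",
     "url": "/index.php?action=newuploadfile&userid=*",
     "body": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"dst_port": 7193, "method": "POST",  # authenticated, benign file name: no finding
     "url": "/index.php?action=settaskdetailbyindex&userid=1234",
     "body": b'{"index": 0, "savefilename": "holiday.jpg"}'},
    {"dst_port": 443, "method": "GET",  # wrong port: not Airserv, ignored
     "url": "/index.php?action=getpcname&userid=*", "body": b""},
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_REQUESTS):
        print(idx, SAMPLE_REQUESTS[idx]["url"], "->", ", ".join(found))
```

The port check runs first so that the same query strings on other services do not fire, and the traversal check walks the whole JSON body rather than only the top level, since the exact nesting of the task-detail document is not documented on this page.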
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
No writeups or analysis indexed.
References
- http://iobit.com
- http://iotransfer.com
- http://packetstormsecurity.com/files/167775/IOTransfer-4.0-Remote-Code-Execution.html
- https://medium.com/%40tomerp_77017/exploiting-iotransfer-insecure-api-cve-2022-24562-a2c4a3f9149d