LocalSend Discovery Protocol Man-in-the-Middle Vulnerability Allowing File Interception

Vulnerability

A critical Man-in-the-Middle (MitM) vulnerability has been identified in LocalSend versions through 1.16.1. This issue arises within the application's discovery protocol, which uses UDP multicast packets for device communication over local networks. The vulnerability allows an unauthenticated attacker to impersonate legitimate devices, intercepting, reading, and modifying file transfers between users. Exploitation of this flaw could lead to the theft of sensitive data or the injection of malware, such as ransomware, into shared files. The attack is difficult to detect and easy to execute, creating an immediate security risk.

Impact

Exploitation allows for reliable impersonation of any device running LocalSend on the same local network, leading to unauthorized interception and modification of files and messages exchanged between users. This Man-in-the-Middle attack compromises the confidentiality and integrity of the data transferred via LocalSend. Additionally, the vulnerability could be exploited to deliver malicious payloads, such as ransomware, spyware, or trojans, into files shared between trusted users, increasing the likelihood of those files being opened and the malware executed.

Reproduction

The vulnerability can be reproduced by an attacker on the same local network who sends a spoofed UDP discovery packet that impersonates a legitimate device. This can be done using a simple script or tool that allows for packet manipulation. Once the discovery packet is received by other LocalSend applications on the network, the attacker can intercept and modify file transfers by impersonating the targeted device.
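On the detection side, a passive listener can flag discovery announcements in which one device identity is claimed from more than one source address. The following is an added example, not code from LocalSend or from this advisory; the JSON field names "alias" and "fingerprint" are assumptions about the announcement layout, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample (not real traffic): (source IP, UDP payload) pairs as a
# passive listener on the discovery multicast group might record them.
SAMPLE = [
    ("192.168.1.20", b'{"alias":"Alice Laptop","fingerprint":"aa11"}'),
    ("192.168.1.31", b'{"alias":"Bob Phone","fingerprint":"bb22"}'),
    ("192.168.1.20", b'{"alias":"Alice Laptop","fingerprint":"aa11"}'),
    ("192.168.1.66", b'{"alias":"Alice Laptop","fingerprint":"aa11"}'),
    ("192.168.1.77", b"not json"),
    ("192.168.1.88", b'{"alias":"Bob Phone","fingerprint":"cc33"}'),
]

def find_identity_conflicts(records):
    """Return (alerts, malformed_sources) for a list of (src_ip, payload)."""
    ips_by_fp = defaultdict(set)     # fingerprint -> source IPs announcing it
    fps_by_alias = defaultdict(set)  # alias -> fingerprints using that name
    malformed = []
    for src, payload in records:
        try:
            msg = json.loads(payload)
            fp, alias = msg["fingerprint"], msg["alias"]  # assumed field names
            if not (isinstance(fp, str) and isinstance(alias, str)):
                raise TypeError("identity fields must be strings")
        except (ValueError, KeyError, TypeError):
            malformed.append(src)    # unparseable announcements kept for review
            continue
        ips_by_fp[fp].add(src)
        fps_by_alias[alias].add(fp)
    alerts = []
    # One identity announced from several addresses: possible impersonation
    # (or a benign DHCP address change, so treat as a lead, not a verdict).
    for fp, ips in sorted(ips_by_fp.items()):
        if len(ips) > 1:
            alerts.append(("fingerprint_multi_source", fp, sorted(ips)))
    # One display name tied to several identities: a look-alike device name.
    for alias, fps in sorted(fps_by_alias.items()):
        if len(fps) > 1:
            alerts.append(("alias_multi_fingerprint", alias, sorted(fps)))
    return alerts, malformed

if __name__ == "__main__":
    alerts, malformed = find_identity_conflicts(SAMPLE)
    for kind, key, values in alerts:
        print(f"ALERT {kind}: {key!r} -> {values}")
    print("malformed announcements from:", malformed)
```
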

Remediation

Users can update to LocalSend version 1.17.0, which addresses the vulnerability by fixing the path traversal issue that allowed for the Man-in-the-Middle attack. The updated version is available on the LocalSend GitHub Releases page.

Added: Aug 1, 2025, 11:17 PM
Updated: Aug 1, 2025, 11:17 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 6.7
exploitability: 5.8
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.