[FD] UDID+ v2.5 iOS - Mail Command Inject Vulnerability
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>, "bkm@xxxxxxxxxxxxxxxxx" <bkm@xxxxxxxxxxxxxxxxx>
- Subject: [FD] UDID+ v2.5 iOS - Mail Command Inject Vulnerability
- From: Douglas Held <dougheld@xxxxxxxxx>
- Date: Fri, 17 Jul 2015 13:35:46 -0300
Benjamin,
What is an androidios device account? Is that a typo? And does the default
"mobile/alpine" user account suffice?
It isn't clear to me whether the iOS device needs to be jailbroken for this
exploit to work. The
--
Douglas Held
doug@xxxxxxxxxxxxxxx via dougheld@xxxxxxxxx
Note: Sent from a device that occasionally respells and replaces words
> On 17 Jul 2015, at 10:08, fulldisclosure-request@xxxxxxxxxxxx wrote:
>
>
> Message: 8
> Date: Fri, 17 Jul 2015 15:04:22 +0200
> From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
> To: fulldisclosure@xxxxxxxxxxxx
> Subject: [FD] UDID+ v2.5 iOS - Mail Command Inject Vulnerability
> Message-ID: <55A8FD56.1060202@xxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=utf-8
>
> Document Title:
> ===============
> UDID+ v2.5 iOS - Mail Command Inject Vulnerability
>
>
> References (Source):
> ====================
> http://www.vulnerability-lab.com/get_content.php?id=1542
>
>
> Release Date:
> =============
> 2015-07-06
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1542
>
>
> Common Vulnerability Scoring System:
> ====================================
> 5.7
>
>
> Product & Service Introduction:
> ===============================
> UDID+ is a simple tool that displays the Unique Device Identifier (UDID) and
> other information of your iOS device. It works on iPod touches,
> iPhones and iPads and allows you to either email the UDID to someone, or to copy
> it. The UDID is used by developers so they can add your device
> to their Ad Hoc distribution profiles. This allows them to create a special
> version of their apps that can be run on your device outside of
> the normal App Store distribution channels. Ad Hoc distribution is perfect
> for beta testing as well as for small in-house projects with a
> limited distribution group, of up to 100 devices.
>
> (Copy of the Vendor Homepage:
> https://itunes.apple.com/us/app/udid+/id385936840 )
>
>
> Abstract Advisory Information:
> ==============================
> The Vulnerability Laboratory Core Research Team discovered an
> application-side command inject web vulnerability in the official UDID+ v2.5
> iOS mobile web-application.
>
>
> Vulnerability Disclosure Timeline:
> ==================================
> 2015-07-06: Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Affected Product(s):
> ====================
> EMonster Inc.
> Product: UDID+ - iOS Mobile Web Application 2.5
>
>
> Exploitation Technique:
> =======================
> Local
>
>
> Severity Level:
> ===============
> Medium
>
>
> Technical Details & Description:
> ================================
> A local command inject web vulnerability has been discovered in the official
> UDID+ v2.5 iOS mobile web-application.
> The vulnerability allows injecting malicious script code into the
> application-side of the vulnerable iOS mobile app.
>
> The vulnerability is located in the device name value of the send-by-mail
> function. Local attackers are able to
> manipulate the name value of the device to compromise the mail function of
> the UDID+ mobile app. The HTML encoding
> is broken in the send-by-mail export function. Local attackers are able to
> manipulate the device name id to compromise
> the application's internal validation via send-by-email. The attack vector of
> the vulnerability is server-side and the
> injection point is the device name information setting.
>
> The security risk of the local commandpath inject vulnerability is estimated
> as medium with a cvss (common vulnerability
> scoring system) count of 5.7. Exploitation of the commandpath inject
> vulnerability requires a low privilege androidios
> device account with restricted access and no user interaction. Successful
> exploitation of the vulnerability results in
> unauthorized execution of system specific commands and unauthorized path
> value requests to compromise the mobile iOS
> application and connected device components.
>
> Vulnerable Module(s)
> [+] Device - Settings - Information
>
> Vulnerable Parameter(s)
> [+] device cell name (cid)
>
> Affected Module(s)
> [+] UDID+ - Mail
>
>
> Proof of Concept (PoC):
> =======================
> The application-side validation web vulnerability can be exploited by local
> attackers with a low-privilege or restricted device user account and without
> user interaction.
> For security demonstration or to reproduce the vulnerability, follow the
> provided information and steps below.
>
> PoC: UDID+ Send Mail
>
> <html><head><title>UDID+</title>
> <link rel="important stylesheet"
> href="chrome://messagebody/skin/messageBody.css">
> </head><body>
> <table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1">
> <tr><td><b>Betreff: </b>UDID+</td></tr><tr><td><b>Von: </b>Benjamin Mejri
> Kunz <vulnerabilitylab@xxxxxxxxxx></td></tr>
> <tr><td><b>Datum: </b>28.06.2015 20:49</td></tr></table><table border=0
> cellspacing=0 cellpadding=0 width="100%" class="header-part2">
> <tr><td><b>An: </b>aki <bkm@xxxxxxxxxxxxxxxxx></td></tr></table><br>
> <html><head><meta http-equiv="content-type" content="text/html;
> "></head><body dir="auto"><div>Here is my device information.<br><br>
> <b>UDID:</b> FFFFFFFFC63FF684821B430C91F7F41D4D8A2F3A<br>
> <b>Device Name:</b> bkm337>" src="cid:">%20<./[LOCAL FILE INCLUDE
> VULNERABILITY VIA DEVICE CELL NAME VALUE!]
> <b>System Name:</b> iPhone OS<br />
> <b>System Version:</b> 8.3<br />
> <b>Platform:</b> iPad 3G WiFi<br />
> <b>Hardware Model:</b> P101AP<br />
> <b>Processors:</b> 2<br />
> <b>CPU Frequency:</b> 0 Hz<br />
> <b>Bus Frequency:</b> 0 Hz<br />
> <b>Physical Memory:</b> 1 GB<br />
> <b>Non-Kernel Memory:</b> 809,21 MB<br />
> <b>Model:</b> iPad<br />
> <b>Localized Model:</b> iPad<br />
> <b>Language:</b> de<br />
> <b>Locale:</b> de_DE<br />
> <b>Capacity:</b> 32 GB<br />
> <b>Formatted:</b> 27,19 GB<br />
> <b>Used:</b> 26,38 GB<br />
> <b>Free:</b> 825,48 MB<br />
> <b>Battery State:</b> Unplugged<br />
> <b>Battery Level:</b> 65 %<br />
> <b>Local IP:</b> 192.168.2.104<br />
> <b>MAC Address:</b> 02:00:00:00:00:00<br />
> <br />
> <a href="<a
> href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=385936840">http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware
> ?id=385936840</a>">Download</a> UDID+ for iPod touch, iPhone, iPad and iPad
> mini.<br />
> <br />
> This email was sent using UDID+ version 2.5 by emonster k.k.<br />
> For more information please visit our website <a href='<a
> href="http://www.emonster.com/'">http://www.emonster.com/'</a>>
> <a href="http://www.emonster.com">www.emonster.com</a></a><br
> /></iframe></div><div></div></body></html>
> </body>
> </html>
>
>
> Solution - Fix & Patch:
> =======================
> The vulnerability can be patched by securely parsing and encoding the
> vulnerable device cell name output value.
> Restrict the input and disallow usage of special chars before sending the
> data by mail to the own account.
>
>
> Security Risk:
> ==============
> The security risk of the local command inject web vulnerability in the UDID+
> app is estimated as medium. (CVSS 5.7)
>
>
> Credits & Authors:
> ==================
> Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
> (bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
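The advisory's fix section asks for the device name to be encoded before it is placed in the HTML mail body. The following Python is an added illustration of that output-encoding fix, not code from UDID+ or from the advisory: it builds a body the way the defect is described (raw interpolation) and the way the fix requires (HTML-escaped values), using the device name from the PoC as the constructed sample, and adds a check that a value is embedded only in encoded form yet still displays verbatim.

```python
import html
from html.parser import HTMLParser

# Constructed sample modelled on the advisory's PoC mail (not the app's own data).
DEVICE_INFO = {
    "UDID": "FFFFFFFFC63FF684821B430C91F7F41D4D8A2F3A",
    # The user-controlled device name from the PoC, carrying markup characters.
    "Device Name": 'bkm337>" src="cid:">%20<./',
    "System Name": "iPhone OS",
    "System Version": "8.3",
}

# Hypothetical template approximating the mail body shown in the PoC.
TEMPLATE = "<div>Here is my device information.<br><br>\n{rows}</div>"


def build_body_unencoded(info):
    """Reproduces the defect the advisory describes: values are interpolated raw."""
    rows = "".join(f"<b>{k}:</b> {v}<br />\n" for k, v in info.items())
    return TEMPLATE.format(rows=rows)


def build_body_encoded(info):
    """The recommended fix: HTML-encode every value at the output point.
    quote=True also turns '"' and "'" into entities, so a value cannot close an
    attribute even if a template later places it inside one."""
    rows = "".join(
        f"<b>{html.escape(k, quote=True)}:</b> {html.escape(str(v), quote=True)}<br />\n"
        for k, v in info.items()
    )
    return TEMPLATE.format(rows=rows)


class _TextCollector(HTMLParser):
    """Collects the text a mail client would display, discarding markup."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def displayed_text(body):
    parser = _TextCollector()
    parser.feed(body)
    parser.close()
    return "".join(parser.parts)


def value_is_safely_embedded(body, value):
    """Encoder check: the raw value never appears in the markup, while the
    reader still sees it verbatim as text (entities decode back to it)."""
    return value not in body and value in displayed_text(body)
```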