diff --git a/files.csv b/files.csv
index 27c07355f..b1944fdf6 100755
--- a/files.csv
+++ b/files.csv
@@ -9467,7 +9467,7 @@ id,file,description,date,author,platform,type,port
 10096,platforms/php/webapps/10096.txt,"OS Commerce 2.2r2 authentication bypass",2009-11-13,"Stuart Udall",php,webapps,0
 10097,platforms/php/remote/10097.php,"PHP 5.2.11/5.3.0 - Multiple Vulnerabilities",2009-11-13,"Maksymilian Arciemowicz",php,remote,0
 10098,platforms/windows/remote/10098.py,"Novell eDirectory 8.8 SP5 iConsole Buffer Overflow",2009-11-16,ryujin,windows,remote,0
-10099,platforms/windows/remote/10099.py,"HP Power Manager Administration Universal Buffer Overflow Exploit",2009-11-16,ryujin,windows,remote,80
+10099,platforms/windows/remote/10099.py,"HP Power Manager Administration - Universal Buffer Overflow Exploit",2009-11-16,ryujin,windows,remote,80
 10100,platforms/windows/dos/10100.py,"FTPDMIN 0.96 (LIST) Remote Denial of Service Exploit",2007-03-20,shinnai,windows,dos,21
 10101,platforms/php/webapps/10101.txt,"telepark wiki 2.4.23 - Multiple Vulnerabilities",2009-11-16,Abysssec,php,webapps,0
 10102,platforms/windows/dos/10102.pl,"Safari 4.0.3 (Win32) CSS Remote Denial of Service Exploit",2009-11-16,"Jeremy Brown",windows,dos,80
@@ -29318,3 +29318,9 @@ id,file,description,date,author,platform,type,port
 32553,platforms/php/webapps/32553.txt,"phpWebSite <= 0.9.3 'links.php' SQL Injection Vulnerability",2008-10-31,"Beenu Arora",php,webapps,0
 32554,platforms/php/webapps/32554.txt,"SpitFire Photo Pro 'pages.php' SQL Injection Vulnerability",2008-10-31,"Beenu Arora",php,webapps,0
 32555,platforms/windows/remote/32555.html,"Opera Web Browser 9.62 History Search Input Validation Vulnerability",2008-10-31,NeoCoderz,windows,remote,0
+32556,platforms/multiple/webapps/32556.txt,"Dell SonicWall EMail Security Appliance Application 7.4.5 - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,multiple,webapps,8619
+32557,platforms/hardware/webapps/32557.txt,"FTP Drive + HTTP 1.0.4 iOS - Code Execution Vulnerability",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
+32558,platforms/hardware/webapps/32558.txt,"Lazybone Studios WiFi Music 1.0 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
+32559,platforms/hardware/webapps/32559.txt,"Easy FileManager 1.1 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
+32560,platforms/hardware/webapps/32560.txt,"ePhone Disk 1.0.2 iOS - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,hardware,webapps,8080
+32561,platforms/php/webapps/32561.txt,"LinEx - Password Reset Vulnerability",2014-03-27,"N B Sri Harsha",php,webapps,80
diff --git a/platforms/hardware/webapps/32557.txt b/platforms/hardware/webapps/32557.txt
new file mode 100755
index 000000000..eeb208a36
--- /dev/null
+++ b/platforms/hardware/webapps/32557.txt
@@ -0,0 +1,163 @@ +Document Title: +=============== +FTP Drive + HTTP 1.0.4 iOS - Code Execution Vulnerability + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1231 + + +Release Date: +============= +2014-03-20 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1231 + + +Common Vulnerability Scoring System: +==================================== +9.1 + + +Product & Service Introduction: +=============================== +FTP Drive + HTTP Server is the ultimate app as for usefullness and ease of use to bring with you and share all your +important files through your iPhone/iPod! When you`re in a hurry or simply wants the things done as they are supposed +to be done, you can use FTP Drive + HTTP Server. As the name implies, you can use this app mainly as an FTP Server, +so you can mount it as a Network Drive in your favorite operative system or you can browse the files through a web +browser like Firefox, Safari, Chrome, Internet Explorer, ... + +(Copy of the Homepage: https://itunes.apple.com/us/app/ftp-drive-+-http-server-easiest/id455671784 ) +(Vendor Homepage: http://www.gummybearstudios.com/ios.html ) + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory discovered a code execution web vulnerability in the official Gummy Bear Studios FTP Drive + HTTP Server v1.0.4 iOS mobile web-application. 
+ + +Vulnerability Disclosure Timeline: +================================== +2014-03-20: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Critical + + +Technical Details & Description: +================================ +A code execution web vulnerability has been discovered in the official Gummy Bear Studios FTP Drive + HTTP Server v1.0.4 iOS mobile web-application. +The remote vulnerbaility allows an attacker to compromise the application and connected device components by usage of a system specific command execution. + +The vulnerability is located in the create folder input field. The input field direct executes the input via GET method request. The request has only a simple +quotes encoding. Remote attackers are easily able to execute code by usage of a script code payload in combination with system device specific php code values. +The execution of the code occurs in the main index file dir listing service context. The attack vector is on application-side and the request method to attack +the service is GET. To bypass the path values validation it is required to first add a folder via `newDir` value. The remote attacker is able to tamper the +create new folder post method request and can intercept the values twice to attach the second manipulated path value to provoke a code execution. After the +add it is possible to attach to the already included values via create new folder to execute the code. The security risk of the remote code execution web +vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 9.0(+)|(-)9.1. + +Exploitation of the remote code execution web vulnerability requires no privileged application user account (passwd default blank) or user interaction. 
+Successful exploitation of the code execution vulnerability results in mobile application compromise and connected or affected component compromise. + +Vulnerable Module(s): + [+] Create New Folder + +Vulnerable Parameter(s): + [+] path value + + +Proof of Concept (PoC): +======================= +The php code execution web vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account. +For security demonstration or to reproduce the vulnerability follow the provided steps and information below to continue. + +PoC: +http://localhost:8080/[CONNECTED PATH<]/?newDir=%22[ Upload + +Vulnerable Parameter(s): + [+] filename + +Affected Module(s): + [+] Music File Dir List (http://localhost:8080/) + + + +1.2 +An arbitrary file upload web vulnerability has been discovered in the official Lazybone Studios WiFi Music v1.0 iOS mobile web-application. +The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation. + +The vulnerability is located in the `upload` (video and music) module. Remote attackers are able to upload a php or js web-shells by renaming +the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name +and extension `ptest.mp3.html.php.js.aspx.mp3`. After the upload the attacker needs to open the file with the path value in the web application. +He deletes the .mp3 file extension and can access the application with elevated executable access rights. The security risk of the arbitrary file +upload web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.7(+)|(-)7.8. + +Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password. 
+Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells. + +Request Method(s): + [+] [POST] + +Vulnerable Module(s): + [+] Select File > Upload + +Vulnerable Parameter(s): + [+] filename (multiple extensions) + +Affected Module(s): + [+] Music File Dir List (http://localhost:8080/) + + +Proof of Concept (PoC): +======================= +1.1 +The local file include web vulnerability can be exploited by local attackers without user interaction or privileged application user account. +For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. + +PoC: iChm File Management - Index + + + + + + +
NameDelete
<./[LOCAL FILE INCLUDE VULNERABILITY!]">
+ + + +Source: Vulnerable Java Script (iChm File Management - Index) + + + + +--- PoC Session Logs [POST] --- +Status: 302[Found] +POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html] + Request Header: + Host[localhost:8080] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:8080/] + Connection[keep-alive] + POST-Daten: + POST_DATA[-----------------------------280732177711982 +Content-Disposition: form-data; name="newfile"; filename="<./[LOCAL FILE INCLUDE WEB VULNERABILITY!]>" +Content-Type: image/png + +Reference(s): +http://localhost:8080/[Index File Dir Listing] + + + +1.2 +The arbitrary file upload web vulnerability can be exploited by local attackers without user interaction or privileged application user account. +For security demonstration or to reproduce the file upload web vulnerability follow the provided information and steps below to continue. 
+ +PoC: http://localhost:8080/files/[ARBITRARY FILE UPLOAD PATH]-ptest.mp3.html.php.js.aspx.mp3` + +--- PoC Session Logs [POST] --- +Status: 302[Found] +POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html] + Request Header: + Host[localhost:8080] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:8080/] + Connection[keep-alive] + POST-Daten: + POST_DATA[-----------------------------141831923231387 +Content-Disposition: form-data; name="newfile"; filename="ptest.mp3.html.php.js.aspx.mp3" +Content-Type: image/jpeg + +Reference(s): +http://localhost:8080/files + + +Solution - Fix & Patch: +======================= +1.1 +The local file include web vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload file POST method request. +Filter and encode also the filename output listing of the index. + +1.2 +Filter and restrict the file name validation on uploads to prevent arbitrary file upload attacks. +Implement a secure own exception-handling to restrict and disallow files with multiple extensions. +Reset the executable rights for html and php codes in the little web-server settings config for /files. + + +Security Risk: +============== +1.1 +The security risk of the local file include web vulnerability is estimated as high(-). + +1.2 +The security risk of the arbitrary file upload web vulnerability is estimated as high(+). + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. 
Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- +Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business +profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some +states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation +may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases +or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and +other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), +modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. + + Copyright ? 
2014 | Vulnerability Laboratory [Evolution Security]
+
+
+
+--
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
diff --git a/platforms/hardware/webapps/32559.txt b/platforms/hardware/webapps/32559.txt
new file mode 100755
index 000000000..7fa595cfd
--- /dev/null
+++ b/platforms/hardware/webapps/32559.txt
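Review bot: The body of platforms/hardware/webapps/32557.txt changes subject partway through: its header and the files.csv row describe the Gummy Bear Studios FTP Drive + HTTP 1.0.4 advisory, but from the PoC section onward the text describes `Lazybone Studios WiFi Music v1.0 iOS` and an `iChm File Management` index, which is what the 32558 row added to files.csv refers to, while no 32558.txt appears between 32557.txt and 32559.txt in this diff (unless the diff is unsorted). The file reads as two advisories spliced together, so the 32557 PoC line is truncated and the Solution and Security Risk sections belong to the other product; the two should be separated so that the 32558 index row resolves to its own file. The `Affected Product(s):` section of 32557.txt is also left empty; a line such as `Product: FTP Drive + HTTP Server - iOS Mobile Web Application 1.0.4` would bring it in line with the other two advisories in this commit.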
@@ -0,0 +1,250 @@ +Document Title: +=============== +Easy FileManager 1.1 iOS - Multiple Web Vulnerabilities + + +References (Source): +==================== +http://www.vulnerability-lab.com/get_content.php?id=1234 + + +Release Date: +============= +2014-03-25 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +1234 + + +Common Vulnerability Scoring System: +==================================== +7.9 + + +Product & Service Introduction: +=============================== +This is a file management app which is very easy to use. You can manage your files under the specified directory, including copy, +cut, paste, delete, rename and create new directory. Preview the picture and play audio and video directly from the folder are supported. +This app also includes a simple FTP client. Users can use this client to connect to the remote ftp server, upload and download files from +the remote ftp server. It also includes a FTP Server and a HTTP Server. When you start the FTP Server, you can use common FTP client or +windows explorer to connect to the iphone via wifi. Also, when you start the HTTP Server, you can use internet browser to connect to the +server via wifi. It makes your iphone as a portable U disk. It’s really easyt to use this app. The function buttons are clearly. Also, +you can just long click the screen to get the action list. + +(Copy of the Homepage: https://itunes.apple.com/de/app/easy-file-manager/id487524125 ) +(Vendor Homepage: http://www.easytimestudio.com/ ) + + + +Abstract Advisory Information: +============================== +The Vulnerability Laboratory Research Team discovered multiple high severity vulnerabilities in the official Easytime Studio Easy File Manager v1.1 mobile web-application. 
+ + +Vulnerability Disclosure Timeline: +================================== +2014-03-25: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Affected Product(s): +==================== +Easytime Studio +Product: Easy File Manager - iOS Mobile Web Application 1.1 + + +Exploitation Technique: +======================= +Local + + +Severity Level: +=============== +High + + +Technical Details & Description: +================================ +1.1 +A local file include web vulnerability has been discovered in the official Easytime Studio Easy File Manager v1.1 mobile web-application. +A file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands +to compromise the web-application or mobile device. + +The web vulnerability is located in the `filename` value of the `Upload File > Send Data` module. Remote attackers are able to inject own +files with malicious `filename` value in the upload POST method request to compromise the mobile web-application. The attacker is able to +tamper the file upload POST method request to manipulate via intercept the vulnerable filename value. The request method to exploit is +POST and the attack vector is on the application-side of the wifi iOS mobile application. The local file/path include execution occcurs +in the main directory dir list. The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common +vulnerability scoring system) count of 7.8(+)|(-)7.9. + +Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. +Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise. 
+ +Request Method(s): + [+] [POST] + +Vulnerable Module(s): + [+] Select File > Upload + +Vulnerable Parameter(s): + [+] filename + +Affected Module(s): + [+] Directory Dir List (http://localhost:8080/) + + + +1.2 +An arbitrary file upload web vulnerability has been discovered in the official Easytime Studio Easy File Manager v1.1 mobile web-application. +The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation. + +The vulnerability is located in the `Upload File > Send Data` (resources & files) module. Remote attackers are able to upload a php or js web-shells +by renaming the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following +name and extension `ptest.txt.html.php.js.aspx.txt`. After the upload the attacker needs to open the file with the path value in the web application. +He deletes the .txt file extension and can access the application with elevated executable access rights. The security risk of the arbitrary file +upload web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 6.9(+)|(-)7.0. + +Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged application user account with password. +Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells. + +Request Method(s): + [+] [POST] + +Vulnerable Module(s): + [+] Upload File + +Vulnerable Function(s): + [+] Send Data + +Vulnerable Parameter(s): + [+] filename (multiple extensions) + +Affected Module(s): + [+] Directory Dir List (http://localhost:8080/) + + +Proof of Concept (PoC): +======================= +1.1 +The local file include web vulnerability can be exploited by remote attackers without user interaction or privileged application user account (ui passwd blank). 
+For security demonstration or to reproduce the remote web vulnerability follow the provided information and steps below to continue. + +PoC: Local File Include Vulnerability +http://localhost:8080/private/var/mobile/Applications/7A8AF3A4-0263-4E35-9E0A-74A430C18C7A/Documents/[LOCAL FILE INCLUDE VULNERABILITY!] + + +--- PoC- Session Logs [POST] --- + +Status: 200[OK] +POST http://localhost:8080/private/var/mobile/Applications/7A8AF3A4-0263-4E35-9E0A-74A430C18C7A/Documents/Videos?sessionid=f7aa0a7f-98cd-4477-9e1b-dda96297044a Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] + +Größe des Inhalts[1807] Mime Type[application/x-unknown-content-type] + Request Header: + Host[localhost:8080] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] + Accept + +[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:8080/private/var/mobile/Applications/7A8AF3A4 + +-0263-4E35-9E0A-74A430C18C7A/Documents/Videos?sessionid=f7aa0a7f-98cd-4477-9e1b-dda96297044a] + Connection[keep-alive] + POST-Daten: + POST_DATA[-----------------------------881557262072 +Content-Disposition: form-data; name="uploadfile"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]" +Content-Type: image/png + + +1.2 +The arbitary file uplaod web vulnerability can be exploited by remote attackers without user interaction or privileged application user account (ui passwd blank). +For security demonstration or to reproduce the remote web vulnerability follow the provided information and steps below to continue. 
+ +PoC: Arbitrary File Upload Vulnerability (Upload File) +http://localhost:8080/private/var/./.\[http://localhost:8080/private/var/mobile/Applications/]+File + + +--- PoC- Session Logs [POST] --- + +Status: pending[] +POST http://localhost:8080/private/var Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[unknown] Mime Type[unknown] + Request Header: + Host[localhost:8080] + User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0] + Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] + Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3] + Accept-Encoding[gzip, deflate] + Referer[http://localhost:8080/private/var] + POST-Daten: + POST_DATA[-----------------------------245202094720816 +Content-Disposition: form-data; name="uploadfile"; filename="test.jpg.html.php.asp.html.jpg" +Content-Type: image/jpeg + +Note: After the upload to the private /var folder the attacker is able to attach the document path with the file to compromise the web-server. + + +Solution - Fix & Patch: +======================= +1.1 +The local file include web vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload file POST method request. +Filter and encode also the filename output listing of the index. + +1.2 +Filter and restrict the file name validation on uploads to prevent arbitrary file upload attacks. +Implement a secure own exception-handling to restrict and disallow files with multiple extensions. +Reset the executable rights for html and php codes in the little web-server settings config for /files. + + +Security Risk: +============== +1.1 +The security risk of the local file include web vulnerability is estimated as high(+). + +1.2 +The security risk of the arbitrary file upload web vulnerability is estimated as high. + + +Credits & Authors: +================== +Vulnerability Laboratory [Research Team] - Katharin S. L. 
(CH) (research@vulnerability-lab.com) [www.vulnerability-lab.com] + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- +Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business +profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some +states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation +may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases +or trade with fraud/stolen material. + +Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com +Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com +Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com +Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php + +Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and +other information on this website is trademark of vulnerability-lab team & the specific authors or managers. 
To record, list (feed),
+modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+ Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
+
+
+
+--
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
diff --git a/platforms/hardware/webapps/32560.txt b/platforms/hardware/webapps/32560.txt
new file mode 100755
index 000000000..673be2b53
--- /dev/null
+++ b/platforms/hardware/webapps/32560.txt
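Review bot: The `Solution - Fix & Patch` section of platforms/hardware/webapps/32559.txt is copied from the 32557.txt advisory and does not fit this product: it tells the vendor to reset executable rights `in the little web-server settings config for /files`, but every path in this advisory lies under the app's `/private/var/mobile/Applications/<app-id>/Documents` tree, so the mitigation points at a directory this app does not serve. The section should name this app's own upload directory and, for 1.1, state that the `filename` value must be canonicalised and confined to the Documents tree before the upload is written or listed. The `Exploitation Technique` field also says `Local` while the Technical Details and PoC sections describe remote attackers reaching the WiFi HTTP server on port 8080; one of the two should be corrected. The PoC session log additionally embeds a live `sessionid` value that would normally be redacted before publication.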
@@ -0,0 +1,269 @@
+Document Title:
+===============
+ePhone Disk v1.0.2 iOS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1230
+
+
+Release Date:
+=============
+2014-03-25
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1230
+
+
+Common Vulnerability Scoring System:
+====================================
+6.9
+
+
+Product & Service Introduction:
+===============================
+ePhone Disk is lightweight file manager that lets you download, organize, transfer, offline read your files.
+It provides the most advanced WiFi sharing features in market.
+
+SHARE FILES VIA WIFI
+- Access iPhone like a USB drive from computer, simply use Drag and Drop to manage files
+- Discover nearby devices, and discoverable by others
+- Single tap to connect to nearby devices
+- Accessible from any WebDav client
+
+( Copy of the Homepage: https://itunes.apple.com/us/app/ephone-disk-download-share/id621895613 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Easiermobile Inc - ePhone Disk v1.0.2 iOS mobile web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-03-25: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Easiermobile Inc
+Product: ePhone Disk iOS - Download, Share Files via WiFi 1.0.2
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+1.1
+A local file include web vulnerability has been discovered in the official Easiermobile Inc - ePhone Disk v1.0.2 iOS mobile web-application.
+The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path
+commands to compromise the web-application or mobile device.
+
+The web vulnerability is located in the `filename` value of the `Upload file` module. Remote attackers are able to inject own files with malicious
+`filename` value in the upload POST method request to compromise the mobile web-application. The attack vector is persistent and the request
+method is POST. The local file/path include execution occcurs in the main file dir list. The security risk of the local file include web vulnerability
+is estimated as high(+) with a cvss (common vulnerability scoring system) count of 6.8(+)|(-)6.9.
+
+Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application user account with low user auth.
+Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.
+
+Request Method(s):
+ [+] [POST]
+
+Vulnerable Module(s):
+ [+] Upload File
+
+Vulnerable Parameter(s):
+ [+] filename
+
+Affected Module(s):
+ [+] Upload File > Index File Dir List (http://localhost:8080)
+
+
+
+1.2
+A local command/path injection web vulnerabilities has been discovered in the official Easiermobile Inc - ePhone Disk v1.0.2 iOS mobile web-application.
+A command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
+
+The vulnerability is located in the vulnerable `foldername` value of the wifi file dir list module. Local attackers are able to inject own malicious
+system specific commands or path value requests in the vulnerable foldername value. The injection requires a active sync with the wifi app stored folders.
+The execution of the local command inject bug via foldername value on sync occurs in the file dir index list of the main upload path. The security risk of
+the local command/path inject vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.3(+)|(-)6.4.
+
+Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
+Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and unauthorized path value requests to
+compromise the mobile iOS application or the connected device components.
+
+Request Method(s):
+ [+] Sync [POST]
+
+Vulnerable Parameter(s):
+ [+] foldername (path value)
+
+Affected Module(s):
+ [+] ./[iPhone]/Sub Category x - File Dir Listing
+
+
+
+1.3
+A remote denial of service web vulnerability has been discovered in the official Easiermobile Inc - ePhone Disk v1.0.2 iOS mobile web-application.
+A denial of service vulnerability allows remote attackers to block, freeze or crash the affected or vulnerable mobile online-service application.
+
+The vulnerability is located in the vulnerable `[download]` value of the downloads module. Local attackers are able to include tags as download
+path value via GET method request. The application responds with an unhandled exception and the result is a permanent online-service and
+application crash. The security risk of the remote denial of service web vulnerability is estimated as low(+) with a cvss (common vulnerability
+scoring system) count of 1.8(+)|(-)1.9.
+
+Exploitation of the denial of service web vulnerability requires no privileged iOS device account but low user interaction (allow|accept).
+Successful exploitation of the DoS vulnerability results in unauthorized execution of system specific commands and unauthorized path value
+requests to compromise the mobile iOS application or the connected device components.
+
+Request Method(s):
+ [+] [GET]
+
+Vulnerable Parameter(s):
+ [+] ?download
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The local file include web vulnerability can be exploited by local attackers with low user interaction and with low privileged web-interface account.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+
+PoC: Upload File > Name > [Index File Dir List]
+
+
+
+
+
+
+
NameDate ModifiedSize
Parent Directory
+ +./[LOCAL FILE INCLUDE VULNERABILITY!].png2014-03-19 14:09538 bytes +download
+
+
+--- PoC Sesion Logs [POST] ---
+Status: 200[OK]
+POST http://localhost:8080/iPhone/Downloads?upload=1 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[0] Mime Type[text/plain]
+ Request Header:
+ Host[localhost:8080]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
+ Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+ Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ Referer[http://localhost:8080/iPhone/Downloads]
+ Connection[keep-alive]
+ POST-Daten:
+ POST_DATA[-----------------------------57142047116429
+Content-Disposition: form-data; name="file"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!].png"
+Content-Type: image/png
+
+
+
+1.2
+The command inject web vulnerability can be exploited by local attackers with low user interaction and low privileged web-application user account.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+
+PoC: Foldername > Name > [Index File Dir List]
+
+
+
+
NameDate ModifiedSize
+iPhone/[LOCAL COMMAND INJECTION VULNERABILITY!]2014-03-19 14:11-- +
+
+
+
+1.3
+The denial of service web vulnerability can be exploited by remote attackers with low user interaction (allow|accept).
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+PoC:
+http://localhost:8080/iPhone/Downloads/[FileName].*?download=[REMOTE DENIAL OF SERVICE VULNERABILITY!]
+
+Note: After the accept of the device owner the application permanent crashes.
+A encode problem returns with an error which results in a crash via memory corruption.
+
+
+Solution - Fix & Patch:
+=======================
+1.1
+The first vulnerability can be patched by a secure parse of the filename value in the upload file module POST method request.
+Encode also the output file dir index list with the vulnerable filename output value to prevent injection of malicious context.
+
+1.2
+The first vulnerability can be patched by a secure parse of the folder name value in the app sync module POST method request.
+Encode also the output file dir index list with the vulnerable folder name output value to prevent injection of malicious context.
+
+1.3
+Restrict the download value to integer and allocate the memory. Implement an own little exception-handling to prevent remote denial of service attacks.
+
+
+Security Risk:
+==============
+1.1
+The security risk of the local file include vulnerability is estimated as critical.
+
+1.2
+The security risk of the local command inject vulnerability via phone foldername sync is estimated as high.
+
+1.3
+The security risk of the remote denial of service vulnerability is estimated as low(+).
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - LariX4 (research@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty.
Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
+Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
+profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
+states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
+may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
+or trade with fraud/stolen material.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
+other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
+modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+ Copyright ? 
2014 | Vulnerability Laboratory [Evolution Security]
+
+
+
+--
+VULNERABILITY LABORATORY RESEARCH TEAM
+DOMAIN: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
diff --git a/platforms/multiple/webapps/32556.txt b/platforms/multiple/webapps/32556.txt
new file mode 100755
index 000000000..77bf5cc02
--- /dev/null
+++ b/platforms/multiple/webapps/32556.txt
@@ -0,0 +1,318 @@
+Document Title:
+===============
+Dell SonicWall EMail Security Appliance Application v7.4.5 - Multiple Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1191
+
+Dell (SonicWall) Security Bulletin: http://www.sonicwall.com/us/shared/download/Support-Bulletin_Email-Security_Scripting_Vulnerability__Resolved_in__ES746.pdf
+
+
+Release Date:
+=============
+2014-03-26
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1191
+
+
+Common Vulnerability Scoring System:
+====================================
+3.5
+
+
+Product & Service Introduction:
+===============================
+While most businesses now have some type of anti-spam protection, many must deal with cumbersome
+management, frustrated users, inflexible solutions, and a higher-than-expected total cost of ownership.
+SonicWALL® Email Security can help. Elegantly simple to deploy, manage and use, award-winning SonicWALL
+Email Security solutions employ a variety of proven and patented technology designed to block spam and
+other threats effectively, easily and economically. With innovative protection techniques for both
+inbound and outbound email plus unique management tools, the Email Security platform delivers superior
+email protection today—while standing ready to stop the new attacks of tomorrow.
+
+SonicWALL Email Security can be flexibly deployed as a SonicWALL Email Security Appliance, as a software
+application on a third party Windows® server, or as a SonicWALL Email Security Virtual Appliance in a
+VMW® environment. The SonicWALL Email Security Virtual Appliance provides the same powerful protection as a
+traditional SonicWALL Email Security appliance, only in a virtual form, to optimize utilization,
+ease migration and reduce capital costs.
+
+(Copy of the Vendor Homepage: http://www.sonicwall.com/us/products/Anti-Spam_Email_Security.html)
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered multiple persistent input validation vulnerabilities in the official Dell SonicWall EMail Security Appliance v7.4.6 Web-Application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-02-07: Researcher Notification & Coordination (Benjamin Kunz Mejri)
+2014-02-08: Vendor Notification (Dell Security Team)
+2014-02-14: Vendor Response/Feedback (Dell Security Team)
+2014-03-25: Vendor Fix/Patch (SonicWall Developer Team)
+2014-03-26: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+DELL SonicWall
+Product: EMail Security Appliance Application 7.4.5.1393
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+Multiple persistent input validation web vulnerabilities has been discovered in the official Dell SonicWall EMail Security Appliance v7.4.6 Web-Application.
+The vulnerability allows remote attackers or low privileged user accounts to inject own malicious script codes via POST method request to compromise the
+application or user session data/information.
+
+The first vulnerability is located in the `filename` value of the `settings_advanced.html` file. Remote attackers and low privileged application user accounts
+are able to inject own malicious script codes to the application-side of the `Advanced Settings - Patch hochladen > Patch-Datei` module. Attackers can manipulate
+the file upload POST method request by tampering the session. Next to tampering the session the attacker exchange the file name with a malicious script code
+as payload. 
In the next step the website reloads the next firmware upgrade page (wait.html) with the file details. The execute of the injected script code
+via POST method request occurs at the location of the listed file name value. The security risk of the persistent validation web vulnerability is estimated
+as medium with a cvss (common vulnerability scoring system) count of 3.5(-).
+
+The second vulnerability is located in the file name value of the settings_upload_dlicense.html file. Remote attackers and low privileged application user accounts
+are able to inject own malicious script codes to the application-side of the Lizenz Verwaltung - Lizenzen Upload module. The request method is POST and the attack
+vector is persistent. The execute occurs in the exception context of the license update page module. The security risk of the persistent validation web
+vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.0(+).
+
+Exploitation of both vulnerabilities requires to bypass the regular validation of the web application appliance. To bypass the filter remote attackers can inject two
+payloads with a split in the middle. The validation encodes the first injected payload and the second after the split executes the code.
+
+Exploitation of the remote web vulnerabilities requires a privileged user account without user interaction or a remote user with medium to high user interaction.
+Successful exploitation of the persistent web vulnerabilities results in session hijacking, persistent external redirects, persistent phishing and persistent
+manipulation of vulnerable connected or affected modules.
+
+Request Method:
+ [+] POST
+
+Vulnerable Module:
+ [+] Advanced Settings - Patch hochladen > Patch-Datei (settings_advanced.html)
+ [+] Lizenz Verwaltung - Lizenzen Upload > (settings_upload_dlicense.html)
+
+Vulnerable Parameter(s):
+ [+] file name
+
+Affected Module(s):
+ [+] Firmware Update - Waiting Page (wait.html)
+ [+] License Update Page (exception)
+
+Affected Version(s):
+ [+] 7.4.6
+
+Affected Appliance Model(s):
+ [+] Dell SonicWall EMail Security Appliance Web Application - All Models
+
+
+Proof of Concept (PoC):
+=======================
+The two persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged email security application user account and
+low user interaction or without privileged web-application user account on client-side via POST inject. For security demonstration or to reproduce the
+vulnerability follow the provided information and steps below.
+
+
+URL: Input
+http://ess.localhost:8619/settings_advanced.html
+
+URL: Execute
+http://ess.localhost:8619/wait.html
+
+
+PoC: Firmware Update - Status Waiting Site
+
+
+
Die Firmware wird aktualisiert...
+
+
+ Installationsdateien werden vorbereitet. Starten Sie keine Dienste neu! +
Email Security ist immer noch mit der Verarbeitung von E-Mails beschäftigt.
+
+
Aktuelle Produktversion von Email Security 7.4.5.1393.
+
Upgrade mit >>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg.
+
+
+
Abgelaufene Zeit: 00:00:36
+
+
+
+
+
+
+
+--- PoC Session Logs [POST] ---
+
+Status: 302[Moved Temporarily]
+POST http://ess.localhost:8619/settings_advanced.html Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[text/html]
+ Request Header:
+ Host[esserver.demo.sonicwall.com]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
+ Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+ Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ Referer[http://esserver.demo.sonicwall.com/settings_advanced.html]
+ Cookie[s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=48D1C2695CBD91CAAA187C5A9DFFD5DC]
+ Connection[keep-alive]
+ POST-Daten:
+ POST_DATA[-----------------------------213272019431414
+Content-Disposition: form-data; name="sortFiles"
+
+false
+-----------------------------213272019431414
+Content-Disposition: form-data; name="smtpBanner"
+
+><>