240 lines
No EOL
8.9 KiB
Text
240 lines
No EOL
8.9 KiB
Text
Title:
|
||
======
|
||
USB Sharp v1.3.4 iPad iPhone - Multiple Web Vulnerabilities
|
||
|
||
|
||
Date:
|
||
=====
|
||
2013-02-16
|
||
|
||
|
||
References:
|
||
===========
|
||
http://www.vulnerability-lab.com/get_content.php?id=873
|
||
|
||
|
||
VL-ID:
|
||
=====
|
||
873
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
6.3
|
||
|
||
|
||
Introduction:
|
||
=============
|
||
USB Sharp Pro can turn your iPhone, ipad, ipod into a large Capacity, Portable and Wireless storage disk,
|
||
Facilitate and efficient manage of your files!
|
||
|
||
Support for editing php, js, html file.
|
||
Support the open format, such as flv,asf,rmvb,avi,mpg,mkv,wmv.
|
||
Dropbox Operate, multiple files upload & download, history,create folder
|
||
Add manual
|
||
Chrome and Firefox Supported upload multiple files
|
||
Extract files from encryption .rar
|
||
Optimization pdf reader,
|
||
Support for importing videos/photos to Photo Library
|
||
Support for exporting video from Photo Library
|
||
Search file(folder) name function added
|
||
Picture Viewer Improved
|
||
Unzip type added
|
||
Add authentication for local login
|
||
Add authentication for wifi transfer
|
||
Custom background image;
|
||
... ... ...
|
||
Full screen view files Supported
|
||
Multiple photo import Supported
|
||
Sorting by file name?create time and file type
|
||
View, copy, move, delete, rename, email, zip Compression and unzip files/folders
|
||
Encryption folder, protect your files
|
||
Extract all files from a compressed .zip file
|
||
Glide deleting function
|
||
Select all and Cancel all operate
|
||
Transferring files by wifi and iTunes file sharing
|
||
Email multiple files, folder Supported
|
||
Open email attachments
|
||
Photo import Supported
|
||
Open files in other applications
|
||
Landscape mode supported
|
||
iPad-compatible
|
||
|
||
Plain text: .txt .php .js .html
|
||
Document: .pdf .csv .rtf .rtfd .doc .docx .xls .xlsx .ppt .pptx (office 2003 or later)
|
||
Image: .png .jpg .jpeg .gif .bmp .xbm .tif .tiff
|
||
Audio: .mp3 .m4a .aac
|
||
Video: .mp4 .mov .m4v .3gp .flv .asf .rmvb .avi .mpg .mkv .wmv
|
||
Web: .htm .html .xhtml
|
||
Compressed: .zip .rar
|
||
|
||
Cost: 2,99$ - iPad or iPhone (iTunes or Appstore)
|
||
|
||
(Copy of the Homepage: https://itunes.apple.com/us/app/usb-sharp-pro/id436590784 )
|
||
|
||
|
||
Abstract:
|
||
=========
|
||
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the mobile USB Sharp v1.3.4 app for the apple ipad & iphone.
|
||
|
||
|
||
Report-Timeline:
|
||
================
|
||
2013-02-16: Public Disclosure
|
||
|
||
|
||
Status:
|
||
========
|
||
Published
|
||
|
||
|
||
Affected Products:
|
||
==================
|
||
Apple AppStore
|
||
Product: USB Sharp - Web Server Application 1.3.4
|
||
|
||
|
||
Exploitation-Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity:
|
||
=========
|
||
High
|
||
|
||
|
||
Details:
|
||
========
|
||
1.1
|
||
A local file include web vulnerability via POST request method is detected in the mobile USB Sharp v1.3.4 app for the apple ipad & iphone.
|
||
The vulnerability allows remote attackers via POST method to inject local app webserver folders to request unauthorized local webserver files.
|
||
|
||
The vulnerbility is located in the upload file module of the webserver (http://192.168.0.10/) when processing to load a manipulated
|
||
filename via POST. The execution of the injected path or file request will occur when the attacker is processing to watch the file dir listing.
|
||
|
||
Exploitation of the vulnerability requires no user interaction and can be done without privileged application user account (no password standard).
|
||
Successful exploitation of the vulnerability results in unauthorized path or file access via local file or path include attack.
|
||
|
||
Vulnerable Application(s):
|
||
[+] USB Sharp v1.3.4 - ITunes or AppStore (Apple)
|
||
|
||
Vulnerable Module(s):
|
||
[+] File Upload (Web Server) [Remote]
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] filename
|
||
|
||
Affected Module(s):
|
||
[+] Filename Dir Index Listing
|
||
|
||
|
||
|
||
1.2
|
||
A persistent input validation vulnerability is detected in the mobile USB Sharp v1.3.4 app for the apple ipad & iphone.
|
||
The bug allows an attacker (remote) to implement/inject malicious script code on the application side (persistent) of the app web service.
|
||
|
||
The vulnerability is located in the index file dir listing module of the webserver (http://192.168.0.10:41491/) when processing to inject
|
||
via POST method manipulated new chxItem parameters. The persistent script code will be executed out of the main index file dir listing
|
||
module when the service is processing to list the new foldername as item.
|
||
|
||
Exploitation of the vulnerability requires low or medium user interaction without privileged application user account.
|
||
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web
|
||
attacks, persistent phishing or stable (persistent) certificate mail notification context manipulation.
|
||
|
||
Vulnerable Application(s):
|
||
[+] USB Sharp v1.3.4 - ITunes or AppStore (Apple)
|
||
|
||
Vulnerable Module(s):
|
||
[+] Index File Dir Listing
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] Foldername (items > chxItem)
|
||
|
||
Affected Module(s):
|
||
[+] Index Listing
|
||
|
||
|
||
Proof of Concept:
|
||
=================
|
||
1.1
|
||
The local file include web vulnerability can be exploited by remote attackers without user interaction and without
|
||
privileged application user account. For demonstration or reproduce ...
|
||
|
||
Example:
|
||
File > Upload via POST > Tamper Session > Change Filename Value to File or Path + Extension > Open Listing > Execution
|
||
|
||
PoC: (POST)
|
||
-----------------------------1337341202721337
|
||
Content-Disposition: form-data; name="file"; filename="..%2F..%2F..%2F..%2Fcmd>home>tmp%00<'.JPG"
|
||
Content-Type: image/jpg
|
||
|
||
Note: Encode the request ago to bypass the encoding validation of the input. (%2F)
|
||
|
||
Reference(s):
|
||
http://192.168.0.10:41491/
|
||
|
||
|
||
1.2
|
||
The persistent input validation vulnerability can be exploited by remote attackers without user interaction and without
|
||
privileged application user account. For demonstration or reproduce ...
|
||
|
||
|
||
PoC: Index - Folder Dir Listing
|
||
|
||
<tbody id="filelist"><tr><td><input name="chxItem" value="[PERSISTENT INJECTED SCRIPT CODE!]"
|
||
onclick="selChkItem(this)" type="checkbox"></td><td><a href="/[PERSISTENT INJECTED SCRIPT CODE!]%3C?guid=
|
||
47E79C76-D4C2-4086-B695-3CEE71A6B5F3&type=child" class="file"><span style="vertical-align:middle;"><img src="/Folder.png"
|
||
style="border:0;vertical-align:middle" ;=""></span>%20"><[PERSISTENT INJECTED SCRIPT CODE!];)" <<="" a=""></td><td></td>
|
||
<td>2013-02-10 22:57:54</td><td><input name="commit" type="button" value="Delete"
|
||
onclick="DelegateData('/[PERSISTENT INJECTED SCRIPT CODE!]','47E79C76-D4C2-4086-B695-3CEE71A6B5F3');"
|
||
class='button' /></form></td></tr></tbody></table></iframe></a></td></tr><tr><td colspan="5"><span class="total">1 items</span>
|
||
</td></tr></tbody>
|
||
|
||
|
||
Reference(s):
|
||
http://192.168.0.10:41491/
|
||
|
||
|
||
Risk:
|
||
=====
|
||
1.1
|
||
The security risk of the local file/path include web vulnerability via POST request method is estimated as high(+).
|
||
|
||
1.2
|
||
The security risk of the persistent input validation web vulnerability is estimated as medium.
|
||
|
||
|
||
Credits:
|
||
========
|
||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
|
||
|
||
|
||
Disclaimer:
|
||
===========
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
||
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
||
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2013 | Vulnerability Laboratory
|
||
|
||
--
|
||
VULNERABILITY RESEARCH LABORATORY
|
||
LABORATORY RESEARCH TEAM
|
||
CONTACT: research@vulnerability-lab.com |