249 lines
No EOL
10 KiB
Text
249 lines
No EOL
10 KiB
Text
Title:
|
||
======
|
||
Wireless Disk PRO v2.3 iOS - Multiple Web Vulnerabilities
|
||
|
||
|
||
Date:
|
||
=====
|
||
2013-02-26
|
||
|
||
|
||
References:
|
||
===========
|
||
http://www.vulnerability-lab.com/get_content.php?id=883
|
||
|
||
|
||
VL-ID:
|
||
=====
|
||
883
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
6.2
|
||
|
||
|
||
Introduction:
|
||
=============
|
||
AirDisk Pro allows you to store, view and manage files on your iPhone, iPad or iPod touch. You can connect to AirDisk Pro from any Mac or
|
||
PC over the Wi-Fi network and transfer files by drag & drop files straight from the Finder or Windows Explorer.
|
||
|
||
DOCUMENT READER:
|
||
Support MS Office, iWork, Text & HTML
|
||
MULTIMEDIA PLAYER:
|
||
An ability to in app create your own audio playlist with repeat, shuffle, background playback and remote control from multitask.
|
||
HTTP/FTP PASSWORD PROTECTED:
|
||
Files transfer between PC/Mac with password protected.
|
||
FILE OPERATION:
|
||
Move, Copy, Rename, Delete, Zip, Unzip, UnRAR, Create File and Folder.
|
||
FILE SHARING:
|
||
File sharing with other iPhone/iPad devices via Bluetooth or Wi-Fi connection with automatic search of nearest available devices around you.
|
||
EASY FILE UPLOAD:
|
||
Drag and drop files upload via your PC/Mac web browser or USB via iTunes File Sharing.
|
||
TEXT EDITOR:
|
||
Built-in text editor that allows you to edit your text files or source codes on your iOS device.
|
||
IMPORT/ FILES CREATION:
|
||
An ability to create text files, image captures, video records, voice recordings and import pictures from photo library.
|
||
PASSCODE LOCK:
|
||
An ability to protect your files from viewing by others.
|
||
UNIVERSALITY:
|
||
This app is developed for both iPhone and iPad, you need to purchase only once.
|
||
|
||
AirDisk Pro features document viewer, PDF reader, music player, image viewer, voice recorder, text editor, file manager and
|
||
support most of the file operations: like delete, move, copy, email, share, zip, unzip and more.
|
||
|
||
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 )
|
||
|
||
|
||
Abstract:
|
||
=========
|
||
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the mobile Wireless Disk PRO v2.3 app for the apple ipad & iphone.
|
||
|
||
|
||
Report-Timeline:
|
||
================
|
||
2013-02-26: Public Disclosure
|
||
|
||
|
||
Status:
|
||
========
|
||
Published
|
||
|
||
|
||
Affected Products:
|
||
==================
|
||
Apple
|
||
Product: Wireless Disk PRO 2.3
|
||
|
||
|
||
Exploitation-Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity:
|
||
=========
|
||
Critical
|
||
|
||
|
||
Details:
|
||
========
|
||
1.1
|
||
A local file include web vulnerability via POST request method is detected in the mobile Wireless Disk PRO v2.3 app for the apple ipad & iphone.
|
||
The vulnerability allows remote attackers via POST method to inject local app webserver folders to request unauthorized local webserver files.
|
||
|
||
The vulnerbility is located in the upload file module of the webserver (http://localhost:6566/) when processing to request a manipulated
|
||
filename via POST. The execution of the injected path or file request will occur when the attacker is processing to reload to index listing
|
||
of the affected module after the file include attack via upload.
|
||
|
||
Exploitation of the vulnerability requires no user interaction and also without application user account (no password standard).
|
||
Successful exploitation of the vulnerability results in unauthorized path or file access via local file or path include attack.
|
||
|
||
Vulnerable Application(s):
|
||
[+] Wireless Disk PRO v2.3 - ITunes or AppStore (Apple)
|
||
|
||
Vulnerable Module(s):
|
||
[+] File Upload (Web Server) [Remote]
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] filename
|
||
|
||
Affected Module(s):
|
||
[+] File - Index Listing
|
||
|
||
|
||
|
||
1.2
|
||
A local command injection web vulnerability is detected in the mobile Wireless Disk PRO v2.3 app for the apple ipad & iphone.
|
||
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile application.
|
||
|
||
The vulnerbility is located in the index module when processing to load the ipad or iphone device name. Local attackers can
|
||
change the ipad or iphone device name to system specific commands and file/path requests to provoke the execution when
|
||
processing to watch the index site of the application.
|
||
|
||
Exploitation of the web vulnerability requires a local privilege device user account (standard) without user interaction.
|
||
Successful exploitation of the vulnerability results unauthorized execution of system specific commands or file/path requests.
|
||
|
||
Vulnerable Application(s):
|
||
[+] Wireless Disk PRO v2.3 - ITunes or AppStore (Apple)
|
||
|
||
Vulnerable Module(s):
|
||
[+] Index
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] device name
|
||
|
||
Affected Module(s):
|
||
[+] Header Device - Index File Dir Listing
|
||
|
||
|
||
|
||
1.3
|
||
A persistent input validation vulnerability is detected in the mobile Wireless Disk PRO v2.3 app for the apple ipad & iphone.
|
||
The bug allows an attacker (remote) to implement/inject malicious script code on the application side (persistent) of the app web service.
|
||
|
||
The vulnerability is located in the index file dir listing module of the webserver (http://localhost:6566/) when processing to display
|
||
injected and via POST request method manipulated filenames. The persistent script code will be executed out of the main index file dir
|
||
listing module when the service is processing to list the new malicious injected filename as item.
|
||
|
||
Exploitation of the persistent web vulnerability requires low or medium user interaction without application user account.
|
||
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web
|
||
attacks, persistent phishing or stable (persistent) certificate mail notification context manipulation.
|
||
|
||
Vulnerable Application(s):
|
||
[+] Wireless Disk PRO v2.3 - ITunes or AppStore (Apple)
|
||
|
||
Vulnerable Module(s):
|
||
[+] File Upload (Web Server) [Remote]
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] name
|
||
|
||
Affected Module(s):
|
||
[+] Filename - Index File Dir Listing
|
||
|
||
|
||
Proof of Concept:
|
||
=================
|
||
1.1
|
||
The file include web vulnerability can be exploited by remote attackers without application user account and also without user interaction.
|
||
For demonstration or reproduce ...
|
||
|
||
PoC: (POST)
|
||
-----------------------------243701706111075
|
||
Content-Disposition: form-data; name="file"; filename="[FILE/PATH INCLUDE WEB VULNERABILITY].png"
|
||
Content-Type: image/gif flag: 137
|
||
|
||
|
||
1.2
|
||
The command injection web vulnerability can be exploited by local privilege device user accounts with low required user interaction.
|
||
For demonstration or reproduce ...
|
||
|
||
DEVICE NAME: IPad360 <20>337
|
||
|
||
Standard Application Header:
|
||
<div id="header_bottom">The following files are the hosts live from IPad360 <20>337 WirelessDisk App Document folder</div>
|
||
|
||
Manipulated Application Header:
|
||
<div id="header_bottom">The following files are the hosts live from [COMMAND INJECTION VIA DEVICENAME!] WirelessDisk App Document folder</div>
|
||
|
||
|
||
1.3
|
||
The persistent script code injection web vulnerability can be exploited by remote attackers without application user account
|
||
and with medium required user interaction. For demonstration or reproduce ...
|
||
|
||
Review: Index File Dir Listing - Name
|
||
<table id="table1" border="0" cellpadding="1" cellspacing="2" width="741"><tbody><tr><td style="width:461px;background-color:#ebebeb;">
|
||
?? <a href="327.png" target="_blank">327.png</a></td><td style="width:100px;background-color:#e3e3e3;text-align:right;">
|
||
27.27 KB </td><td style="width:180px;text-align:center;background-color:#ebebeb;">2013-02-11 08:07:16</td></tr><tr>
|
||
<td style="width:461px;background-color:#ebebeb;"> ??
|
||
<a href="<[PERSISTENT INJECTED SCRIPT CODE AS NAME!]" target="_blank"><[PERSISTENT INJECTED SCRIPT CODE AS NAME!]>%20%20%20%20</a></td>
|
||
<td style="width:100px;background-color:#e3e3e3;text-align:right;">27.27 KB </td><td style="width:180px;text-align:
|
||
center;background-color:#ebebeb;">2013-02-11 08:07:35</td></tr>
|
||
|
||
|
||
Risk:
|
||
=====
|
||
1.1
|
||
The security risk of the local file/path include web vulnerability via POST request method is estimated as critical.
|
||
|
||
1.2
|
||
The security risk of the local command injection vulnerability is estimated as high(-).
|
||
|
||
1.3
|
||
The security risk of the persistent input validation web vulnerability is estimated as medium(+).
|
||
|
||
|
||
Credits:
|
||
========
|
||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
|
||
|
||
|
||
Disclaimer:
|
||
===========
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
||
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
||
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2013 | Vulnerability Laboratory
|
||
|
||
--
|
||
VULNERABILITY RESEARCH LABORATORY
|
||
LABORATORY RESEARCH TEAM
|
||
CONTACT: research@vulnerability-lab.com |