226 lines
No EOL
9 KiB
Text
226 lines
No EOL
9 KiB
Text
Title:
|
||
======
|
||
Wireless Photo Access 1.0.10 iOS - Multiple Vulnerabilities
|
||
|
||
|
||
Date:
|
||
=====
|
||
2013-04-27
|
||
|
||
|
||
References:
|
||
===========
|
||
http://www.vulnerability-lab.com/get_content.php?id=934
|
||
|
||
|
||
VL-ID:
|
||
=====
|
||
934
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
5.6
|
||
|
||
|
||
Introduction:
|
||
=============
|
||
Is it too difficult to get your photos and videos in original quality from your iPhone or iPad? Simply access them
|
||
from any nearby computer or another iPhone/iPod/iPad using Web Browser without need to install any 3rd party transfer utilities.
|
||
|
||
* Access and download all your photos and videos instantly without iTunes syncing and without installing 3rd party transfer utilities
|
||
* Simply run WiFi Photo Access on your device and point Web Browser on your computer to displayed address
|
||
* One tap download for photos or videoclips (you can also choose to view in current window or view in new window) to another iPhone/iPad
|
||
or any Mac or PC computer
|
||
* Download all videoclips in original and unmodified HD quality (when sending by e-mail all videos are repacked and lose quality, this
|
||
won`t happen with MediaBox)
|
||
* View or download all pictures while preserving all metadata and original quality
|
||
* Show off your pictures directly from your device without need to sync, e-mail or upload
|
||
* Video thumbnails display video size in Mb and duration in seconds
|
||
* Photo Access will prevent auto-lock and screen dim feature so your WiFi connection stays alive until you close the application
|
||
* Configurable custom port that Web Server listens on
|
||
* Optional privacy to deny access to another persons on same local network (username and password authentication)
|
||
* Photo Access requires iOS 4.0 and works on iPhone, iPod and iPad (takes advantage of Retina display on iPhone 4)
|
||
* Location Services needs to be enabled for WiFi MediaBox to be able to access your media files (this is because photos might contain GPS coordinates).
|
||
This is an iOS requirement and your GPS location is not being acquired, nor used for any purpose.
|
||
* If you have Restrictions turned ON, please make sure to Allow Changes for Location Services at least temporarily on first startup so Photo Access
|
||
can get access to your Photos library.
|
||
|
||
(Copy of the Homepage: https://itunes.apple.com/us/app/wifi-mediabox-photo-video/id422804836 )
|
||
|
||
|
||
Abstract:
|
||
=========
|
||
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the mobile Wireless Photo Access 1.0.10 iOS app (Apple - iPad|iPhone).
|
||
|
||
|
||
Report-Timeline:
|
||
================
|
||
2013-04-27: Public Disclosure
|
||
|
||
|
||
Status:
|
||
========
|
||
Published
|
||
|
||
|
||
Affected Products:
|
||
==================
|
||
Apple AppStore
|
||
Product: Wireless Photo Access 1.0.10
|
||
|
||
|
||
Exploitation-Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity:
|
||
=========
|
||
High
|
||
|
||
|
||
Details:
|
||
========
|
||
1.1
|
||
A local command injection web vulnerability is detected in the mobile Wireless Photo Access 1.0.10 iOS app (Apple - iPad|iPhone).
|
||
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
|
||
|
||
The vulnerbility is located in the index toolbar module when processing to load a ipad or iphone device name. Local attackers can change
|
||
the ipad/iphone device name to system specific commands and file requests to provoke an execution when processing to watch the
|
||
main index listing of the pictures. The execution of the script code occurs in the device name web context when processing to
|
||
display the vulnerable name value.
|
||
|
||
Exploitation of the web vulnerability does not require an application user account with login (standard) or user interaction.
|
||
Successful exploitation of the vulnerability results unauthorized local execution of system specific commands and path requests.
|
||
|
||
|
||
Vulnerable Application(s):
|
||
[+] Wireless Photo Access 1.0.10 - ITunes or AppStore (Apple)
|
||
|
||
Vulnerable Module(s):
|
||
[+] Toolbar - Index
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] device name
|
||
|
||
Affected Module(s):
|
||
[+] Toolbar Listing - Index
|
||
|
||
|
||
|
||
1.2
|
||
A remote denial of service vulnerability is detected in the mobile Wireless Photo Access 1.0.10 iOS app (Apple - iPad|iPhone).
|
||
The vulnerability allows a remote attackers to crash down the software process of the vulnerable iOS service application.
|
||
|
||
The vulnerability is located in the thumb and img (image) module of the application when processing to request an invalid or non exisiting
|
||
id via url parameter. The non exisiting or invalid id request via GET method results in a stable iOS web-server service app crash.
|
||
|
||
Exploitation of the vulnerability does not require an application user account with login or user interaction.
|
||
Successful exploitation of the denial of service vulnerability results in a stable iOS application and web-server crash.
|
||
|
||
|
||
Vulnerable Application(s):
|
||
[+] Wireless Photo Access 1.0.10 - ITunes or AppStore (Apple)
|
||
|
||
Vulnerable Module(s):
|
||
[+] thumb and img
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] id
|
||
|
||
Affected Module(s):
|
||
[+] Web-Server
|
||
|
||
|
||
Proof of Concept:
|
||
=================
|
||
1.1
|
||
The local command injection web vulnerability can be exploited by remote attackers without an application user account
|
||
and also without user interaction. For demonstration or reproduce ...
|
||
|
||
Manually steps to reproduce ... Command Inject via Album Foldername
|
||
|
||
1. Install the application from itunes or the apple appstore
|
||
2. Start the application on your ipad or iphone
|
||
3. Open the settings menu of iOS and switch to the name of your iOS device
|
||
4. Change the device name to your own malicious string to for a later execution of the command/path injection
|
||
5. Open the localhost web-server of the wireless application and refresh the index listing
|
||
6. The main index toolbar will execute the device name context without secure encoding
|
||
7. Successful reproduced!
|
||
|
||
PoC: Device Name - Toolbar
|
||
|
||
<div class="toolbar">
|
||
<div id="left">
|
||
<div><font style="font-size:13px;"><b>Wireless Photo Access:</b> >%20>"
|
||
<iframe src="Wireless%20Photo%20Access%20for%20iOS_files/a.htm">
|
||
<i>(Free Lite version)</i></font></div>
|
||
</div>
|
||
<div id="right">
|
||
<a href="http://www.xxxxx.sk/wifiaccess"><button
|
||
class="button">Support</button></a>
|
||
</div>
|
||
</div>
|
||
|
||
|
||
1.2
|
||
The remote denial of service vulnerability can be exploited by remote attackers without an application user account or user interaction.
|
||
For demonstration or reproduce ...
|
||
|
||
|
||
Standard Request:
|
||
http://localhost:8080/img.jpg?id=22 (IMAGE)
|
||
http://localhost:8080/thumb?id=23 (THUMBNAIL)
|
||
|
||
Manipulated Request:
|
||
http://localhost:8080/img.jpg?id=99999 (IMAGE)
|
||
http://localhost:8080/thumb?id=----- (THUMBNAIL)
|
||
http://localhost:8080/img.jpg?id=AAAAA (IMAGE)
|
||
http://localhost:8080/thumb?id=1+_s (THUMBNAIL)
|
||
|
||
|
||
|
||
|
||
Risk:
|
||
=====
|
||
1.1
|
||
The security risk of the local command/path injection web vulnerability is estimated as high.
|
||
|
||
1.2
|
||
The security risk of the remote denial of service web vulnerability is estimated as medium.
|
||
|
||
|
||
Credits:
|
||
========
|
||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
|
||
|
||
|
||
Disclaimer:
|
||
===========
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
||
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
||
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2013 | Vulnerability Laboratory
|
||
|
||
--
|
||
VULNERABILITY RESEARCH LABORATORY
|
||
LABORATORY RESEARCH TEAM
|
||
CONTACT: research@vulnerability-lab.com |