243 lines
No EOL
11 KiB
Text
243 lines
No EOL
11 KiB
Text
Document Title:
|
||
===============
|
||
Air Gallery 1.0 Air Photo Browser - Multiple Vulnerabilities
|
||
|
||
|
||
References (Source):
|
||
====================
|
||
http://www.vulnerability-lab.com/get_content.php?id=1165
|
||
|
||
|
||
Release Date:
|
||
=============
|
||
2013-12-09
|
||
|
||
|
||
Vulnerability Laboratory ID (VL-ID):
|
||
====================================
|
||
1165
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
6.5
|
||
|
||
|
||
Product & Service Introduction:
|
||
===============================
|
||
View your entire photo library in a standard web browser! Show off your photos easily! Excellent for showing slides
|
||
during a meeting, browsing through friends photos and more!
|
||
|
||
- View your photos in a browser over WiFi
|
||
- Optional password protection
|
||
- Show albums, events, faces (your photo library needs to have these albums in order to show it)
|
||
- One click slideshows
|
||
- Easy navigation
|
||
- Supports bonjour publishing
|
||
|
||
(Copy of the Homepage: https://itunes.apple.com/app/id499204622 )
|
||
|
||
|
||
Abstract Advisory Information:
|
||
==============================
|
||
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
|
||
|
||
|
||
Vulnerability Disclosure Timeline:
|
||
==================================
|
||
2013-12-09: Public Disclosure (Vulnerability Laboratory)
|
||
|
||
|
||
Discovery Status:
|
||
=================
|
||
Published
|
||
|
||
|
||
Affected Product(s):
|
||
====================
|
||
SharkFood
|
||
Product: Air Gallery - Air Photo Browser iOS 1.0
|
||
|
||
|
||
Exploitation Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity Level:
|
||
===============
|
||
High
|
||
|
||
|
||
Technical Details & Description:
|
||
================================
|
||
1.1
|
||
A local command/path injection web vulnerabilities has been discovered in the SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
|
||
A local command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
|
||
|
||
The vulnerability is located in the vulnerable `devicename` value of the file dir und sub category `header` (header-title) section. Local attackers are
|
||
able to inject own malicious system specific commands or path value requests as the physical iOS hardware devicename. The execute of the injected
|
||
command or path request occurs with persistent attack vector in the index and sub category list of the web interface. The security risk of the local
|
||
command/path inject vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.5(+)|(-)6.6.
|
||
|
||
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
|
||
Successful exploitation of the vulnerability results in unauthorized execute of system specific commands or unauthorized path requests.
|
||
|
||
|
||
Vulnerable Module(s):
|
||
[+] Content > header-title
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] devicename
|
||
|
||
Affected Module(s):
|
||
[+] Index- File Dir Listing
|
||
[+] Sub Folder/Category - File Dir Listing
|
||
|
||
|
||
|
||
1.2
|
||
A local command/path injection web vulnerability has been discovered in the SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
|
||
A local command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
|
||
|
||
The second local command/path inject vulnerability is located in the in the album name value of the web-interface index and sub category list module.
|
||
Local attackers are able to manipulate iOS device `photo app` (default) album names by the inject of a payload to the wrong encoded albumname input fields.
|
||
The execute of the injected command/path request occurs in the album sub category list and the main album name index list. The security risk of the
|
||
command/path inject vulnerabilities are estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.6(+).
|
||
|
||
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access and no direct user interaction.
|
||
Successful exploitation of the vulnerability results unauthorized execution of system specific commands or unauthorized path requests.
|
||
|
||
Vulnerable Module(s):
|
||
[+] Poster > group-header > groupinfo
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] album name
|
||
|
||
Affected Module(s):
|
||
[+] Index - Item Name List
|
||
[+] Sub Category - Title List
|
||
|
||
|
||
Proof of Concept (PoC):
|
||
=======================
|
||
1.1
|
||
The local command/path inject web vulnerability can be exploited by local attackers with restricted or low privileged device user account
|
||
without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
|
||
|
||
|
||
1. Install the vulnerable mobile application to your ios device (iphone, mac or ipad)
|
||
2. Open the settings menu in the mobile iOS and click the info button to have an influence on the devicename value
|
||
3. Now change the local devicename value to your own script code with a frame + local command inject settings or path request
|
||
4. Save the settings and open the vulnerable mobile application
|
||
5. Start the web-server via wifi (standard localhost:8080 passwd:empty)
|
||
6. Open with another computer via browser the local service, the local command inject or unauthorized path request occurs in the header section
|
||
7. Successful reproduce of the local command/path inject vulnerability!
|
||
|
||
|
||
PoC: Content > header-title > devicename
|
||
|
||
<div id="wrapper" class="fullSize">
|
||
<!-- header -->
|
||
<div id="header" class="content">
|
||
<span id="header-title">Air Photo Browser - devicename bkm<6B>37 >"<<>"x<../[COMMAND/PATH INJECT VULNERABILITY!]></span></div>
|
||
<!-- column layout , thanks to Mattew James Tailor! - http://matthewjamestaylor.com/ --> ;)
|
||
<div class="colmask leftmenu" id="content-wrapper">
|
||
<div class="colright">
|
||
<div class="col1wrap">
|
||
<!-- right column -->
|
||
<div class="col1">
|
||
<div style="" id="group-header" class="content ui-helper-hidden">
|
||
<img id="group-poster" class="control-button" src="images/placeholder.png">
|
||
<h3 id="group-info"></h3>
|
||
</div>
|
||
|
||
|
||
1.2
|
||
The local command/path inject web vulnerability can be exploited by local attackers with restricted or low privileged device user account
|
||
without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
|
||
|
||
|
||
1. Install the vulnerable mobile application to your ios device (iphone, mac or ipad)
|
||
2. Open the default photo app in the mobile iOS and click the edit or add button to have an influence on the local albumname value
|
||
Note: Now the attackers is able to change an exisiting albumname or can add a new album (name)
|
||
3. Include your own script code with a frame + local command inject settings or unauthorized path request
|
||
4. Save the settings and open the vulnerable mobile application
|
||
5. Start the web-server via wifi (standard localhost:8080 passwd:empty)
|
||
6. Open with another computer via web-browser the local service (GET method - index)
|
||
Note: The local command inject or unauthorized path request occurs in the groupinfo of the group-header section
|
||
7. Successful reproduce of the local command/path inject vulnerability!
|
||
|
||
|
||
PoC: Poster > group-header > groupinfo
|
||
|
||
<div class="col1">
|
||
<div style="display: block;" id="group-header" class="content ui-helper-hidden">
|
||
<img id="group-poster" class="control-button" src="/api/poster/?group=0&subgroup=0">
|
||
<h3 id="group-info"><b>Photo Library</b> <span id="group-count">0 photos</span></h3>
|
||
</div><div style="height: 380.6px;" id="group-content" class="content airGallery">
|
||
There are no photos in this album</div>
|
||
|
||
|
||
Reference(s):
|
||
http://localhost:8080/
|
||
|
||
|
||
Solution - Fix & Patch:
|
||
=======================
|
||
1.1
|
||
The first local command/path inject web vulnerability can be patched by a secure encode and parse of the vulnerable devicename value in
|
||
the web interface header section.
|
||
|
||
1.2
|
||
The second local command/path inject web vulnerability can be patched by a secure parse of the vulnerable albumname value
|
||
in the web interface data context listing section.
|
||
|
||
|
||
Security Risk:
|
||
==============
|
||
1.1
|
||
The security risk of the local command/path inject web vulnerability is estimated as high(-).
|
||
Local attackers are able to inject own system specific commands but can also unatuhorized request local system path values to
|
||
compromise the apple iOS web-application.
|
||
|
||
1.2
|
||
The security risk of the second local command/path inject web vulnerability is estimated as high(-). Local attackers are able to
|
||
inject own system specific commands but can also unatuhorized request local system path values to
|
||
compromise the apple iOS web-application.
|
||
|
||
|
||
Credits & Authors:
|
||
==================
|
||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
||
|
||
|
||
Disclaimer & Information:
|
||
=========================
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
||
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2013 | Vulnerability Laboratory [Evolution Security]
|
||
|
||
|
||
--
|
||
VULNERABILITY LABORATORY RESEARCH TEAM
|
||
DOMAIN: www.vulnerability-lab.com
|
||
CONTACT: research@vulnerability-lab.com |