321 lines
14 KiB
Text
Executable file
321 lines
14 KiB
Text
Executable file
Title:
|
|
======
|
|
Wifi Photo Transfer 2.1 & 1.1 PRO - Multiple Vulnerabilities
|
|
|
|
|
|
Date:
|
|
=====
|
|
2013-04-21
|
|
|
|
|
|
References:
|
|
===========
|
|
http://www.vulnerability-lab.com/get_content.php?id=932
|
|
|
|
|
|
VL-ID:
|
|
=====
|
|
932
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
6.1
|
|
|
|
|
|
Introduction:
|
|
=============
|
|
Easily access your photo libraries via wifi from any computer with a web browser! Just start the app and enter the
|
|
displayed address into the address bar of your browser. Works with any computer that has a modern browser (like desktop
|
|
or portable computers, iPads, or even an other iPhone) and is on the same wifi network as your phone, iPod or iPad.
|
|
|
|
- You can select and transfer multiple photos at once
|
|
- EXIF metadata is retained in mass-download mode (not in one-by-one mode)
|
|
- Optional password protection for the web interface
|
|
- Can also be used to download videos
|
|
- Transfer in full resolution or scaled down
|
|
- No extra software required
|
|
|
|
(Copy of the Homepage: #1 https://itunes.apple.com/de/app/wifi-photo-transfer-pro/id587468262)
|
|
(Copy of the Homepage: #2 https://itunes.apple.com/de/app/wifi-photo-transfer/id380326191)
|
|
|
|
|
|
|
|
Abstract:
|
|
=========
|
|
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.
|
|
|
|
|
|
Report-Timeline:
|
|
================
|
|
2013-04-22: Public Disclosure
|
|
|
|
|
|
Status:
|
|
========
|
|
Published
|
|
|
|
|
|
Affected Products:
|
|
==================
|
|
Apple AppStore
|
|
Product: Wifi Photo Transfer 2.1 & 1.1 Pro
|
|
|
|
|
|
Exploitation-Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity:
|
|
=========
|
|
High
|
|
|
|
|
|
Details:
|
|
========
|
|
1.1
|
|
A local command injection web vulnerability is detected in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.
|
|
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
|
|
|
|
The vulnerbility is located in the index module when processing to load the ipad or iphone device album names. Local attackers can
|
|
change the ipad or iphone device photo album names to system specific commands and file requests to provoke the execution when
|
|
processing to watch the main index listing. The execution of the script code occurs in the album name web context.
|
|
|
|
Exploitation of the web vulnerability does not require an application user account (standard) or user interaction.
|
|
Successful exploitation of the vulnerability results unauthorized execution of system specific commands and path requests.
|
|
|
|
|
|
Vulnerable Application(s):
|
|
[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes or AppStore (Apple)
|
|
|
|
Vulnerable Module(s):
|
|
[+] Index
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] album name - iPad or iPone
|
|
|
|
Affected Module(s):
|
|
[+] Index Listing - Album
|
|
|
|
|
|
|
|
1.2
|
|
A local file include and arbitrary file upload vulnerability is detected in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.
|
|
The vulnerability allows remote attackers via POST method to include unauthorized remote files on the affected webserver file system.
|
|
|
|
Remote attackers can also unauthorized implement mobile webshells by using multiple file extensions (pentest.php.js.gif) when processing to
|
|
upload via POST request method. The attacker uploads a file with a double extension or multiple extensions and access the file in the
|
|
secound step by usage of the directory webserver dir listing to compromise the apple iphone or ipad.
|
|
|
|
Exploitation of the local file include web vulnerability does not require user interaction and also no application user account.
|
|
Successful exploitation of the web vulnerabilities results in app/service manipulation and ipad or iphone compromise via file
|
|
include or unauthorized web-server file (webshell) upload attacks.
|
|
|
|
|
|
Vulnerable Application(s):
|
|
[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes or AppStore (Apple)
|
|
|
|
Vulnerable Module(s):
|
|
[+] Compressing archiv to zip
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] lib (cat)
|
|
[+] sel (selection)
|
|
|
|
Affected Module(s):
|
|
[+] File Dir Album Index - Listing
|
|
|
|
|
|
|
|
|
|
1.3
|
|
An information disclosure and information leak misconfiguration is detected in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.
|
|
The reported vulnerability allows remote attackers to access unauthorized web-server photos or web-server files by exploitation of a misconfiguration.
|
|
|
|
The secound vulnerability is located in the upload file script of the webserver (http://localhost:2323/) when processing to download with
|
|
a manipulated POST method request all available path files. The attacker can manipulate the lib and sel values in the POST request to download
|
|
unauthorized not accessable photo files. After the iphone or ipad user allowed one time to access the iOS photo service anybody can also
|
|
access not implemented files from the same service folder.
|
|
|
|
Exploitation of the information disclosure web vulnerability does not require user interaction or an application user account.
|
|
Successful exploitation of the information disclosure app vulnerability results in unauthorized photo and webserver file access.
|
|
|
|
|
|
Vulnerable Application(s):
|
|
[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes or AppStore (Apple)
|
|
|
|
Vulnerable Module(s):
|
|
[+] compressprogress
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] filename
|
|
|
|
Affected Module(s):
|
|
[+] zipdownload
|
|
|
|
|
|
|
|
|
|
1.4
|
|
A client side cross site scripting web vulnerability is detected in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.
|
|
The vulnerability allows remote attackers to form manipulated urls to inject script code on client side application requests.
|
|
|
|
The client side cross site scripting web vulnerability is located in the path section when processing to request the images via GET with a
|
|
manipulated filename (value) parameter. The vulnerability occurs when a remote attacker is changing the requested file to own script code.
|
|
The request will be executed on client side of the victims browser. The app displays any non existing path with a file request without secure
|
|
encoding which results in the execution of the script code out of the exception error message.
|
|
|
|
Exploitation of the vulnerability does not require an application user account but low or medium user interaction.
|
|
Successful exploitation results in client side cross site requests, unauthorized external redirects, client side phishing,
|
|
client side session hijacking and client side module context manipulation.
|
|
|
|
Vulnerable Application(s):
|
|
[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes or AppStore (Apple)
|
|
|
|
Vulnerable Module(s):
|
|
[+] Path Folder
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] filename (*.html)
|
|
|
|
|
|
|
|
Proof of Concept:
|
|
=================
|
|
1.1
|
|
The local command injection web vulnerability can be exploited by remote attackers without an application user account
|
|
and without user interaction. For demonstration or reproduce ...
|
|
|
|
Manually steps to reproduce ... Command Inject via Foldername
|
|
|
|
1. Install the application from itunes or directly from the appstore
|
|
2. Open the service and make the webserver available via http
|
|
3. Now open for example your iphone or ipad device to sync
|
|
4. Open on your device the standard albums in photos
|
|
5. Change the name of one of your standard album to a path command inject string
|
|
6. Open another device and access the index listing of the application after the album sync
|
|
7. The code will be executed out of the main album name listing
|
|
8. Successful reproduced ...!
|
|
|
|
|
|
PoC: List of image libraries.htm
|
|
|
|
<div class="span5" style="position:absolute;top:50%;margin-top:-10px;">
|
|
<div style="margin-left:30px;"><a href="http://192.168.2.104:2323/1/"
|
|
style="font-size:18px;font-weight:bold;">>%20>"<[<COMMAND/PATH INJECTION>]"List%20of%20image%20libraries_files/x.htm">
|
|
<><>>%20>"<[<COMMAND/PATH INJECTION>]></a></div>
|
|
</div>
|
|
<div class="span3" style="text-align:center;">
|
|
<img class="thumbnail" src="/1/tn_0.jpg"
|
|
alt="" style="max-width:150px;max-height:150px;"/>
|
|
|
|
|
|
|
|
1.2
|
|
The local file web vulnerability can be exploited by remote attackers without an application user account
|
|
and also without user interaction. For demonstration or reproduce ...
|
|
|
|
Manually steps to reproduce ... File Include Vulnerability
|
|
|
|
1. Start your session tamper tool or wireshark on your computer
|
|
2. Install the application on the ipad or iphone device
|
|
3. Start to tamper the http session or filter the http pakets via wireshark
|
|
4. Start the application on your ipad or iphone
|
|
5. Open with a external device (computer > browser) the application
|
|
6. Now process to upload via form a image and hold a request via tamper or record the paket for a secound request
|
|
7. Include atfer choosing a random image a webshell and include (upload) it with a double or tripple (*.php.jpg.gif or *.html.gif) extension
|
|
8. After the upload you only need to refresh the album index and try to request via selection and lib parameter the file
|
|
9. The webshell got unauthorized uploaded and is accessable to compromise the device or app
|
|
10. Successful reproduced!
|
|
|
|
--- POST REQUEST METHOD ---
|
|
lib[2]
|
|
> sel[0,1,2,3,4,5,6,7,8,9] > (Selection Page)
|
|
|
|
|
|
|
|
1.3
|
|
The information disclosure misconfiguration bug can be exploited by remote attackers without an application user account
|
|
and without user interaction. For demonstration or reproduce ...
|
|
|
|
Manually steps to reproduce ... Information Disclosure Misconfiguration
|
|
|
|
1. Start your session tamper tool or wireshark on your computer
|
|
2. Install the application on the ipad or iphone device
|
|
3. Start to tamper the http session or filter the http pakets via wireshark
|
|
4. Start the application on your ipad or iphone
|
|
5. Open with a external device (computer > browser) the application
|
|
6. Press Download zip compressed (http://localhost:2323/startcompressing)
|
|
7. Hold the secound request after the lib and sel POST values has been requested
|
|
8. Watch the content of the request and exchange the images the service requested with the images you want to request (example DIM2736.jpg)
|
|
9. The images you included will be loaded in the zip compressed folder even if the selection was another one
|
|
10. Successful reproduced ... the attacker can now access the images by using the vulnerable iOS app
|
|
|
|
Compressing archive to zip (http://localhost:2323/startcompressing)
|
|
|
|
|
|
Reference(s):
|
|
http://localhost:2323/compressprogress5343040?KXVLHQUDKOURRJHC
|
|
http://localhost:2323/zipdownload/KXVLHQUDKOURRJHC/images.zip
|
|
|
|
|
|
|
|
1.4
|
|
The client side cross site scripting web vulnerability can be exploited by remote attackers without an application user account
|
|
and with medium or high required user interaction. For demonstration or reproduce ...
|
|
|
|
PoC:
|
|
http://localhost:2323/1/tester23/vulnerabilitylab.html%3E%22%3Ciframe%20src=a%3E#7062267329013816800
|
|
|
|
|
|
Risk:
|
|
=====
|
|
1.1
|
|
The security risk of the local command injection web vulnerability is estimated as high(-).
|
|
|
|
1.2
|
|
The security risk of the file include / arbitrary file upload vulnerability is estimated as high(+).
|
|
|
|
1.3
|
|
The security risk of the information disclosure misconfiguration bug is estimated as medium.
|
|
|
|
1.4
|
|
The security risk of the client side cross site scripting web vulnerability is estimated as low(+).
|
|
|
|
|
|
Credits:
|
|
========
|
|
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
|
|
|
|
|
|
Disclaimer:
|
|
===========
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
|
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
|
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
|
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
|
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
|
or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
|
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
|
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
|
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
|
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright ? 2013 | Vulnerability Laboratory
|
|
|
|
--
|
|
VULNERABILITY RESEARCH LABORATORY
|
|
LABORATORY RESEARCH TEAM
|
|
CONTACT: research@vulnerability-lab.com
|
|
|
|
|