Document Title:
===============
ChatSecure IM v2.2.4 iOS - Persistent Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1317


Release Date:
=============
2014-09-10


Vulnerability Laboratory ID (VL-ID):
====================================
1317


Common Vulnerability Scoring System:
====================================
5.9


Product & Service Introduction:
===============================
Free unlimited messaging with your friends over Facebook Chat, GChat & more! Works with iPhone, Mac, Linux or PC and
mobile devices. Secure Chat is an open source, encryption-capable chat program that uses the Cypherpunks Off-the-Record protocol
to protect conversations over XMPP (Google Talk, Jabber, etc.) or OSCAR (AIM). Fork it on GitHub!

( Copy of the Homepage: https://itunes.apple.com/de/app/chatsecure-verschlusselter/id464200063 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation web vulnerability in the ChatSecure IM v2.2.4 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2014-09-10: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Chris Ballinger
Product: ChatSecure IM - iOS Mobile Web Application 2.2.4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the ChatSecure IM v2.2.4 iOS mobile web-application.
The vulnerability allows an attacker to inject their own malicious script code into the application side of the chat IM iOS app.

The issue is located in the main message body context. During the tests we discovered that the chat message validation
is affected by a misconfiguration. In the message body context it is possible to inject persistent script code as a split combination of tags.
The attacker starts a chat with a victim and can send malicious messages that compromise the other device on
interaction. The validation parses script tags but does not securely validate embedded script code carried by onload handlers in object tags.

The security risk of the local persistent vulnerability in the chat message body is estimated as high with a CVSS (Common Vulnerability
Scoring System) count of 6.0. Exploitation of the application-side vulnerability requires no privileged app user account and no user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious
sources and persistent manipulation of affected or connected module context.

Request Method(s):
[+] [Bluetooth - Nearby Sync]

Vulnerable Module(s):
[+] Message Board Index

Vulnerable Parameter(s):
[+] message body context

Affected Module(s):
[+] Message Board Index - Chat Index


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a privileged application user account and without user interaction.
For security demonstration or to reproduce the web vulnerability, follow the steps and information provided below.

1. Install the mobile chat iOS app (https://itunes.apple.com/de/app/chatsecure-verschlusselter/id464200063)
2. Interact with a user account and inject the payload into the message body
3. The code executes on both sides of the user clients, on the application side of the service
4. Successful reproduction of the vulnerability!

PoC: Payload #1
<EMBED SRC="" type="image/svg+xml" AllowScriptAccess="always"></EMBED>


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding embedded script code in connected object tags.
Filter the message body and restrict the input to disallow the injection of special characters via the application-side attack vector.
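As an added defender-side example (not ChatSecure's code, and not from the advisory author), the following JavaScript shows the two halves of the fix described above for a chat client that renders message bodies into a web view: output-encoding the untrusted body so it is displayed as text, plus a detection check that flags the embed/object markup and script-capable attributes the advisory names (the check also covers script and iframe tags, which goes slightly beyond the advisory's case). The helper names and the sample messages are constructed for this example.

```javascript
// Added example: mitigation and detection for a stored XSS in a chat message body.
// Incoming message text is untrusted; it must never be inserted into the chat
// view as raw HTML.

// Characters that carry meaning in an HTML text or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};

// Output-encode an untrusted message body so the web view renders it as text.
// This is the "encode" half of the fix recommended in the Solution section.
function encodeMessageBody(body) {
  return String(body).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Active-content markup worth logging: embed/object (from the advisory), plus
// script/iframe, and script-capable attributes (on* handlers, AllowScriptAccess).
const ACTIVE_TAG_RE = /<\s*(embed|object|script|iframe)\b/i;
const ACTIVE_ATTR_RE = /\b(on[a-z]+|allowscriptaccess)\s*=/i;

// Detection helper: returns the reasons a message body should be logged or
// rejected, or an empty list if nothing matches. A regex check is a detection
// aid for monitoring; output encoding above is the actual mitigation.
function flagActiveContent(body) {
  const reasons = [];
  const tag = String(body).match(ACTIVE_TAG_RE);
  if (tag) reasons.push(`active element <${tag[1].toLowerCase()}>`);
  const attr = String(body).match(ACTIVE_ATTR_RE);
  if (attr) reasons.push(`script-capable attribute ${attr[1].toLowerCase()}`);
  return reasons;
}

// Build the HTML fragment a chat view may safely insert for one message.
// Both the sender name and the body are treated as untrusted.
function renderChatLine(sender, body) {
  return `<div class="msg"><b>${encodeMessageBody(sender)}</b>: ${encodeMessageBody(body)}</div>`;
}

// Constructed sample messages; the second one is the advisory's Payload #1.
const SAMPLE_MESSAGES = [
  { sender: "alice", body: "see you at 5 & bring the <notes>" },
  { sender: "mallory", body: '<EMBED SRC="" type="image/svg+xml" AllowScriptAccess="always"></EMBED>' },
];

for (const m of SAMPLE_MESSAGES) {
  const flags = flagActiveContent(m.body);
  if (flags.length) console.log(`audit: message from ${m.sender} flagged: ${flags.join("; ")}`);
  console.log(renderChatLine(m.sender, m.body));
}
```

Run under Node; the flagged payload is still rendered, but only as inert text, which is the behaviour a patched client should show.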


Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the secure chat IM is estimated as high.


||
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]



--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com