300 lines
No EOL
14 KiB
Text
300 lines
No EOL
14 KiB
Text
Document Title:
|
||
===============
|
||
jDisk (stickto) v2.0.3 iOS - Multiple Web Vulnerabilities
|
||
|
||
|
||
References (Source):
|
||
====================
|
||
http://www.vulnerability-lab.com/get_content.php?id=1196
|
||
|
||
|
||
Release Date:
|
||
=============
|
||
2014-02-12
|
||
|
||
|
||
Vulnerability Laboratory ID (VL-ID):
|
||
====================================
|
||
1196
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
9.4
|
||
|
||
|
||
Product & Service Introduction:
|
||
===============================
|
||
jDisk turns your iPhone`iPad`iPod into a flash drive / disk. jDisk provides a purely web-based management UI, what you
|
||
need do is visit it in your browser, no client installation is needed. What`s more, jDisk embeds a native file manager,
|
||
you can organize your files/folders on your device directly, open files, edit them, preview them, etc. All in all, jDisk
|
||
empowers your iPhone/iPad, make it work as a moving disk / flash drive.
|
||
|
||
(Copy of the Homepage: https://itunes.apple.com/de/app/jdisk-convert-your-device/id604793088 )
|
||
|
||
|
||
Abstract Advisory Information:
|
||
==============================
|
||
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official sticktos jDisk v2.0.3 iOS mobile web-application.
|
||
|
||
|
||
Vulnerability Disclosure Timeline:
|
||
==================================
|
||
2014-02-12: Public Disclosure (Vulnerability Laboratory)
|
||
|
||
|
||
Discovery Status:
|
||
=================
|
||
Published
|
||
|
||
|
||
Affected Product(s):
|
||
====================
|
||
Apple AppStore
|
||
Product: jDisk (stickto) iOS - Mobile Web Application 2.0.3
|
||
|
||
|
||
Exploitation Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity Level:
|
||
===============
|
||
Critical
|
||
|
||
|
||
Technical Details & Description:
|
||
================================
|
||
1.1
|
||
Multiple remote code execution web vulnerabilities has been discovered in the official sticktos jDisk v2.0.3 iOS mobile web-application.
|
||
The vulnerability allows remote attackers to execute unauthorized system specific codes or commands to compromise the affected system/service.
|
||
|
||
The vulnerabilities are located in the `New+ Text file` and `New+ Folder` function of the jdisk wifi application file manager web-interface.
|
||
Remote attackers are able to inject own system specific codes by manipulation of the folder- & file name value in the add procedure.
|
||
The code execution occurs in the main file dir index and sub category listing, the add new edit file but also in the the app status
|
||
notification message context. The security risk of the remote code execution vulnerabilities in the add new folder- & text file function
|
||
are estimated as critical with a cvss (common vulnerability scoring system) count of 9.4(+)|(-)9.5.
|
||
|
||
Exploitation of the code execution vulnerability requires no user interaction or privileged mobile web-application user account with password.
|
||
Successful exploitation of the remote code execution vulnerabilities results in mobile application or connected device component compromise.
|
||
|
||
Request Method(s):
|
||
[+] [POST]
|
||
|
||
Vulnerable Module(s):
|
||
[+] New/Add Folder
|
||
[+] New/Add Text File
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] folder name
|
||
[+] text-file name
|
||
|
||
Affected Module(s):
|
||
[+] Index & Sub Category - File Dir Listing
|
||
[+] Notification Message
|
||
[+] File Edit - Header
|
||
|
||
|
||
1.2
|
||
A directory-traversal web vulnerability has been discovered in the official sticktos jDisk v2.0.3 iOS mobile web-application.
|
||
The vulnerability allows remote attackers to unauthorized access system path variables or web-server data to compromise the application.
|
||
|
||
The local vulnerability is located in the `folderContent to folder` value of the mobile application. Remote attackers can exploit the bug
|
||
by usage of a manipulated GET method request to unauthorized access app/device paths or folders. The local issue is a classic directory-traversal
|
||
web vulnerability. The execution of the malicious dt string in the foldercontent to folder path request occurs in the context of the requested
|
||
interface page itself. The security risk of the directory traversal web vulnerability is estimated as high(-) with a cvss (common vulnerability
|
||
scoring system) count of 6.6(+)|(-)6.7.
|
||
|
||
Exploitation of the directory traversal web vulnerability requires no user interaction or privileged mobile web-application user account with password.
|
||
Successful exploitation of the path traversal web vulnerability results in mobile application or connected device component compromise.
|
||
|
||
Request Method(s):
|
||
[+] [GET]
|
||
|
||
Vulnerable Module(s):
|
||
[+] __FD__?action
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] folderContent&folder=
|
||
|
||
Affected Module(s):
|
||
[+] Index & Sub Category - File Dir Listing
|
||
|
||
|
||
|
||
1.3
|
||
A local file include web vulnerability has been discovered in the official sticktos jDisk v2.0.3 iOS mobile web-application.
|
||
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
|
||
specific path commands to compromise the web-application or mobile device.
|
||
|
||
The web vulnerability is located in the `file name` value of the `Upload > Uplaod Files` module POST method request. Remote attackers
|
||
are able to inject own files with malicious filename to compromise the mobile application. The attack vector is persistent and the
|
||
request method is POST. The local file/path include execution occcurs in the main file dir index- or sub category item listing of
|
||
the file manager. The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability
|
||
scoring system) count of 8.3(+)|(-)8.4.
|
||
|
||
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account
|
||
with password. Successful exploitation of the local web vulnerability results in mobile application or connected device component
|
||
compromise by unauthorized local file include web attacks.
|
||
|
||
Request Method(s):
|
||
[+] [POST]
|
||
|
||
Vulnerable Input(s):
|
||
[+] Upload > Upload Files
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] filename
|
||
|
||
Affected Module(s):
|
||
[+] Index File Dir Item Listing
|
||
[+] Sub Category File Dir Item Listing
|
||
|
||
|
||
Proof of Concept (PoC):
|
||
=======================
|
||
1.1
|
||
The remote code execution can be exploited by remote attackers without privileged web-application user account or user interaction.
|
||
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below.
|
||
|
||
--- PoC Session Logs [POST] ---
|
||
Status: 200[OK]
|
||
POST http://localhost:12345/__FD__?action=saveFile&path=[VULNERABLE CODE EXECUTION VALUE!] Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Gr<47><72>e des Inhalts[86] Mime Type[text/html]
|
||
Request Header:
|
||
Host[localhost:12345]
|
||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
|
||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
|
||
Accept-Encoding[gzip, deflate]
|
||
Content-Type[application/json; charset=UTF-8]
|
||
X-Requested-With[XMLHttpRequest]
|
||
Referer[http://localhost:12345/]
|
||
Content-Length[14]
|
||
Cookie[jtable%2376270709page-size=10]
|
||
Connection[keep-alive]
|
||
Pragma[no-cache]
|
||
Cache-Control[no-cache]
|
||
POST-Daten:
|
||
{"content":"&path=[VULNERABLE CODE EXECUTION VALUE!]"}[]
|
||
Response Header:
|
||
Accept-Ranges[bytes]
|
||
Content-Length[86]
|
||
Content-Type[text/html]
|
||
Date[Tue, 11 Feb 2014 23:11:06 GMT]
|
||
|
||
|
||
1.2
|
||
The directory-traversal vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account.
|
||
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below.
|
||
|
||
PoC:
|
||
http://localhost:12345/__FD__?action=folderContent&folder=%20%2F..%2F..%2F[DIRECTORY TRAVERSAL WEB VULNERABILITY!]&_dc=1392159953825
|
||
|
||
#{"msg":"","success":true,"data":[{"name":"%20%2F..%2F..%2F[DIRECTORY TRAVERSAL WEB VULNERABILITY!]","id":"/%20%2F..%2F..%2F[DIRECTORY TRAVERSAL WEB VULNERABILITY!]","type":"file",
|
||
"size":24386,"changed":"2014-02-12 00:13:49","created":"2014-02-12 00:13:49"}]}
|
||
|
||
--- PoC Session Logs [GET] ---
|
||
Status: 200[OK]
|
||
GET http://localhost:12345/__FD__?action=folderContent&folder=%20%2F..%2F..%2F[DIRECTORY TRAVERSAL WEB VULNERABILITY!]&_dc=1392159953825 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr<47><72>e des Inhalts[35] Mime Type[text/html]
|
||
Request Header:
|
||
Host[localhost:12345]
|
||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
|
||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
|
||
Accept-Encoding[gzip, deflate]
|
||
Cookie[jtable%2376270709page-size=10]
|
||
Connection[keep-alive]
|
||
Response Header:
|
||
Accept-Ranges[bytes]
|
||
Content-Length[35]
|
||
Content-Type[text/html]
|
||
Date[Tue, 11 Feb 2014 23:14:46 GMT]
|
||
|
||
|
||
|
||
|
||
1.3
|
||
The file include vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account.
|
||
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below.
|
||
|
||
PoC:
|
||
|
||
<div class="x-grid-row-checker"> </div></div></td><td class=" x-grid-cell x-grid-cell-gridcolumn-1015 ">
|
||
<div class="x-grid-cell-inner " style="text-align: left; ;"><div style="position:relative;top:3px">
|
||
<img src="JoyfulPhone%C2%AE%20jDisk_file%20include_rename-Dateien/__FD__.txt" style="width:16px;height:16px;"><span style="position:absolute; padding-left: 5px;
|
||
padding-top:0px">>"<[LOCAL FILE INCLUDE VULNERABILITY!].txt">[LOCAL FILE INCLUDE VULNERABILITY!].jpg</span></div></div></td><td
|
||
class=" x-grid-cell x-grid-cell-gridcolumn-1016 " ><div
|
||
class="x-grid-cell-inner " style="text-align: left;
|
||
;">/</div></td><td class=" x-grid-cell
|
||
x-grid-cell-gridcolumn-1017 " ><div class="x-grid-cell-inner "
|
||
style="text-align: right; ;">23.8 KB</div></td><td
|
||
class=" x-grid-cell x-grid-cell-gridcolumn-1018 " ><div
|
||
class="x-grid-cell-inner " style="text-align: left; ;">2014-02-12
|
||
00:13:49</div></td><td class=" x-grid-cell
|
||
x-grid-cell-gridcolumn-1019 x-grid-cell-last" ><div
|
||
class="x-grid-cell-inner " style="text-align: left; ;">2014-02-12
|
||
00:13:49</div></td></tr></tbody></table></iframe></span></div></div></td></tr></tbody></table></div>
|
||
|
||
PoC: rename - text file
|
||
|
||
<td style="width: 100%;" class="x-form-item-body " id="messagebox-1001-testfield-bodyEl" role="presentation" colspan="3">
|
||
<input value=">"<[LOCAL FILE INCLUDE VULNERABILITY!]>[LOCAL FILE INCLUDE VULNERABILITY!].jpg" data-errorqtip="" aria-invalid="false"
|
||
id="messagebox-1001-testfield-inputEl" size="1" name="messagebox-1001-testfield-inputEl" style="width: 100%; -moz-user-select:
|
||
text;" class="x-form-field x-form-text x-form-focus x-field-form-focus x-field-default-form-focus" autocomplete="off" type="text"></td></tr></tbody></table>
|
||
<table id="messagebox-1001-textarea" class="x-field x-form-item x-field-default x-anchor-form-item" style="height: 75px; table-layout: fixed; width: 520px;
|
||
display: none;" cellpadding="0"><tbody><tr id="messagebox-1001-textarea-inputRow"><td id="messagebox-1001-textarea-labelCell" style="display:none;"
|
||
halign="left" class="x-field-label-cell" valign="top" width="105"><label id="messagebox-1001-textarea-labelEl" for="messagebox-1001-textarea-inputEl"
|
||
class="x-form-item-label x-form-item-label-left" style="width:100px;margin-right:5px;"></label></td><td style="width: 100%;" class="x-form-item-body "
|
||
id="messagebox-1001-textarea-bodyEl" role="presentation" colspan="3"><textarea data-errorqtip="" aria-invalid="false" id="messagebox-1001-textarea-inputEl"
|
||
name="messagebox-1001-textarea-inputEl" rows="4" cols="20" class="x-form-field x-form-text" style="width: 100%; height: 75px; -moz-user-select: text;"
|
||
autocomplete="off">
|
||
|
||
|
||
Security Risk:
|
||
==============
|
||
1.1
|
||
The security risk of the remote code execution web vulnerabilities are estimated as critical.
|
||
|
||
1.2
|
||
The security risk of the directory traversal web vulnerabilities are estimated as high(-).
|
||
|
||
1.3
|
||
The security risk of the local file include web vulnerabilities are estimated as high(+).
|
||
|
||
|
||
Credits & Authors:
|
||
==================
|
||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
||
|
||
|
||
Disclaimer & Information:
|
||
=========================
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
||
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2014 | Vulnerability Laboratory [Evolution Security]
|
||
|
||
|
||
|
||
--
|
||
VULNERABILITY LABORATORY RESEARCH TEAM
|
||
DOMAIN: www.vulnerability-lab.com
|
||
CONTACT: research@vulnerability-lab.com |