Document Title:
===============
Song Exporter v2.1.1 RS iOS - File Include Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1172


Release Date:
=============
2013-12-19


Vulnerability Laboratory ID (VL-ID):
====================================
1172


Common Vulnerability Scoring System:
====================================
7.4


Product & Service Introduction:
===============================
Song Exporter Pro lets you transfer via Wi-Fi the songs you have in your iPhone, iPod touch or iPad to any
computer in your network. No iTunes required. Now you can backup your songs, share them with your friends
and workmates, and stream them directly to almost any media player! The ability to directly access your
own music on your iPhone is something that Apple should have built into their iOS devices, but Song
Exporter Pro fills that void quite nicely. This is an app that everyone should get. Song Exporter Pro is
a must have app if you love to share your music with friends. They nailed such a basic essential need
that is a major pain point for iOS devices users. It's reliable, lightweight and easy to use.

(Copy of the Homepage: https://itunes.apple.com/us/app/song-exporter-pro/id421646421 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Rocha Software Song Exporter 2.1.1 Pro iOS mobile application.


Vulnerability Disclosure Timeline:
==================================
2013-12-19: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Rocha Software
Product: Song Exporter - Mobile Web Application (iOS) 2.1.1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A local file/path include web vulnerability has been discovered in the official Rocha Software Song Exporter 2.1.1 Pro mobile web-application for Apple iOS.
The local file include web vulnerability allows attackers to inject unauthorized local file requests or system-specific path sequences and thereby
compromise the web-application or the device.

The local file include web vulnerability is located in the `artist`, `album` and `name` (filename) values of the `Index File Dir List` module (web-interface).
Remote attackers are able to sync their own files with a malicious filename, artist title or album name via iTunes. The values are stored with the song
and emitted unsanitized into the main `file dir index` list, so a `../` sequence in any of them becomes part of the song link path below `/songs/`.
The attack vector is persistent and the request method is GET. The security risk of the local file include web vulnerability is estimated as high(-)
with a CVSS (Common Vulnerability Scoring System) count of 7.4.

Exploitation of the local file include web vulnerability requires no user interaction and no privileged web-application user account with password.
Successful exploitation of the vulnerability results in compromise of the mobile application or of connected device components by unauthorized
local file include web attacks.


Vulnerable Input(s):
[+] Song Exporter Pro - Index Song Dir List

Vulnerable Parameter(s):
[+] Name (filename)
[+] Artist (name)
[+] Album (name)

Affected Module(s):
[+] Index File Dir List (http://localhost:8080)
[+] Songs Path (http://localhost:8080/songs/)
[+] File - Unicode Playlist
[+] File - Playlist


Proof of Concept (PoC):
=======================
The local file include web vulnerabilities can be exploited by local attackers with physical device access or by restricted user accounts, without
user interaction. For a security demonstration, or to reproduce the issue, follow the information and steps below. Each PoC is the HTML of the
index file dir list as served by the app after a song carrying the payload in the respective value has been synced; the payload shows up in the
song link (href) and in the table cell.

PoC: Name (filename)

<table style="width:780px" id="maintable" border="0" cellpadding="0" cellspacing="0">
<thead><tr>
<th class="asc" width="60"><h3>Pos</h3></th>
<th class="head" width="300"><h3>Name</h3></th>
<th class="head" width="60"><h3>Time</h3></th>
<th class="head" width="180"><h3>Artist</h3></th>
<th class="head" width="180"><h3>Album</h3></th>
</tr></thead>
<tbody>
<tr class="evenrw"><td class="evensl" align="right">1</td>
<td><a href="http://localhost:8080/songs/../[LOCAL FILE INCLUDE VULNERABILITY!]\.mp3">[LOCAL FILE INCLUDE VULNERABILITY!].mp3</a></td>
<td align="right">3:27</td>
<td>Blumentopf</td>
<td>Wir</td></tr>
</tbody>
</table>


PoC: Artist (name)

<table style="width:780px" id="maintable" border="0" cellpadding="0" cellspacing="0">
<thead><tr>
<th class="asc" width="60"><h3>Pos</h3></th>
<th class="head" width="300"><h3>Name</h3></th>
<th class="head" width="60"><h3>Time</h3></th>
<th class="head" width="180"><h3>Artist</h3></th>
<th class="head" width="180"><h3>Album</h3></th>
</tr></thead>
<tbody>
<tr class="evenrw"><td class="evensl" align="right">1</td>
<td><a href="http://localhost:8080/songs/Blumentopf/Wir/Systemfuck.mp3">Systemfuck.mp3</a></td>
<td align="right">3:27</td>
<td>../[LOCAL FILE INCLUDE VULNERABILITY!]\</td>
<td>Wir</td></tr>
</tbody>
</table>


PoC: Album (name)

<table style="width:780px" id="maintable" border="0" cellpadding="0" cellspacing="0">
<thead><tr>
<th class="asc" width="60"><h3>Pos</h3></th>
<th class="head" width="300"><h3>Name</h3></th>
<th class="head" width="60"><h3>Time</h3></th>
<th class="head" width="180"><h3>Artist</h3></th>
<th class="head" width="180"><h3>Album</h3></th>
</tr></thead>
<tbody>
<tr class="evenrw"><td class="evensl" align="right">1</td>
<td><a href="http://localhost:8080/songs/Blumentopf/Wir/Systemfuck.mp3">Systemfuck.mp3</a></td>
<td align="right">3:27</td>
<td>Blumentopf</td>
<td>../[LOCAL FILE INCLUDE VULNERABILITY!]\</td></tr>
</tbody>
</table>


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely encoding and parsing the vulnerable artist name, song filename and album values before they are written
into the html file dir list: treat each value as a single path segment, reject or neutralize path separators and `..` sequences, and encode the value
both for the link and for the page output.
Also encode and restrict the direct songs folder path used by the html file dir list so that no generated link can resolve outside of `/songs/`.


Security Risk:
==============
The security risk of the local file include web vulnerability in the filename, artist and album values is estimated as high(-).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]


--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com