271 lines
12 KiB
Text
Executable file
271 lines
12 KiB
Text
Executable file
Document Title:
|
|
===============
|
|
Imagam iFiles v1.16.0 iOS - Multiple Web Vulnerabilities
|
|
|
|
|
|
References (Source):
|
|
====================
|
|
http://www.vulnerability-lab.com/get_content.php?id=1160
|
|
|
|
|
|
Release Date:
|
|
=============
|
|
2013-12-03
|
|
|
|
|
|
Vulnerability Laboratory ID (VL-ID):
|
|
====================================
|
|
1160
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
8.9
|
|
|
|
|
|
Product & Service Introduction:
|
|
===============================
|
|
iFiles is the most intuitive file manager for iOS with features like connectivity to many file cloud services,
|
|
transferring files between computer or cloud services, ability to view many file formats (PDF viewer now
|
|
supports annotations, search and more), voice recorder, web downloader, text file editor and more.
|
|
|
|
Supported Online Cloud Services and Protocols: Dropbox, Google Drive, iCloud, Box.net, SkyDrive, SugarSync, AFP
|
|
(Mac Shares), FTP/FTPS, SFTP, Flickr, Picasa, Facebook, Rackspace CloudFiles, CloudApp, PogoPlug, WebDav, Amazon
|
|
S3, Ubuntu One Files, ownCloud, 4Shared, also using Amazon S3: DreamObjects and UltiCloud.
|
|
|
|
( Copy of the Homepage: https://itunes.apple.com/de/app/ifiles/id336683524 & http://imagam.com )
|
|
|
|
|
|
Abstract Advisory Information:
|
|
==============================
|
|
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Imagam iFiles v1.16.0 mobile application for apple iOS.
|
|
|
|
|
|
Vulnerability Disclosure Timeline:
|
|
==================================
|
|
2013-12-03: Public Disclosure (Vulnerability Laboratory)
|
|
|
|
|
|
Discovery Status:
|
|
=================
|
|
Published
|
|
|
|
|
|
Affected Product(s):
|
|
====================
|
|
Imagam
|
|
Product: iFiles - Mobile Application iOS 1.16.0
|
|
|
|
|
|
Exploitation Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity Level:
|
|
===============
|
|
Critical
|
|
|
|
|
|
Technical Details & Description:
|
|
================================
|
|
1.1
|
|
A file include- & arbitrary file upload web vulnerability has been discovered in the official Imagam iFiles v1.16.0 mobile application for apple iOS.
|
|
An arbitrary file upload issue allows a remote attacker to upload files with multiple extensions to bypass the validation for unauthorized access.
|
|
A file include web vulnerability allows a remote attacker to unauthorized include local web-server file requests or external file requests.
|
|
|
|
The vulnerability is located in the vulnerable file- and folder-name value. Remote attackers can include local file requests combined with script code
|
|
to successful exploit the issue. To include to the vulnerable foldername value it is required to manipulate the `create folder` (add) input (POST Method).
|
|
The secound possibility to inject is the vulnerable filename value of the misconfigured (POST Method) upload module. After the include the remote attacker
|
|
can access the included file by requesting the regular index or sub category folder (web interface) site.
|
|
|
|
The arbitrary file upload vulnerability is located in the vulnerable filename value of the upload module. Attackers are also able to upload a php or js
|
|
web-shells by renaming the file with multiple extensions. The attacker uploads for example a web-shell with the following name and extension
|
|
test.jpg.html.js.php.gif.jpg . After the upload the attacker opens the file in the web application to delete the .gif.jpg file extension to access the
|
|
resource with elevated execution access rights.
|
|
|
|
Exploitation of the file include & arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
|
|
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
|
|
|
|
Request Method(s):
|
|
[+] [POST]
|
|
|
|
Vulnerable Module(s):
|
|
[+] File Upload
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] filename (value) - (multiple extensions)
|
|
[+] foldername
|
|
|
|
Affected Module(s):
|
|
[+] File & Folder Dir Listing (http://localhost:8080)
|
|
|
|
|
|
|
|
1.2
|
|
2 local command/path injection web vulnerabilities has been discovered in the official Imagam iFiles v1.16.0 mobile application for apple iOS.
|
|
The remote web vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
|
|
|
|
The vulnerability is located in the in the device name value of the file dir und sub category listing module. Local attackers are able to inject
|
|
own malicious system specific commands or path values requests as the iOS device name. The execute of the injected script code occurs in two
|
|
different section with persistent attack vector. The first section is the wifi app web-interface index file/folder dir listing. The secound
|
|
execute occurs in the file/folder sub category listing. The security risk of the local command/path inject vulnerability is estimated as high(-)
|
|
with a cvss (common vulnerability scoring system) count of 6.2(+)|(-)6.3.
|
|
|
|
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
|
|
Successful exploitation of the vulnerability results in unauthorized execute of system specific commands or unauthorized path requests.
|
|
|
|
|
|
Request Method(s):
|
|
[+] POST to GET
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] devicename
|
|
|
|
Affected Module(s):
|
|
[+] Index- File Dir Listing
|
|
[+] Sub Folder/Category - File Dir Listing
|
|
|
|
|
|
Proof of Concept (PoC):
|
|
=======================
|
|
1.1
|
|
The file include and arbitrary file upload web vulnerability can be exploited by remote attackers without privileged web application
|
|
user account and also without user interaction. For security demonstration or to reproduce the vulnerability follow the provided
|
|
information and steps below.
|
|
|
|
PoC: foldername
|
|
|
|
<div id="headerHighlight">
|
|
<div id="header">
|
|
|
|
<div class="logo">
|
|
<img src="_device%20folder&path-issue-1_files/icon57.png" alt="icon57" height="57" width="57">
|
|
<h1>iFiles</h1>
|
|
</div>
|
|
|
|
<div class="deviceName">
|
|
<h4>device bkm337? </h4>
|
|
</div>
|
|
<div class="urlDiv">
|
|
<div class="outer">
|
|
<div class="inner">
|
|
<b>/>"<[FILE INCLUDE WEB VULNERABILITY!]%22"_device%20folder&[FILE INCLUDE WEB VULNERABILITY!]%22">x.com/</b>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
|
|
PoC: filename (value)
|
|
|
|
<tr id="sfile0" url="/" filename="<EMBED SRC=" data:image"="">
|
|
<td class="fileName">
|
|
<a href="http://192.168.2.106:8080/%3CEMBED%20SRC=" data:image"=""><img class="fileIcon"
|
|
src="_device%20folder&path-issue-2_files/FolderIcon.png" alt="*">
|
|
<embed src="data:image%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%09%09%09%09%3C/
|
|
a%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%09%09%09%3C/td%3E%0A%20%20%20%20
|
|
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%09%09%09%3Ctd%20class=" filelastmod"="">Mon, 02 Dec 2013 15:50:10 GMT</a></td>
|
|
<td class="fileSize" align="right">--
|
|
<img style="display:none;" class="downloadIcon" src="_device%20folder&path-issue-2_files/downloadIcon.png"
|
|
alt="d" onclick="downloadFile('/<EMBED SRC=" data:image');"="">
|
|
<img class="deleteIcon" src="_device%20folder&path-issue-2_files/deleteIcon.png" alt="x"
|
|
title="Delete this file" onclick="deleteFile('#sfile0');" ="cursor:pointer;"="">
|
|
</td>
|
|
</tr>
|
|
<tr id="sfile1" url="/" filename="[FILE INCLUDE WEB VULNERABILITY!]%22">
|
|
<td class="fileName">
|
|
<a href="http://192.168.2.106:8080/%3E" <[FILE INCLUDE WEB VULNERABILITY!]%22"><img class="fileIcon"
|
|
src="_device%20folder&path-issue-2_files/FolderIcon.png" alt="*">
|
|
>"<[FILE INCLUDE WEB VULNERABILITY!]="_device%20folder&path-issue-2_files/a.htm" <="" a="">
|
|
</td>
|
|
|
|
|
|
1.2
|
|
The local command inject web vulnerability can be exploited by remote attackers with low privileged or restricted iOS device user account
|
|
and no user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
|
|
|
|
PoC: devicename
|
|
|
|
<div id="headerHighlight">
|
|
<div id="header">
|
|
|
|
<div class="logo">
|
|
<img src="device%20name__files/icon57.png" alt="icon57" height="57" width="57">
|
|
<h1>iFiles</h1>
|
|
</div>
|
|
|
|
<div class="deviceName">
|
|
<h4>d4vice><..[COMMAND/PATH INJECT VULNERABILITY!] </h4>
|
|
</div>
|
|
<div class="urlDiv">
|
|
<div class="outer">
|
|
<div class="inner">
|
|
<b>/</b>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
|
|
Solution - Fix & Patch:
|
|
=======================
|
|
1.1
|
|
The file include vulnerability and arbitrary file upload vulnerability can be patched by a secure parse and encode of the vulnerable
|
|
filename and foldername values.
|
|
Encode also the vulnerable path sub category file dir listing and the index file dir listing. Recognize the path value.
|
|
|
|
1.2
|
|
To patch the local command inject web vulnerability it is required to encode the deviename value in the index and sub category sites
|
|
to prevent injects or requests.
|
|
|
|
|
|
Security Risk:
|
|
==============
|
|
1.1
|
|
The security risk of the file include and arbitrary file upload (restricted upload bypass) web vulnerability is estimated as critical.
|
|
|
|
1.2
|
|
The security risk of the local command/path inject web vulnerability is estimated as high(-).
|
|
|
|
|
|
Credits & Authors:
|
|
==================
|
|
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
|
|
|
|
|
Disclaimer & Information:
|
|
=========================
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
|
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
|
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
|
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
|
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
|
or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
|
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
|
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
|
|
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
|
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY LABORATORY RESEARCH TEAM
|
|
DOMAIN: www.vulnerability-lab.com
|
|
CONTACT: research@vulnerability-lab.com
|
|
|
|
|