191 lines
8.5 KiB
Text
Executable file
191 lines
8.5 KiB
Text
Executable file
Document Title:
|
|
===============
|
|
Wireless Transfer App 3.7 iOS - Multiple Web Vulnerabilities
|
|
|
|
|
|
References (Source):
|
|
====================
|
|
http://www.vulnerability-lab.com/get_content.php?id=1152
|
|
|
|
|
|
Release Date:
|
|
=============
|
|
2013-12-04
|
|
|
|
|
|
Vulnerability Laboratory ID (VL-ID):
|
|
====================================
|
|
1152
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
6.7
|
|
|
|
|
|
Product & Service Introduction:
|
|
===============================
|
|
Wireless Transfer App is an easy to use photo and video transfer tool. It helps you easily and quickly transfer photos and videos
|
|
between iPhone and iPad, as well as transfer photos and videos from computer to iPad/iPhone/iPod and vice verse. With Wireless
|
|
Transfer App, you can transfer photos and videos from iPad to iPad, from iPad to iPhone, from iPhone to iPad, from iPhone to iPhone,
|
|
from computer to iPad, from iPhone to computer and more. There is no need for USB cable or extra software. You just need to put your
|
|
devices under the same Wi-Fi network.
|
|
|
|
(Copy of the Homepage: https://itunes.apple.com/en/app/wireless-transfer-app-share/id543119010 & http://www.wirelesstransferapp.com/ )
|
|
|
|
|
|
Abstract Advisory Information:
|
|
==============================
|
|
The Vulnerability Laboratory Research Team discovered multiple command/path inject vulnerabilities in the Wireless Transfer App v3.7 for apple iOS.
|
|
|
|
|
|
Vulnerability Disclosure Timeline:
|
|
==================================
|
|
2012-11-30: Public Disclosure (Vulnerability Laboratory)
|
|
|
|
|
|
Discovery Status:
|
|
=================
|
|
Published
|
|
|
|
|
|
Affected Product(s):
|
|
====================
|
|
Wireless Transfer App COM
|
|
Product: Wireless Transfer App 3.7
|
|
|
|
|
|
Exploitation Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity Level:
|
|
===============
|
|
High
|
|
|
|
|
|
Technical Details & Description:
|
|
================================
|
|
A local command/path injection web vulnerability has been discovered in the Wireless Transfer App v3.7 for apple iOS.
|
|
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
|
|
|
|
The vulnerability is located in the in the album name value of the wireless transfer app index and sub category list module.
|
|
Remote attackers are able to manipulate iOS device - `photo app` (default) album names. The execute of the injected
|
|
command/path request occurs in the album sub category list and the main album name index list. The security risk of the
|
|
command/path inject vulnerabilities are estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.7(-).
|
|
|
|
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
|
|
and no direct user interaction. Successful exploitation of the vulnerability results unauthorized execution of system specific
|
|
commands or unauthorized path requests.
|
|
|
|
Vulnerable Application(s):
|
|
[+] Wireless Transfer App v3.7
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] album name
|
|
[+] photoGallery_head - album
|
|
|
|
Affected Module(s):
|
|
[+] Index - Album Name List
|
|
[+] Sub Category - Title Album Name List
|
|
|
|
|
|
Proof of Concept (PoC):
|
|
=======================
|
|
The local command inject web vulnerabilities can be exploited by local low privileged device user accounts with low
|
|
user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps below.
|
|
|
|
Manual steps to exploit the vulnerability ...
|
|
|
|
1. Install the wireless transfer v3.7 iOS mobile application
|
|
2. Open the default Photo app of your iOS device
|
|
3. Include an album with the following payload `">%20<x src=\..\<../var/mobile/Library/[x application path]>` and save it
|
|
4. Switch back to the installed wireless transfer app and start the wifi transfer
|
|
5. Open the local web-server url http://localhost:6688/ (default link)
|
|
6. The local path/command execute occurs in the album name value of the photoGallery_head class
|
|
7. Successful reproduce of the vulnerability!
|
|
|
|
|
|
PoC: Album Name - photoGallery_head in the Album Sub Category List
|
|
|
|
<div class="header">
|
|
<div class="logo"> <a href="index.html"><img src="images/logo.png" alt="logo"></a> </div>
|
|
<div class="title"><a href="index.html"><img src="images/title4.png" alt="logo"></a></div>
|
|
<div class="button"><a href="upload.html"><img src="images/anniuda2.png" alt=" "></a></div>
|
|
<div class="photoGallery_head">
|
|
<div class="phga_hd_left">Album : ">%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoGallery_head CLASS!]></div>
|
|
<div class="phga_hd_right">
|
|
<input value="Zur?ck zur Sammlung" class="back" type="button">
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
|
|
PoC: Album Name - photoalbum in the Album Index List
|
|
|
|
<div class="photo_list">
|
|
<dl><dt class="photoalbum" alt="D579B80C-B73D-4A16-9379-FB29A6CFC12C"><a href="albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C">
|
|
<img src="/albumimg_D579B80C-B73D-4A16-9379-FB29A6CFC12C.jpg" height="100" width="100"></a></dt>
|
|
<dd>>%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoalbum!]>(125)</dd></dl>
|
|
<dl><dt class="photoalbum" alt="632F9F75-1B7A-41E4-8070-E62B1ECC780A"><a href="albumhtm?id=632F9F75-1B7A-41E4-8070-E62B1ECC780A">
|
|
<img src="/albumimg_632F9F75-1B7A-41E4-8070-E62B1ECC780A.jpg" height="100" width="100"></a></dt><dd>Fotoarchiv(0)</dd></dl>
|
|
<dl><dt class="photoalbum" alt="C44B3062-3A67-4BFA-AF16-04CC8DE2CD29"><a href="albumhtm?id=C44B3062-3A67-4BFA-AF16-04CC8DE2CD29">
|
|
<img src="/albumimg_C44B3062-3A67-4BFA-AF16-04CC8DE2CD29.jpg" height="100" width="100"></a></dt><dd>WallpapersHD(3)</dd></dl>
|
|
|
|
|
|
Reference(s):
|
|
http://localhost:6688/index.html
|
|
http://localhost:6688/albumhtm
|
|
http://localhost:6688/albumhtm?id=
|
|
http://localhost:6688/albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C
|
|
|
|
|
|
Solution - Fix & Patch:
|
|
=======================
|
|
The vulnerability can be patched by a secure encode and parse of the vulnerable album name value.
|
|
Parse and filter also the index and sub category output list to ensure it prevents local command/path requests.
|
|
|
|
|
|
Security Risk:
|
|
==============
|
|
The security risk of the local command/path inject web vulnerability is estimated as high.
|
|
|
|
|
|
Credits & Authors:
|
|
==================
|
|
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
|
|
|
|
|
Disclaimer & Information:
|
|
=========================
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
|
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
|
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
|
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
|
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
|
or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
|
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
|
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
|
|
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
|
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY LABORATORY RESEARCH TEAM
|
|
DOMAIN: www.vulnerability-lab.com
|
|
CONTACT: research@vulnerability-lab.com
|
|
|
|
|