245 lines
11 KiB
Text
Executable file
245 lines
11 KiB
Text
Executable file
Document Title:
|
|
===============
|
|
Air Gallery 1.0 Air Photo Browser - Multiple Vulnerabilities
|
|
|
|
|
|
References (Source):
|
|
====================
|
|
http://www.vulnerability-lab.com/get_content.php?id=1165
|
|
|
|
|
|
Release Date:
|
|
=============
|
|
2013-12-09
|
|
|
|
|
|
Vulnerability Laboratory ID (VL-ID):
|
|
====================================
|
|
1165
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
6.5
|
|
|
|
|
|
Product & Service Introduction:
|
|
===============================
|
|
View your entire photo library in a standard web browser! Show off your photos easily! Excellent for showing slides
|
|
during a meeting, browsing through friends photos and more!
|
|
|
|
- View your photos in a browser over WiFi
|
|
- Optional password protection
|
|
- Show albums, events, faces (your photo library needs to have these albums in order to show it)
|
|
- One click slideshows
|
|
- Easy navigation
|
|
- Supports bonjour publishing
|
|
|
|
(Copy of the Homepage: https://itunes.apple.com/app/id499204622 )
|
|
|
|
|
|
Abstract Advisory Information:
|
|
==============================
|
|
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
|
|
|
|
|
|
Vulnerability Disclosure Timeline:
|
|
==================================
|
|
2013-12-09: Public Disclosure (Vulnerability Laboratory)
|
|
|
|
|
|
Discovery Status:
|
|
=================
|
|
Published
|
|
|
|
|
|
Affected Product(s):
|
|
====================
|
|
SharkFood
|
|
Product: Air Gallery - Air Photo Browser iOS 1.0
|
|
|
|
|
|
Exploitation Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity Level:
|
|
===============
|
|
High
|
|
|
|
|
|
Technical Details & Description:
|
|
================================
|
|
1.1
|
|
A local command/path injection web vulnerabilities has been discovered in the SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
|
|
A local command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
|
|
|
|
The vulnerability is located in the vulnerable `devicename` value of the file dir und sub category `header` (header-title) section. Local attackers are
|
|
able to inject own malicious system specific commands or path value requests as the physical iOS hardware devicename. The execute of the injected
|
|
command or path request occurs with persistent attack vector in the index and sub category list of the web interface. The security risk of the local
|
|
command/path inject vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.5(+)|(-)6.6.
|
|
|
|
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction.
|
|
Successful exploitation of the vulnerability results in unauthorized execute of system specific commands or unauthorized path requests.
|
|
|
|
|
|
Vulnerable Module(s):
|
|
[+] Content > header-title
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] devicename
|
|
|
|
Affected Module(s):
|
|
[+] Index- File Dir Listing
|
|
[+] Sub Folder/Category - File Dir Listing
|
|
|
|
|
|
|
|
1.2
|
|
A local command/path injection web vulnerability has been discovered in the SharkFood Air Gallery 1.0 Air Photo Browser mobile application for Apple iOS.
|
|
A local command inject vulnerability allows attackers to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
|
|
|
|
The second local command/path inject vulnerability is located in the in the album name value of the web-interface index and sub category list module.
|
|
Local attackers are able to manipulate iOS device `photo app` (default) album names by the inject of a payload to the wrong encoded albumname input fields.
|
|
The execute of the injected command/path request occurs in the album sub category list and the main album name index list. The security risk of the
|
|
command/path inject vulnerabilities are estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.6(+).
|
|
|
|
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access and no direct user interaction.
|
|
Successful exploitation of the vulnerability results unauthorized execution of system specific commands or unauthorized path requests.
|
|
|
|
Vulnerable Module(s):
|
|
[+] Poster > group-header > groupinfo
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] album name
|
|
|
|
Affected Module(s):
|
|
[+] Index - Item Name List
|
|
[+] Sub Category - Title List
|
|
|
|
|
|
Proof of Concept (PoC):
|
|
=======================
|
|
1.1
|
|
The local command/path inject web vulnerability can be exploited by local attackers with restricted or low privileged device user account
|
|
without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
|
|
|
|
|
|
1. Install the vulnerable mobile application to your ios device (iphone, mac or ipad)
|
|
2. Open the settings menu in the mobile iOS and click the info button to have an influence on the devicename value
|
|
3. Now change the local devicename value to your own script code with a frame + local command inject settings or path request
|
|
4. Save the settings and open the vulnerable mobile application
|
|
5. Start the web-server via wifi (standard localhost:8080 passwd:empty)
|
|
6. Open with another computer via browser the local service, the local command inject or unauthorized path request occurs in the header section
|
|
7. Successful reproduce of the local command/path inject vulnerability!
|
|
|
|
|
|
PoC: Content > header-title > devicename
|
|
|
|
<div id="wrapper" class="fullSize">
|
|
<!-- header -->
|
|
<div id="header" class="content">
|
|
<span id="header-title">Air Photo Browser - devicename bkm?37 >"<<>"x<../[COMMAND/PATH INJECT VULNERABILITY!]></span></div>
|
|
<!-- column layout , thanks to Mattew James Tailor! - http://matthewjamestaylor.com/ --> ;)
|
|
<div class="colmask leftmenu" id="content-wrapper">
|
|
<div class="colright">
|
|
<div class="col1wrap">
|
|
<!-- right column -->
|
|
<div class="col1">
|
|
<div style="" id="group-header" class="content ui-helper-hidden">
|
|
<img id="group-poster" class="control-button" src="images/placeholder.png">
|
|
<h3 id="group-info"></h3>
|
|
</div>
|
|
|
|
|
|
1.2
|
|
The local command/path inject web vulnerability can be exploited by local attackers with restricted or low privileged device user account
|
|
without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
|
|
|
|
|
|
1. Install the vulnerable mobile application to your ios device (iphone, mac or ipad)
|
|
2. Open the default photo app in the mobile iOS and click the edit or add button to have an influence on the local albumname value
|
|
Note: Now the attackers is able to change an exisiting albumname or can add a new album (name)
|
|
3. Include your own script code with a frame + local command inject settings or unauthorized path request
|
|
4. Save the settings and open the vulnerable mobile application
|
|
5. Start the web-server via wifi (standard localhost:8080 passwd:empty)
|
|
6. Open with another computer via web-browser the local service (GET method - index)
|
|
Note: The local command inject or unauthorized path request occurs in the groupinfo of the group-header section
|
|
7. Successful reproduce of the local command/path inject vulnerability!
|
|
|
|
|
|
PoC: Poster > group-header > groupinfo
|
|
|
|
<div class="col1">
|
|
<div style="display: block;" id="group-header" class="content ui-helper-hidden">
|
|
<img id="group-poster" class="control-button" src="/api/poster/?group=0&subgroup=0">
|
|
<h3 id="group-info"><b>Photo Library</b> <span id="group-count">0 photos</span></h3>
|
|
</div><div style="height: 380.6px;" id="group-content" class="content airGallery">
|
|
There are no photos in this album</div>
|
|
|
|
|
|
Reference(s):
|
|
http://localhost:8080/
|
|
|
|
|
|
Solution - Fix & Patch:
|
|
=======================
|
|
1.1
|
|
The first local command/path inject web vulnerability can be patched by a secure encode and parse of the vulnerable devicename value in
|
|
the web interface header section.
|
|
|
|
1.2
|
|
The second local command/path inject web vulnerability can be patched by a secure parse of the vulnerable albumname value
|
|
in the web interface data context listing section.
|
|
|
|
|
|
Security Risk:
|
|
==============
|
|
1.1
|
|
The security risk of the local command/path inject web vulnerability is estimated as high(-).
|
|
Local attackers are able to inject own system specific commands but can also unatuhorized request local system path values to
|
|
compromise the apple iOS web-application.
|
|
|
|
1.2
|
|
The security risk of the second local command/path inject web vulnerability is estimated as high(-). Local attackers are able to
|
|
inject own system specific commands but can also unatuhorized request local system path values to
|
|
compromise the apple iOS web-application.
|
|
|
|
|
|
Credits & Authors:
|
|
==================
|
|
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
|
|
|
|
|
Disclaimer & Information:
|
|
=========================
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
|
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
|
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
|
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
|
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
|
or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
|
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
|
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
|
|
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
|
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
|
|
|
|
|
|
--
|
|
VULNERABILITY LABORATORY RESEARCH TEAM
|
|
DOMAIN: www.vulnerability-lab.com
|
|
CONTACT: research@vulnerability-lab.com
|
|
|
|
|