189 lines
No EOL
8.3 KiB
Text
189 lines
No EOL
8.3 KiB
Text
Document Title:
|
||
===============
|
||
Wireless Transfer App 3.7 iOS - Multiple Web Vulnerabilities
|
||
|
||
|
||
References (Source):
|
||
====================
|
||
http://www.vulnerability-lab.com/get_content.php?id=1152
|
||
|
||
|
||
Release Date:
|
||
=============
|
||
2013-12-04
|
||
|
||
|
||
Vulnerability Laboratory ID (VL-ID):
|
||
====================================
|
||
1152
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
6.7
|
||
|
||
|
||
Product & Service Introduction:
|
||
===============================
|
||
Wireless Transfer App is an easy to use photo and video transfer tool. It helps you easily and quickly transfer photos and videos
|
||
between iPhone and iPad, as well as transfer photos and videos from computer to iPad/iPhone/iPod and vice verse. With Wireless
|
||
Transfer App, you can transfer photos and videos from iPad to iPad, from iPad to iPhone, from iPhone to iPad, from iPhone to iPhone,
|
||
from computer to iPad, from iPhone to computer and more. There is no need for USB cable or extra software. You just need to put your
|
||
devices under the same Wi-Fi network.
|
||
|
||
(Copy of the Homepage: https://itunes.apple.com/en/app/wireless-transfer-app-share/id543119010 & http://www.wirelesstransferapp.com/ )
|
||
|
||
|
||
Abstract Advisory Information:
|
||
==============================
|
||
The Vulnerability Laboratory Research Team discovered multiple command/path inject vulnerabilities in the Wireless Transfer App v3.7 for apple iOS.
|
||
|
||
|
||
Vulnerability Disclosure Timeline:
|
||
==================================
|
||
2012-11-30: Public Disclosure (Vulnerability Laboratory)
|
||
|
||
|
||
Discovery Status:
|
||
=================
|
||
Published
|
||
|
||
|
||
Affected Product(s):
|
||
====================
|
||
Wireless Transfer App COM
|
||
Product: Wireless Transfer App 3.7
|
||
|
||
|
||
Exploitation Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity Level:
|
||
===============
|
||
High
|
||
|
||
|
||
Technical Details & Description:
|
||
================================
|
||
A local command/path injection web vulnerability has been discovered in the Wireless Transfer App v3.7 for apple iOS.
|
||
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
|
||
|
||
The vulnerability is located in the in the album name value of the wireless transfer app index and sub category list module.
|
||
Remote attackers are able to manipulate iOS device - `photo app` (default) album names. The execute of the injected
|
||
command/path request occurs in the album sub category list and the main album name index list. The security risk of the
|
||
command/path inject vulnerabilities are estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.7(-).
|
||
|
||
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
|
||
and no direct user interaction. Successful exploitation of the vulnerability results unauthorized execution of system specific
|
||
commands or unauthorized path requests.
|
||
|
||
Vulnerable Application(s):
|
||
[+] Wireless Transfer App v3.7
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] album name
|
||
[+] photoGallery_head - album
|
||
|
||
Affected Module(s):
|
||
[+] Index - Album Name List
|
||
[+] Sub Category - Title Album Name List
|
||
|
||
|
||
Proof of Concept (PoC):
|
||
=======================
|
||
The local command inject web vulnerabilities can be exploited by local low privileged device user accounts with low
|
||
user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps below.
|
||
|
||
Manual steps to exploit the vulnerability ...
|
||
|
||
1. Install the wireless transfer v3.7 iOS mobile application
|
||
2. Open the default Photo app of your iOS device
|
||
3. Include an album with the following payload `">%20<x src=\..\<../var/mobile/Library/[x application path]>` and save it
|
||
4. Switch back to the installed wireless transfer app and start the wifi transfer
|
||
5. Open the local web-server url http://localhost:6688/ (default link)
|
||
6. The local path/command execute occurs in the album name value of the photoGallery_head class
|
||
7. Successful reproduce of the vulnerability!
|
||
|
||
|
||
PoC: Album Name - photoGallery_head in the Album Sub Category List
|
||
|
||
<div class="header">
|
||
<div class="logo"> <a href="index.html"><img src="images/logo.png" alt="logo"></a> </div>
|
||
<div class="title"><a href="index.html"><img src="images/title4.png" alt="logo"></a></div>
|
||
<div class="button"><a href="upload.html"><img src="images/anniuda2.png" alt=" "></a></div>
|
||
<div class="photoGallery_head">
|
||
<div class="phga_hd_left">Album : ">%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoGallery_head CLASS!]></div>
|
||
<div class="phga_hd_right">
|
||
<input value="Zur<75>ck zur Sammlung" class="back" type="button">
|
||
</div>
|
||
</div>
|
||
</div>
|
||
|
||
|
||
PoC: Album Name - photoalbum in the Album Index List
|
||
|
||
<div class="photo_list">
|
||
<dl><dt class="photoalbum" alt="D579B80C-B73D-4A16-9379-FB29A6CFC12C"><a href="albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C">
|
||
<img src="/albumimg_D579B80C-B73D-4A16-9379-FB29A6CFC12C.jpg" height="100" width="100"></a></dt>
|
||
<dd>>%20<x src=\..\<../[COMMAND/PATH INJECT VULNERABILITY IN ALBUM NAME BY photoalbum!]>(125)</dd></dl>
|
||
<dl><dt class="photoalbum" alt="632F9F75-1B7A-41E4-8070-E62B1ECC780A"><a href="albumhtm?id=632F9F75-1B7A-41E4-8070-E62B1ECC780A">
|
||
<img src="/albumimg_632F9F75-1B7A-41E4-8070-E62B1ECC780A.jpg" height="100" width="100"></a></dt><dd>Fotoarchiv(0)</dd></dl>
|
||
<dl><dt class="photoalbum" alt="C44B3062-3A67-4BFA-AF16-04CC8DE2CD29"><a href="albumhtm?id=C44B3062-3A67-4BFA-AF16-04CC8DE2CD29">
|
||
<img src="/albumimg_C44B3062-3A67-4BFA-AF16-04CC8DE2CD29.jpg" height="100" width="100"></a></dt><dd>WallpapersHD(3)</dd></dl>
|
||
|
||
|
||
Reference(s):
|
||
http://localhost:6688/index.html
|
||
http://localhost:6688/albumhtm
|
||
http://localhost:6688/albumhtm?id=
|
||
http://localhost:6688/albumhtm?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C
|
||
|
||
|
||
Solution - Fix & Patch:
|
||
=======================
|
||
The vulnerability can be patched by a secure encode and parse of the vulnerable album name value.
|
||
Parse and filter also the index and sub category output list to ensure it prevents local command/path requests.
|
||
|
||
|
||
Security Risk:
|
||
==============
|
||
The security risk of the local command/path inject web vulnerability is estimated as high.
|
||
|
||
|
||
Credits & Authors:
|
||
==================
|
||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
||
|
||
|
||
Disclaimer & Information:
|
||
=========================
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
||
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2013 | Vulnerability Laboratory [Evolution Security]
|
||
|
||
|
||
|
||
--
|
||
VULNERABILITY LABORATORY RESEARCH TEAM
|
||
DOMAIN: www.vulnerability-lab.com
|
||
CONTACT: research@vulnerability-lab.com |