167 lines
No EOL
8.1 KiB
Text
167 lines
No EOL
8.1 KiB
Text
Document Title:
|
|
===============
|
|
C & C++ for OS - Filter Bypass & Persistent Vulnerability
|
|
|
|
|
|
References (Source):
|
|
====================
|
|
http://www.vulnerability-lab.com/get_content.php?id=1825
|
|
|
|
|
|
Release Date:
|
|
=============
|
|
2016-04-14
|
|
|
|
|
|
Vulnerability Laboratory ID (VL-ID):
|
|
====================================
|
|
1825
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
3.5
|
|
|
|
|
|
Product & Service Introduction:
|
|
===============================
|
|
This is an ios c app,you can learn,run,share c code. The software is a offline compiler for developers with apple iOS.
|
|
Code templates,the contents of the new file is copy from contents of the template file.
|
|
|
|
(Copy of the Homepage: https://itunes.apple.com/us/app/c-for-os-programming-language/id1016290003 )
|
|
|
|
|
|
This is an ios c/c++ app,you can learn,run,share c/c++ code. In(the built-in browser or the txt editor),Select the text to run.
|
|
Code templates,the contents of the new file is copy from contents of the template file.
|
|
|
|
(Copy of the Homepage: https://itunes.apple.com/us/app/c-c++-offline-compiler-for/id1016322367 )
|
|
|
|
|
|
Abstract Advisory Information:
|
|
==============================
|
|
The vulnerability laboratory core research team discovered an application-side validation vulnerability in the official C & C++ for OS web-application (api).
|
|
|
|
|
|
Vulnerability Disclosure Timeline:
|
|
==================================
|
|
2016-04-14: Public Disclosure (Vulnerability Laboratory)
|
|
|
|
|
|
Discovery Status:
|
|
=================
|
|
Published
|
|
|
|
|
|
Affected Product(s):
|
|
====================
|
|
XiaoWen Huang
|
|
Product: C for OS & C++ - Mobile API (Web-Application) 1.2
|
|
|
|
|
|
Exploitation Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity Level:
|
|
===============
|
|
Medium
|
|
|
|
|
|
Technical Details & Description:
|
|
================================
|
|
A persistent input validation and mail encode web vulnerability has been discovered in the official C & C++ for OS web-application (api).
|
|
The persistent web vulnerability allows an attacker to inject malicious script codes on the application-side of the vulnerable modules context.
|
|
|
|
The basic validation of the code formular and mask allows to include any type of script codes or programming language without offensive input
|
|
restrictions. Attackers can inject code to a project to share it with another source. In the moment the code of the project is generated to as
|
|
email body, a persistent script code execution occurs.
|
|
|
|
There are two options to exploit, first is to send the malicious mail to the author of the program by the `Mail Author` function. Another possibility
|
|
to execute code in the email body context is to share it with another code editor by email. In both email body message context the injected wrong
|
|
filtered script code execution occurs. The internal encoding of the formular is correctly done but in case of sharing by qr or via message body email
|
|
the execution occurs. The vulnerability is located on the application-side of the iOS application and the request method to inject requires physical
|
|
device access or access to the share function. The bug is present in the C & C++ for OS 1.2 version of the mobile client. Attackers can for example
|
|
generate a QR code with malicious context that is executed in the message body were the code is mainly displayed by the iOS application.
|
|
|
|
The security risk of the application-side vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
|
|
Exploitation of the persistent vulnerability requires a low privileged ios device user account with restricted access and low user interaction.
|
|
Successful exploitation of the vulnerabilities results in persistent phishing mails, session hijacking, persistent external redirect to malicious
|
|
sources and application-side manipulation of affected or connected module context.
|
|
|
|
Vulnerable Module(s):
|
|
[+] Share to Authors
|
|
[+] Share by Email
|
|
[+] Share via QR Code
|
|
|
|
Vulnerable Function(s):
|
|
[+] Console
|
|
[+] C or C++
|
|
|
|
|
|
Proof of Concept (PoC):
|
|
=======================
|
|
The persistent vulnerability and mail encoding bug can be exploited by remote attackers with low privileged device user account and low user interaction.
|
|
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
|
|
|
Manual steps to reproduce the vulnerability ...
|
|
1. Install the perl app to your apple iOS device
|
|
2. Start the mobile application
|
|
3. Include to the first variable in the demo code java or html script code and save the entry as c or c++ script
|
|
4. Open the saved entry again and click the top right arrow menu
|
|
5. Now choose Create QR or Share menu button
|
|
6. Open the menu `Mail to Author` or push the default `iOS Mail App` button
|
|
7. Now the code of the formular gets transfered to the email message body context
|
|
Note: The encoding does not parse or encode any inserted values
|
|
8. The email arrives to the target inbox
|
|
9. Open the email and the code executes directly in the message body or next to the generated qr code
|
|
10. Successful reproduce of the filter and validation vulnerability in the c and c++ app api!
|
|
|
|
Note: The bug can be exploited by sending to the author, by sending to another target mail or by transfer of a qr code.
|
|
|
|
|
|
Solution - Fix & Patch:
|
|
=======================
|
|
The vulnerability can be patched by a secure parse and encode of the vulnerable message body context.
|
|
Filter and parse all code values that are included to the message body. Configure the code to plain text not html to prevent
|
|
further persistent injection attacks. In case of emergency use the escape function to separate the mechanism permanently.
|
|
|
|
|
|
Security Risk:
|
|
==============
|
|
The security risk of the application-side mail encode web vulnerability in the mobile application api is estimated as medium. (CVSS 3.5)
|
|
|
|
|
|
Credits & Authors:
|
|
==================
|
|
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
|
|
|
|
|
Disclaimer & Information:
|
|
=========================
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
|
|
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
|
|
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
|
|
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
|
|
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
|
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
|
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
|
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
|
|
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
|
|
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
|
|
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
|
|
|
|
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY LABORATORY - RESEARCH TEAM
|
|
SERVICE: www.vulnerability-lab.com
|
|
CONTACT: research@vulnerability-lab.com |