154 lines
No EOL
6.1 KiB
Text
154 lines
No EOL
6.1 KiB
Text
Title:
|
||
======
|
||
Mobile Atlas Creator 1.9.12 - Persistent Command Injection Vulnerability
|
||
|
||
|
||
Date:
|
||
=====
|
||
2013-06-11
|
||
|
||
|
||
References:
|
||
===========
|
||
http://www.vulnerability-lab.com/get_content.php?id=970
|
||
|
||
|
||
|
||
VL-ID:
|
||
=====
|
||
970
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
3.5
|
||
|
||
|
||
Introduction:
|
||
=============
|
||
Mobile Atlas Creator (formerly known as TrekBuddy Atlas Creator) is an open source (GPL) program which creates offline atlases
|
||
for GPS handhelds and cell phone applications like TrekBuddy, AndNav and other Android and WindowsCE based applications. For the
|
||
full list of supported applications please see the features section. Additionally individual maps can be exported as one large
|
||
PNG image with calibration MAP file for OziExplorer. As source for an offline atlas Mobile Atlas Creator can use a large number
|
||
of different online maps such as OpenStreetMap and other online map providers.
|
||
|
||
http://mobac.sourceforge.net/
|
||
http://mobac.sourceforge.net/MOBAC/CHANGELOG.txt
|
||
|
||
|
||
Abstract:
|
||
=========
|
||
The Vulnerability Laboratory Security Team discovered a persistent vulnerability & local command path inject bug in the Mobile Atlas Creator 1.9.12 (2116) software.
|
||
|
||
|
||
Report-Timeline:
|
||
================
|
||
2013-05-02: Researcher Notification & Coordination (Ateeq Khan)
|
||
2013-05-03: Vendor Notification (MOB - Developer Team)
|
||
2013-05-03: Vendor Response/Feedback (MOB - Developer Team)
|
||
2013-05-29: Vendor Fix/Patch (MOB - Developer Team)
|
||
2013-06-11: Public Disclosure (Vulnerability Laboratory)
|
||
|
||
|
||
Status:
|
||
========
|
||
Published
|
||
|
||
|
||
Affected Products:
|
||
==================
|
||
MOBAC
|
||
Product: Mobile Atlas Creator 1.9.12
|
||
|
||
|
||
Exploitation-Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity:
|
||
=========
|
||
Medium
|
||
|
||
|
||
Details:
|
||
========
|
||
Due to the fact that proper user input sanatization is not being performed, it is possible to inject user specified HTML code
|
||
within the Atlas Mobile Creator Application. Besides HTML Injection, Local Command Path Injecton is also Possible. Other
|
||
interesting behaviour includes that if you use <script>alert(1)</script> you will get an exception error and application will
|
||
show you an error window. Upon further investigation, I was also able to load files from my local system where the
|
||
application is installed.
|
||
|
||
The bug exists in the Name FIeld while creating a New Atlas Map. A Malicious Attacker can save the script code as an Atlas Map
|
||
file and send it to unknown victims. This surely makes this bug very interesting. Please also note, I was able to cause multiple
|
||
types of exception errors while trying different payloads which means there is a possibility of multiple attack vectors through
|
||
the same vulnerable name field.
|
||
|
||
|
||
Vulnerable Module(s)
|
||
[+] Create New Map
|
||
|
||
Vulnerable Field(s)
|
||
[+] Name
|
||
|
||
|
||
Proof of Concept:
|
||
=================
|
||
The vulnerability can be exploited by local attackers with low privilege system user account and low user interaction.
|
||
For demonstration or reproduce ...
|
||
|
||
Manually steps to reproduce ...
|
||
|
||
1) Install and open atlas software
|
||
2) In the menu, goto Atlas -> New Atlas
|
||
3) Use the following payload as the Atlas name >"<iframe src=http://www.vulnerability-lab.com
|
||
4) Click OK to save the input with the non-malicious test frame
|
||
5) Right click on the Atlas Content and click the Show Details menu button
|
||
6) The script code with the test frame will be executed in the main software when processing to load the show details function of the main listing module.
|
||
|
||
Note: If you use <script>alert(1)</script> you will get an exception error and application will show you an error window.redisplay
|
||
|
||
|
||
Solution:
|
||
=========
|
||
Proper user input sanatization should be performed and all special / illegal characters should be filtered out to prevent any such / similar attacks.
|
||
|
||
|
||
Risk:
|
||
=====
|
||
The security risk of the persistent input validation vulnerabilities and local command path inject vulnerabilities are estimated as medium(+)|(-)high.
|
||
|
||
|
||
Credits:
|
||
========
|
||
Vulnerability Laboratory [Research Team] - Ateeq Khan (khan@vulnerability-lab.com)
|
||
|
||
|
||
Disclaimer:
|
||
===========
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
||
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
||
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2013 | Vulnerability Laboratory
|
||
|
||
--
|
||
VULNERABILITY LABORATORY RESEARCH TEAM
|
||
DOMAIN: www.vulnerability-lab.com
|
||
CONTACT: research@vulnerability-lab.com |