251 lines
10 KiB
Text
Executable file
251 lines
10 KiB
Text
Executable file
Title:
|
|
======
|
|
Wireless Disk PRO v2.3 iOS - Multiple Web Vulnerabilities
|
|
|
|
|
|
Date:
|
|
=====
|
|
2013-02-26
|
|
|
|
|
|
References:
|
|
===========
|
|
http://www.vulnerability-lab.com/get_content.php?id=883
|
|
|
|
|
|
VL-ID:
|
|
=====
|
|
883
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
6.2
|
|
|
|
|
|
Introduction:
|
|
=============
|
|
AirDisk Pro allows you to store, view and manage files on your iPhone, iPad or iPod touch. You can connect to AirDisk Pro from any Mac or
|
|
PC over the Wi-Fi network and transfer files by drag & drop files straight from the Finder or Windows Explorer.
|
|
|
|
DOCUMENT READER:
|
|
Support MS Office, iWork, Text & HTML
|
|
MULTIMEDIA PLAYER:
|
|
An ability to in app create your own audio playlist with repeat, shuffle, background playback and remote control from multitask.
|
|
HTTP/FTP PASSWORD PROTECTED:
|
|
Files transfer between PC/Mac with password protected.
|
|
FILE OPERATION:
|
|
Move, Copy, Rename, Delete, Zip, Unzip, UnRAR, Create File and Folder.
|
|
FILE SHARING:
|
|
File sharing with other iPhone/iPad devices via Bluetooth or Wi-Fi connection with automatic search of nearest available devices around you.
|
|
EASY FILE UPLOAD:
|
|
Drag and drop files upload via your PC/Mac web browser or USB via iTunes File Sharing.
|
|
TEXT EDITOR:
|
|
Built-in text editor that allows you to edit your text files or source codes on your iOS device.
|
|
IMPORT/ FILES CREATION:
|
|
An ability to create text files, image captures, video records, voice recordings and import pictures from photo library.
|
|
PASSCODE LOCK:
|
|
An ability to protect your files from viewing by others.
|
|
UNIVERSALITY:
|
|
This app is developed for both iPhone and iPad, you need to purchase only once.
|
|
|
|
AirDisk Pro features document viewer, PDF reader, music player, image viewer, voice recorder, text editor, file manager and
|
|
support most of the file operations: like delete, move, copy, email, share, zip, unzip and more.
|
|
|
|
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 )
|
|
|
|
|
|
Abstract:
|
|
=========
|
|
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the mobile Wireless Disk PRO v2.3 app for the apple ipad & iphone.
|
|
|
|
|
|
Report-Timeline:
|
|
================
|
|
2013-02-26: Public Disclosure
|
|
|
|
|
|
Status:
|
|
========
|
|
Published
|
|
|
|
|
|
Affected Products:
|
|
==================
|
|
Apple
|
|
Product: Wireless Disk PRO 2.3
|
|
|
|
|
|
Exploitation-Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity:
|
|
=========
|
|
Critical
|
|
|
|
|
|
Details:
|
|
========
|
|
1.1
|
|
A local file include web vulnerability via POST request method is detected in the mobile Wireless Disk PRO v2.3 app for the apple ipad & iphone.
|
|
The vulnerability allows remote attackers via POST method to inject local app webserver folders to request unauthorized local webserver files.
|
|
|
|
The vulnerbility is located in the upload file module of the webserver (http://localhost:6566/) when processing to request a manipulated
|
|
filename via POST. The execution of the injected path or file request will occur when the attacker is processing to reload to index listing
|
|
of the affected module after the file include attack via upload.
|
|
|
|
Exploitation of the vulnerability requires no user interaction and also without application user account (no password standard).
|
|
Successful exploitation of the vulnerability results in unauthorized path or file access via local file or path include attack.
|
|
|
|
Vulnerable Application(s):
|
|
[+] Wireless Disk PRO v2.3 - ITunes or AppStore (Apple)
|
|
|
|
Vulnerable Module(s):
|
|
[+] File Upload (Web Server) [Remote]
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] filename
|
|
|
|
Affected Module(s):
|
|
[+] File - Index Listing
|
|
|
|
|
|
|
|
1.2
|
|
A local command injection web vulnerability is detected in the mobile Wireless Disk PRO v2.3 app for the apple ipad & iphone.
|
|
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile application.
|
|
|
|
The vulnerbility is located in the index module when processing to load the ipad or iphone device name. Local attackers can
|
|
change the ipad or iphone device name to system specific commands and file/path requests to provoke the execution when
|
|
processing to watch the index site of the application.
|
|
|
|
Exploitation of the web vulnerability requires a local privilege device user account (standard) without user interaction.
|
|
Successful exploitation of the vulnerability results unauthorized execution of system specific commands or file/path requests.
|
|
|
|
Vulnerable Application(s):
|
|
[+] Wireless Disk PRO v2.3 - ITunes or AppStore (Apple)
|
|
|
|
Vulnerable Module(s):
|
|
[+] Index
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] device name
|
|
|
|
Affected Module(s):
|
|
[+] Header Device - Index File Dir Listing
|
|
|
|
|
|
|
|
1.3
|
|
A persistent input validation vulnerability is detected in the mobile Wireless Disk PRO v2.3 app for the apple ipad & iphone.
|
|
The bug allows an attacker (remote) to implement/inject malicious script code on the application side (persistent) of the app web service.
|
|
|
|
The vulnerability is located in the index file dir listing module of the webserver (http://localhost:6566/) when processing to display
|
|
injected and via POST request method manipulated filenames. The persistent script code will be executed out of the main index file dir
|
|
listing module when the service is processing to list the new malicious injected filename as item.
|
|
|
|
Exploitation of the persistent web vulnerability requires low or medium user interaction without application user account.
|
|
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web
|
|
attacks, persistent phishing or stable (persistent) certificate mail notification context manipulation.
|
|
|
|
Vulnerable Application(s):
|
|
[+] Wireless Disk PRO v2.3 - ITunes or AppStore (Apple)
|
|
|
|
Vulnerable Module(s):
|
|
[+] File Upload (Web Server) [Remote]
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] name
|
|
|
|
Affected Module(s):
|
|
[+] Filename - Index File Dir Listing
|
|
|
|
|
|
Proof of Concept:
|
|
=================
|
|
1.1
|
|
The file include web vulnerability can be exploited by remote attackers without application user account and also without user interaction.
|
|
For demonstration or reproduce ...
|
|
|
|
PoC: (POST)
|
|
-----------------------------243701706111075
|
|
Content-Disposition: form-data; name="file"; filename="[FILE/PATH INCLUDE WEB VULNERABILITY].png"
|
|
Content-Type: image/gif flag: 137
|
|
|
|
|
|
1.2
|
|
The command injection web vulnerability can be exploited by local privilege device user accounts with low required user interaction.
|
|
For demonstration or reproduce ...
|
|
|
|
DEVICE NAME: IPad360 ?337
|
|
|
|
Standard Application Header:
|
|
<div id="header_bottom">The following files are the hosts live from IPad360 ?337 WirelessDisk App Document folder</div>
|
|
|
|
Manipulated Application Header:
|
|
<div id="header_bottom">The following files are the hosts live from [COMMAND INJECTION VIA DEVICENAME!] WirelessDisk App Document folder</div>
|
|
|
|
|
|
1.3
|
|
The persistent script code injection web vulnerability can be exploited by remote attackers without application user account
|
|
and with medium required user interaction. For demonstration or reproduce ...
|
|
|
|
Review: Index File Dir Listing - Name
|
|
<table id="table1" border="0" cellpadding="1" cellspacing="2" width="741"><tbody><tr><td style="width:461px;background-color:#ebebeb;">
|
|
?? <a href="327.png" target="_blank">327.png</a></td><td style="width:100px;background-color:#e3e3e3;text-align:right;">
|
|
27.27 KB </td><td style="width:180px;text-align:center;background-color:#ebebeb;">2013-02-11 08:07:16</td></tr><tr>
|
|
<td style="width:461px;background-color:#ebebeb;"> ??
|
|
<a href="<[PERSISTENT INJECTED SCRIPT CODE AS NAME!]" target="_blank"><[PERSISTENT INJECTED SCRIPT CODE AS NAME!]>%20%20%20%20</a></td>
|
|
<td style="width:100px;background-color:#e3e3e3;text-align:right;">27.27 KB </td><td style="width:180px;text-align:
|
|
center;background-color:#ebebeb;">2013-02-11 08:07:35</td></tr>
|
|
|
|
|
|
Risk:
|
|
=====
|
|
1.1
|
|
The security risk of the local file/path include web vulnerability via POST request method is estimated as critical.
|
|
|
|
1.2
|
|
The security risk of the local command injection vulnerability is estimated as high(-).
|
|
|
|
1.3
|
|
The security risk of the persistent input validation web vulnerability is estimated as medium(+).
|
|
|
|
|
|
Credits:
|
|
========
|
|
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
|
|
|
|
|
|
Disclaimer:
|
|
===========
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
|
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
|
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
|
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
|
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
|
or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
|
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
|
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
|
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
|
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright ? 2013 | Vulnerability Laboratory
|
|
|
|
--
|
|
VULNERABILITY RESEARCH LABORATORY
|
|
LABORATORY RESEARCH TEAM
|
|
CONTACT: research@vulnerability-lab.com
|
|
|
|
|