Document Title:
===============
SimplyShare v1.4 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1181
Release Date:
=============
2014-01-28
Vulnerability Laboratory ID (VL-ID):
====================================
1181
Common Vulnerability Scoring System:
====================================
9.2
Product & Service Introduction:
===============================
SimplyShare is the ultimate tool to Transfer your Photos, Videos and Files easily to other iPhone/iPod Touch/iPad
and computers wirelessly (without any iTunes Sync). Download or upload photos/videos/files directly from a computer.
Store, manage and view MS Office, iWork, PDF files and many more features
Share Files, Photos or Videos:
- Transfer any number of files, photos or videos with any size to other iOS devices (iPhone, iPod Touch and iPad) via Wi-Fi
- Download files, photos or videos with any size to your computer via Wi-Fi
- Upload multiple files, photos or videos with any size from your computer to your device via WiFi
- Transfer your files via USB cable (iTunes sync)
- View all your photo albums, videos and files on your device from a computer
- Preserves all photos metadata after transfer
- Slideshow all the photos of an album on a computer (on web browser)
- Display your photos on other iOS devices without transfer/saving them
- Send a short/quick text message from your computer or other iOS devices to your own iDevice
- Email files or photos from your device
Download Files from Internet:
- Download files browsing the Internet
- Tap & Hold on any link or photos to save them in SimpyShare app
- Any webpage you visit, SimplyShare automatically generates all the links to supported files (MS Office,
iWork, PDF documents etc). Then you can download them by just a single tap.
- Download images automatically by simply tapping on any image in the webpage
File Manager:
- Open or Print Microsoft Office documents (Office ‘97 and newer)
- Open or Print iWork documents
- View or Print PDF files, Images, RTF documents, CSV, HTML and Text files
- Play Audio and Video files
- Move, Copy delete files/folder or create new folders
- Save images or videos to Photos Album
- Ability to create folders and organize the files within the folders
- iTunes USB sharing ...
( Copy of the Homepage: https://itunes.apple.com/en/app/simply-share/id399197227 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official SimplyShare v1.4 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2013-01-28:Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple AppStore
Product: Rambax, LLC - SimplyShare 1.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
1.1
A critical remote code execution web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
Remote attackers are able to execute own system specific codes to compromise the affected web-application or the connected mobile device.
The remote vulnerability is located in the vulnerable `text` value of the `Send Text` module. Remote attackers can use the prompt send
text input to direct execute system codes or malicious application requests. The send text input field has no restrictions or secure
encoding to ensure direct code executes are prevented. After the inject the code execution occurs directly in the send text module
item list. The security risk of the remote code execution vulnerability is estimated as critical with a cvss (common vulnerability
scoring system) count of 9.2(+)|(-)9.3.
Exploitation of the code execution vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the remote code execution vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Send Text
Vulnerable Parameter(s):
[+] text
Affected Module(s):
[+] Access from Computer (Send Text Index List - Text Name & Context)
1.2
A local file/path include web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
specific path commands to compromise the web-application or mobile device.
The local file include web vulnerability is located in the vulnerable `filename` value of the `upload files` module (web-interface).
Remote attackers are able to inject own files with malicious filename to compromise the mobile application. The attack vector is
persistent and the request method is POST. The local file/path include execute occcurs in the main file to path section after the
refresh of the file upload. The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common
vulnerability scoring system) count of 7.7(+)|(-)7.8.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise by unauthorized
local file include web attacks.
Request Method(s):
[+] [POST]
Vulnerable Input(s):
[+] Upload Files
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Access from Computer (File Dir Index List - Folder/Category topath=/)
1.3
A local command/path injection web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple iOS mobile web-application.
The vulnerability is located in the in the title value of the header area. Local attackers are able to inject own script codes
as iOS device name. The execute of the injected script code occurs with persistent attack vector in the header section of the
web interface. The security risk of the command/path inject vulnerabilities are estimated as high with a cvss (common vulnerability
scoring system) count of 6.2(+)|(-)6.3.
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific
commands or unauthorized path requests.
Request Method(s):
[+] [GET]
Vulnerable Value(s):
[+] devicename
Vulnerable Parameter(s):
[+] value to title
Affected Module(s):
[+] Access from Computer (File Dir Index List) - [Header]
1.4
Multiple persistent input validation web vulnerabilities has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
The bug allows remote attackers to implement/inject own malicious persistent script codes to the application-side of the vulnerable app.
The vulnerability is located in the `name` value of the internal photo and video module. The vulnerability can be exploited by manipulation
of the local device album names. After the local attacker with physical access injected the code to the local device foto app menu, he is able
to execute the persistent script codes on the application-side of the mobile app device. The security risk of the persistent script code inject
web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 3.8(+)|(-)3.9.
Exploitation of the persistent web vulnerabilities requires low user interaction and no privileged web-application user account with a password.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks,
persistent phishing or persistent manipulation of module context.
Vulnerable Module(s):
[+] Video Folder Name
[+] Photos Folder Name
Vulnerable Parameter(s):
[+] album name values
Affected Module(s):
[+] Access from Computer (Photos & Videos Module)
Proof of Concept (PoC):
=======================
1.1
The remote code execution vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account.
For security demonstration or to reproduce the remote code execution vulnerability follow the provided steps and information below.
PoC: Send Text
<table class="ui-widget ui-widget-content" style="margin-bottom: 0;">
<thead>
<tr class="ui-widget-header">
<th></th>
<th>Name</th>
<th>Date</th>
<th>Size</th>
</tr>
</thead>
<tbody>
<tr class="ui-state-default">
<td></td><td colspan="3" class="name"><span class="ui-icon ui-icon-folder-collapsed"></span><a href="https://www.exploit-db.com/?path=/">..</a></td>
</tr>
<tr class="ui-state-default">
<td><input value="/Texts/>" type="checkbox">"<<>"<">[REMOTE CODE EXECUTION VULNERABILITY!] s="" 137.txt"=""
filesize="550"></td><td class="name"><span class="ui-icon ui-icon-document"></span>
<a href="https://www.exploit-db.com/Texts/>">"<<>"<"><[REMOTE CODE EXECUTION VULNERABILITY!] 137.txt</a></td><td>Jan. 23, 2014 14:07</td><td>0.5 KB</td></tr>
--- PoC Session Logs [GET] ---
14:13:14.499[93ms][total 1294ms] Status: 200[OK]
GET http://192.168.2.109/?path=/Texts Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URILOAD_INITIAL_DOCUMENT_URI] Content Size[6608] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.109]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.109/]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Accept-Ranges[bytes]
Content-Length[6608]
Date[Do., 23 Jan. 2014 13:20:09 GMT]
14:13:14.612[33ms][total 33ms] Status: 200[OK]
GET http://192.168.2.109/rambax/server/jquery-ui-1.8.5.custom.css Load Flags[VALIDATE_ALWAYS ] Content Size[22041] Mime Type[text/css]
Request Headers:
Host[192.168.2.109]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/css,*/*;q=0.1]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.109/?path=/Texts]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Accept-Ranges[bytes]
Content-Length[22041]
Content-Type[text/css]
Date[Do., 23 Jan. 2014 13:20:09 GMT]
1.2
The file include web vulnerability can be exploited by remote attackers without user interaction and privileged web-application user account.
For security demonstration or to reproduce the file/path include web vulnerability follow the provided steps and information below.
PoC: Upload Files - Filename
<tr class="ui-state-default">
<td><input value="/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]" filesize="723" type="checkbox"></td>
<td class="name"><span class="ui-icon ui-icon-document"></span>
<a href="https://www.exploit-db.com/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]">[FILE INCLUDE VULNERABILITY VIA FILENAME]</a></td>
<td>Jan. 23, 2014 14:04</td><td>0.7 KB</td></tr>
1.3
The local command inject web vulnerability can be exploited by remote attackers without user interaction and privileged web-application user account.
Physical device access or resource access is required to exploit the local command inject vulnerability. For security demonstration or to reproduce
the local command inject vulnerability follow the provided steps and information below.
PoC: Title - Header
<body>
<div class="visible-div">
<img src="https://www.exploit-db.com/rambax/server/SimplyShare-icon.png">
<div id="title">bkm¥337[LOCAL COMMAND INJECT VULNERABILITY VIA DEVICE NAME VALUE]</div>
<div id="header-links">
1.4
The persistent input validation web vulnerabilities can be exploited by remote attackers without privileged application user account but with
low or medium user interaction. For security demonstration or to reproduce the persistent vulnerabilities follow the provided steps and information below.
PoC: Albums > name
<div id="albums">
<ul class="column">
<li><div class="block"><a href="https://www.exploit-db.com/rambax/album/0-x"
title="Camera Roll (137)"><img src="https://www.exploit-db.com/rambax/album_poster/0.jpg" class="photo"></a><span>Camera Roll (137)</span></div></li>
<li><div class="block">
<a href="https://www.exploit-db.com/rambax/album/1" title="bkm"><[PERSISTENT INJECTED SCRIPT CODE!]"> (1)"><img src="https://www.exploit-db.com/rambax/album_poster/1.jpg"
class="photo"/></a><span>bkm"><[PERSISTENT INJECTED SCRIPT CODE!]> (1)</span></div></li>
</ul>
</div>
Solution - Fix & Patch:
=======================
1.1
The first vulnerability can be patched by a secure restriction and encode of the send text input field with the text value parameter.
Ensure the output send text item list module only displays secure parsed, encoded and validated context.
1.2
The second vulnerability can be patched by a secure parse and encode of the file name value parameter in the Upload File POST method request.
1.3
The third vulnerability can be patched by encoding the header section with the title value parameter to prevent physical command injection attacks.
1.4
Encode the photo album and video names to prevent persistent script code injection attacks by local stored album components of the foto (photo) app.
Security Risk:
==============
1.1
The security risk of the remote code exection vulnerability is estimated as critical.
1.2
The security risk of the local file include web vulnerability is estimated as high(+).
1.3
The security risk of the local command inject web vulnerability is estimated as high(-).
1.4
The security risk of the persistent script code inject web vulnerabilities via POST method request are estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains:www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com