SimplyShare 1.4 iOS – Multiple Vulnerabilities

  • 作者: Vulnerability-Lab
    日期: 2014-01-29
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/31258/
  • Document Title:
    ===============
    SimplyShare v1.4 iOS - Multiple Web Vulnerabilities
    
    
    References (Source):
    ====================
    http://www.vulnerability-lab.com/get_content.php?id=1181
    
    
    Release Date:
    =============
    2014-01-28
    
    
    Vulnerability Laboratory ID (VL-ID):
    ====================================
    1181
    
    
    Common Vulnerability Scoring System:
    ====================================
    9.2
    
    
    Product & Service Introduction:
    ===============================
    SimplyShare is the ultimate tool to Transfer your Photos, Videos and Files easily to other iPhone/iPod Touch/iPad 
    and computers wirelessly (without any iTunes Sync). Download or upload photos/videos/files directly from a computer.
    Store, manage and view MS Office, iWork, PDF files and many more features
    
    Share Files, Photos or Videos:
    - Transfer any number of files, photos or videos with any size to other iOS devices (iPhone, iPod Touch and iPad) via Wi-Fi
    - Download files, photos or videos with any size to your computer via Wi-Fi
    - Upload multiple files, photos or videos with any size from your computer to your device via WiFi
    - Transfer your files via USB cable (iTunes sync)
    - View all your photo albums, videos and files on your device from a computer
    - Preserves all photos metadata after transfer
    - Slideshow all the photos of an album on a computer (on web browser)
    - Display your photos on other iOS devices without transfer/saving them
    - Send a short/quick text message from your computer or other iOS devices to your own iDevice
    - Email files or photos from your device
    
    Download Files from Internet:
    - Download files browsing the Internet
    - Tap & Hold on any link or photos to save them in SimpyShare app
    - Any webpage you visit, SimplyShare automatically generates all the links to supported files (MS Office, 
    iWork, PDF documents etc). Then you can download them by just a single tap.
    - Download images automatically by simply tapping on any image in the webpage
    
    File Manager:
    - Open or Print Microsoft Office documents (Office ‘97 and newer)
    - Open or Print iWork documents
    - View or Print PDF files, Images, RTF documents, CSV, HTML and Text files
    - Play Audio and Video files
    - Move, Copy delete files/folder or create new folders
    - Save images or videos to Photos Album
    - Ability to create folders and organize the files within the folders
    - iTunes USB sharing ...
    
    ( Copy of the Homepage: https://itunes.apple.com/en/app/simply-share/id399197227 ) 
    
    
    Abstract Advisory Information:
    ==============================
    The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official SimplyShare v1.4 iOS mobile application.
    
    
    Vulnerability Disclosure Timeline:
    ==================================
    2013-01-28:Public Disclosure (Vulnerability Laboratory)
    
    
    Discovery Status:
    =================
    Published
    
    
    Affected Product(s):
    ====================
    Apple AppStore
    Product: Rambax, LLC - SimplyShare 1.4
    
    
    Exploitation Technique:
    =======================
    Remote
    
    
    Severity Level:
    ===============
    Critical
    
    
    Technical Details & Description:
    ================================
    1.1
    A critical remote code execution web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
    Remote attackers are able to execute own system specific codes to compromise the affected web-application or the connected mobile device.
    
    The remote vulnerability is located in the vulnerable `text` value of the `Send Text` module. Remote attackers can use the prompt send 
    text input to direct execute system codes or malicious application requests. The send text input field has no restrictions or secure 
    encoding to ensure direct code executes are prevented. After the inject the code execution occurs directly in the send text module 
    item list. The security risk of the remote code execution vulnerability is estimated as critical with a cvss (common vulnerability 
    scoring system) count of 9.2(+)|(-)9.3.
    
    Exploitation of the code execution vulnerability requires no user interaction or privileged web-application user account with password. 
    Successful exploitation of the remote code execution vulnerability results in mobile application or connected device component compromise.
    
    
    Request Method(s):
    				[+] [POST]
    
    Vulnerable Module(s):
    				[+] Send Text
    
    Vulnerable Parameter(s):
    				[+] text
    
    Affected Module(s):
    				[+] Access from Computer (Send Text Index List - Text Name & Context)
    
    
    
    1.2
    A local file/path include web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
    The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system 
    specific path commands to compromise the web-application or mobile device.
    
    The local file include web vulnerability is located in the vulnerable `filename` value of the `upload files` module (web-interface).
    Remote attackers are able to inject own files with malicious filename to compromise the mobile application. The attack vector is 
    persistent and the request method is POST. The local file/path include execute occcurs in the main file to path section after the 
    refresh of the file upload. The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common 
    vulnerability scoring system) count of 7.7(+)|(-)7.8.
    
    Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password. 
    Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise by unauthorized 
    local file include web attacks.
    
    Request Method(s):
    				[+] [POST]
    
    Vulnerable Input(s):
    				[+] Upload Files
    
    Vulnerable Parameter(s):
    				[+] filename
    
    Affected Module(s):
    				[+] Access from Computer (File Dir Index List - Folder/Category topath=/)
    
    
    
    1.3
    A local command/path injection web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
    The vulnerability allows to inject local commands via vulnerable system values to compromise the apple iOS mobile web-application.
    
    The vulnerability is located in the in the title value of the header area. Local attackers are able to inject own script codes 
    as iOS device name. The execute of the injected script code occurs with persistent attack vector in the header section of the 
    web interface. The security risk of the command/path inject vulnerabilities are estimated as high with a cvss (common vulnerability 
    scoring system) count of 6.2(+)|(-)6.3.
    
    Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access 
    and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific 
    commands or unauthorized path requests.
    
    Request Method(s):
    				[+] [GET]
    
    Vulnerable Value(s):
    				[+] devicename 
    
    Vulnerable Parameter(s):
    				[+] value to title
    
    Affected Module(s):
    				[+] Access from Computer (File Dir Index List) - [Header]
    
    
    
    
    1.4
    Multiple persistent input validation web vulnerabilities has been discovered in the official SimplyShare v1.4 iOS mobile web-application.
    The bug allows remote attackers to implement/inject own malicious persistent script codes to the application-side of the vulnerable app.
    
    The vulnerability is located in the `name` value of the internal photo and video module. The vulnerability can be exploited by manipulation 
    of the local device album names. After the local attacker with physical access injected the code to the local device foto app menu, he is able 
    to execute the persistent script codes on the application-side of the mobile app device. The security risk of the persistent script code inject 
    web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 3.8(+)|(-)3.9.
    
    Exploitation of the persistent web vulnerabilities requires low user interaction and no privileged web-application user account with a password. 
    Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks, 
    persistent phishing or persistent manipulation of module context.
    
    
    Vulnerable Module(s):
    				[+] Video Folder Name
    				[+] Photos Folder Name
    
    Vulnerable Parameter(s):
    				[+] album name values
    
    Affected Module(s):
    				[+] Access from Computer (Photos & Videos Module)
    
    
    Proof of Concept (PoC):
    =======================
    1.1
    The remote code execution vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account.
    For security demonstration or to reproduce the remote code execution vulnerability follow the provided steps and information below.
    
    PoC: Send Text
    
    <table class="ui-widget ui-widget-content" style="margin-bottom: 0;"> 
    				<thead> 
    					<tr class="ui-widget-header"> 
    						<th></th>
    						<th>Name</th> 
    						<th>Date</th> 
    						<th>Size</th> 
    					</tr> 
    				</thead> 
    				<tbody>
    <tr class="ui-state-default">
    <td></td><td colspan="3" class="name"><span class="ui-icon ui-icon-folder-collapsed"></span><a href="https://www.exploit-db.com/?path=/">..</a></td>
    </tr>
    <tr class="ui-state-default">
    <td><input value="/Texts/>" type="checkbox">"<<>"<">[REMOTE CODE EXECUTION VULNERABILITY!] s="" 137.txt"="" 
    filesize="550"></td><td class="name"><span class="ui-icon ui-icon-document"></span>
    <a href="https://www.exploit-db.com/Texts/>">"<<>"<"><[REMOTE CODE EXECUTION VULNERABILITY!] 137.txt</a></td><td>Jan. 23, 2014 14:07</td><td>0.5 KB</td></tr>
    
    
    --- PoC Session Logs [GET] ---
    14:13:14.499[93ms][total 1294ms] Status: 200[OK]
    GET http://192.168.2.109/?path=/Texts Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URILOAD_INITIAL_DOCUMENT_URI] Content Size[6608] Mime Type[application/x-unknown-content-type]
     Request Headers:
    Host[192.168.2.109]
    User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
    Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
    Accept-Language[en-US,en;q=0.5]
    Accept-Encoding[gzip, deflate]
    DNT[1]
    Referer[http://192.168.2.109/]
    Connection[keep-alive]
    Cache-Control[max-age=0]
     Response Headers:
    Accept-Ranges[bytes]
    Content-Length[6608]
    Date[Do., 23 Jan. 2014 13:20:09 GMT]
    
    
    14:13:14.612[33ms][total 33ms] Status: 200[OK]
    GET http://192.168.2.109/rambax/server/jquery-ui-1.8.5.custom.css Load Flags[VALIDATE_ALWAYS ] Content Size[22041] Mime Type[text/css]
     Request Headers:
    Host[192.168.2.109]
    User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
    Accept[text/css,*/*;q=0.1]
    Accept-Language[en-US,en;q=0.5]
    Accept-Encoding[gzip, deflate]
    DNT[1]
    Referer[http://192.168.2.109/?path=/Texts]
    Connection[keep-alive]
    Cache-Control[max-age=0]
     Response Headers:
    Accept-Ranges[bytes]
    Content-Length[22041]
    Content-Type[text/css]
    Date[Do., 23 Jan. 2014 13:20:09 GMT]
    
    
    
    1.2
    The file include web vulnerability can be exploited by remote attackers without user interaction and privileged web-application user account.
    For security demonstration or to reproduce the file/path include web vulnerability follow the provided steps and information below.
    
    PoC: Upload Files - Filename
    
    <tr class="ui-state-default">
    <td><input value="/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]" filesize="723" type="checkbox"></td>
    <td class="name"><span class="ui-icon ui-icon-document"></span>
    <a href="https://www.exploit-db.com/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]">[FILE INCLUDE VULNERABILITY VIA FILENAME]</a></td>
    <td>Jan. 23, 2014 14:04</td><td>0.7 KB</td></tr>
    
    
    1.3
    The local command inject web vulnerability can be exploited by remote attackers without user interaction and privileged web-application user account.
    Physical device access or resource access is required to exploit the local command inject vulnerability. For security demonstration or to reproduce 
    the local command inject vulnerability follow the provided steps and information below.
    
    
    PoC: Title - Header
    
    	<body>
    		<div class="visible-div">
    			<img src="https://www.exploit-db.com/rambax/server/SimplyShare-icon.png">
    			<div id="title">bkm¥337[LOCAL COMMAND INJECT VULNERABILITY VIA DEVICE NAME VALUE]</div>
    			<div id="header-links">
    
    1.4
    The persistent input validation web vulnerabilities can be exploited by remote attackers without privileged application user account but with 
    low or medium user interaction. For security demonstration or to reproduce the persistent vulnerabilities follow the provided steps and information below.
    
    PoC: Albums > name 
    
    <div id="albums">
    <ul class="column">
    <li><div class="block"><a href="https://www.exploit-db.com/rambax/album/0-x" 
    title="Camera Roll (137)"><img src="https://www.exploit-db.com/rambax/album_poster/0.jpg" class="photo"></a><span>Camera Roll (137)</span></div></li>
    <li><div class="block">
    <a href="https://www.exploit-db.com/rambax/album/1" title="bkm"><[PERSISTENT INJECTED SCRIPT CODE!]"> (1)"><img src="https://www.exploit-db.com/rambax/album_poster/1.jpg" 
    class="photo"/></a><span>bkm"><[PERSISTENT INJECTED SCRIPT CODE!]> (1)</span></div></li>
    			</ul>
    		</div>
    
    
    Solution - Fix & Patch:
    =======================
    1.1
    The first vulnerability can be patched by a secure restriction and encode of the send text input field with the text value parameter.
    Ensure the output send text item list module only displays secure parsed, encoded and validated context.
    
    1.2
    The second vulnerability can be patched by a secure parse and encode of the file name value parameter in the Upload File POST method request.
    
    1.3
    The third vulnerability can be patched by encoding the header section with the title value parameter to prevent physical command injection attacks.
    
    1.4
    Encode the photo album and video names to prevent persistent script code injection attacks by local stored album components of the foto (photo) app.
    
    
    Security Risk:
    ==============
    1.1
    The security risk of the remote code exection vulnerability is estimated as critical.
    
    1.2
    The security risk of the local file include web vulnerability is estimated as high(+).
    
    1.3
    The security risk of the local command inject web vulnerability is estimated as high(-).
    
    1.4
    The security risk of the persistent script code inject web vulnerabilities via POST method request are estimated as medium.
    
    
    Credits & Authors:
    ==================
    Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
    
    
    Disclaimer & Information:
    =========================
    The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
    either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
    Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
    profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
    states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
    may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
    or trade with fraud/stolen material.
    
    Domains:www.vulnerability-lab.com 	- www.vuln-lab.com			 - www.evolution-sec.com
    Contact:admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	 - admin@evolution-sec.com
    Section:www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		 - magazine.vulnerability-db.com
    Social:	twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	 - youtube.com/user/vulnerability0lab
    Feeds:	vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
    
    Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
    Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
    media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
    other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
    modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
    
    				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
    
    
    
    -- 
    VULNERABILITY LABORATORY RESEARCH TEAM
    DOMAIN: www.vulnerability-lab.com
    CONTACT: research@vulnerability-lab.com