BugTraq
Photo Video Album Transfer 1.0 iOS - Multiple Vulnerabilities Dec 11 2013 02:14PM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
Photo Video Album Transfer 1.0 iOS - Multiple Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1166

Release Date:
=============
2013-12-10

Vulnerability Laboratory ID (VL-ID):
====================================
1166

Common Vulnerability Scoring System:
====================================
8.8

Product & Service Introduction:
===============================
Download the photos & videos from your iPhones Library to computer / PC;Upload photos & videos from your computer;
Transfer photos in full resolution in *.png, *.jpg, *.zip formats;No limit of the number, size or quality of the
transferred photos;Photo Video Album Transfer is a multifunctional and easy-to-use app. It allows to transfer
photos and videos from iPhone to iPhone, from iPhone to computer and reverse. Now you can easily manage your
photo or video transfer and forget about cables, additional hardware and expensive programs. Transfer any number
of photos and videos using this irreplaceable application for iPhone.

(Copy of the Homepage: https://itunes.apple.com/en/app/photo-video-album-transfer/id682294794 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Photo Video Album Transfer v1.0 mobile app for apple iOS.

Vulnerability Disclosure Timeline:
==================================
2013-12-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Apple AppStore
Product: Photo Video Album Transfer - Mobile Application (Igor Ciobanu) 1.0

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
1.1
A local file/path include web vulnerability has been discovered in the official Photo Video Album Transfer v1.0 mobile app for apple iOS.
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service.

The remote file include web vulnerability is located in the vulnerable filename value of the iOS Transfer Utility (web interface) module.
Remote attackers can manipulate the filename value in the POST method request of the browse file upload form to cpmpromise the mobile app.
Remote attackers are able to include own local files by usage of the browse file upload module. The attack vecotor is persistent and the
request method is POST. The file include execute occcurs in the main file dir index list were the filenames are visible listed. The security
risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 8.8(+).

Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the vulnerability results in unauthorized local file uploads and path requests to compromise the device or mobile app.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Browse File Upload - File send & arrival (web interface)

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080)

1.2
An arbitrary file upload web vulnerability has been discovered in the official Print n Share v5.5 mobile application for apple iOS.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.

The vulnerability is located in the upload file module. Remote attackers are able to upload a php or js web-shells by renaming the file with
multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension
`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & . gif file
extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is
estimated as high with a cvss (common vulnerability scoring system) count of 6.7(+).

Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Browse File Upload - File send & arrival (web interface)

Vulnerable Parameter(s):
[+] filename (multiple extensions)

Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080)

Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability in the file name can be exploited by remote attackers without user interaction or privileged mobile
web-application user account. For security demonstration or to reproduce the vulnerability follow the provided steps and information below.

Module: Upload
Input: Browse File
Method: POST

Manual stepst to reproduce the vulnerability ...

1. Install and start the vulnerable mobile application
2. Open the web-server wifi transfer (localhost:8080)
Note: Start to tamper the browser (http) request and response session of the next POST Request
3. Click the browse file to upload button and choose a random file of your local hd
4. Change in the POST method request of the upload the filename value and inject your own webshell, remote- or local file
5. The execute after the inject occurs in the main index file dir listing of the iOS Transfer Utility
6. Successful reproduce of the remote vulnerability!

PoC: Index File Dir List - iOS Transfer Utulity (filename)

<input name="file[]" accept="image/jpeg, image/png, video/quicktime, video/x-msvideo, video/x-m4v,
video/mp4" multiple="" type="file"></label><label><input name="button" id="button" value="Submit" type="submit"></label></form><br>
<table style="margin:0px;" border="0" cellspacing="0" width="100%">
<tbody><tr style="height: 30px; background-color: #CBCABE;">
</tr><tr><td colspan="3"> <a href=".."><b> Refresh</b></a><br><br></td></tr>
<tr><td> <%20../[FILE INCLUDE VULNERABILITY VIA VULNERABLE FILENAME!]"></td><td> 0.1 Kb</td><td>08.12.2013 15:58</td></tr>
<tr style='height: 180px;'><td style="text-align: center;" > <a href="IMG_0556_th.png"><img src="IMG_0556_th.png"
height="110px" style="max-width: 110px"><br>IMG_0556_th.png</a><br> 2.9 Kb</td>
</table>
<input type="hidden" value="numberOfAvailableFiles=IMG_0556_th.png,endOFF"/><br>
</div>
</body></html></iframe></td></tr></tbody></table></div></body></html>

--- PoC Session Request Logs ---
Status: 200[OK]
POST http://192.168.2.106:8080/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[59002] Mime Type[application/x-unknown-content-type]

Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5;
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]

Post Data:
POST_DATA[-----------------------------1863134445217
Content-Disposition: form-data; name="file[]"; filename="<../[FILE INCLUDE VULNERABILITY VIA VULNERABLE FILENAME!]>"
Content-Type: image/png

Status: 200 OK
GET http://192.168.2.106:8080/a Load Flags[LOAD_DOCUMENT_URI ]
Content Size[0] Mime Type[application/x-unknown-content-type]

Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5;
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]

Response Headers:
Accept-Ranges[bytes]
Content-Length[0]
Date[So., 08 Dez. 2013 14:58:35 GMT]

1.2
The arbitrary file upload and restricted upload bypass vulnerability can be exploited by remote attackers without privileged web-application
user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided steps and information below.

PoC:

<body><div class="header" id="header">
</div>
<div class="container" id="container"><br>
<table style="margin:0px;" border="0" cellspacing="0" width="100%">
<tbody><tr style="height: 30px; background-color: #CBCABE;">
</tr><tr><td colspan="3"> <a href=".."><b> Refresh</b></a><br><br>
</td></tr><tr style="height: 180px;">
<td style="text-align: center;"> <a href="file.jpg.gif.js.html.php.gif.jpg[ARBITRARY FILE UPLOAD & RESTRICTED UPLOAD BYPASS VULNERABILITY!]">
<img src="file.jpg.gif.js.html.php.gif.jpg[ARBITRARY FILE UPLOAD & RESTRICTED UPLOAD BYPASS VULNERABILITY!]>"
style="max-width: 110px" height="110px"><br><iframe src="a"></a><br> 0.1 Kb</td>
<td style="text-align: center;" > <a href="IMG_0441.MOV"><img src="IMG_0441_th.png" height="110px" style="max-width: 110px">
<br>IMG_0441.MOV</a><br>657665.1 Kb</td>
</table>

--- PoC Session Logs ---

Status: 200[OK]
GET http://192.168.2.106:8080/
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[58702] Mime Type[application/x-unknown-content-type]

Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5;
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
Cache-Control[max-age=0]

Response Headers:
Accept-Ranges[bytes]
Content-Length[58702]
Date[So., 08 Dez. 2013 15:34:33 GMT]
16:30:12.476[313ms][total 313ms]

Status: 200[OK]
GET http://192.168.2.106:8080/file.jpg.gif.js.html.php.gif.jpg[ARBITRARY FILE UPLOAD & RESTRICTED UPLOAD BYPASS VULNERABILITY!]
Load Flags[VALIDATE_ALWAYS ]
Content Size[124] Mime Type[:image/jpeg]

Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5;
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
Cache-Control[max-age=0]

Response Headers:
Content-Disposition[:attachment; filename="file.jpg.gif.js.html.php.gif.jpg"]
Content-Length[124]
Accept-Ranges[bytes]
Content-Type[:image/jpeg]
Date[So., 08 Dez. 2013 15:34:33 GMT]

Reference(s):
http://localhost:8080/

Solution - Fix & Patch:
=======================
1.1
The file include web vulnerability can be patched by a secure filter mechanism and exception-handlign to prevent code execution via
filename value.

1.2
Restrict and filter the filename input value in the upload POST method request to ensure the right format is attached.
Restrict the image file access right to view only ;)

Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as critical because of the location in the main filename value.

1.2
The security risk of the arbitrary file upload web vulnerability and restricted upload bypass bug is estimated high.

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm (at) evolution-sec (dot) com [email concealed]) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus