Full Disclosure mailing list archives
Directory traversal in Eye-Fi Helper < 3.4.23
From: Paul Johnston <paul.johnston () pentest co uk>
Date: Fri, 04 Jan 2013 13:29:38 +0000
Directory traversal in Eye-Fi Helper < 3.4.23
=============================================

Author: Paul Johnston, paul.johnston () pentest co uk
Company: Pentest Ltd, http://www.pentest.co.uk/
Date: 3 Jan 2013
URL: http://www.pentest.co.uk/documents/ptl-2013-01.html
Software: Eye-Fi Helper < 3.4.23
Vendor: http://www.eye.fi/
CVE: CVE-2011-4696

Overview
--------

An Eye-Fi card is an SD card with integrated WiFi, which can automatically transfer photos to a computer over a wireless network. The Eye-Fi Helper software runs on a Windows computer and receives the images.

Pentest have identified a security vulnerability in this software that makes it possible for a hacker to take control of the Windows computer. The hacker does need access to the wireless network to exploit this, so the attack is relevant in a scenario like a cafe, where the network is shared. The protocol has additional protection when used with an open hotspot, which has not been investigated.

Correct operation of the Eye-Fi card requires the user to allow the port through their firewall. However, the exploit only works by tampering with a legitimate connection; the software cannot be attacked when not in active use.

Technical details
-----------------

When the card sends an image to the helper, it actually sends a tar file that contains the image and some optional supplemental information, such as geolocation data. The card passes a "filesignature" to the helper, which saves the tar file in a location like:

  C:\Documents and Settings\<user>\Local Settings\Application Data\Eye-Fi\spool\delivery\<mac address>\<filesignature>

However, the file signature is not checked for special characters, so it can be set to something like:

  ../../../../../../Start Menu/Programs/Startup/payload.exe

which will write it to:

  C:\Documents and Settings\<user>\Start Menu\Programs\Startup\payload.exe

In this case, the next time the computer is started, the payload will be executed.
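The path-handling flaw described above, as an added example that is not part of the advisory and not Eye-Fi's code: a Python sketch of the vulnerable "join the untrusted signature straight into the spool path" pattern beside a hardened version that allowlists each untrusted component and then verifies the normalised result still lies inside the per-card directory. The spool root, the MAC directory format, the hex-digest signature format, and the function names are all assumptions made for the example; the advisory does not state how the real Helper encodes either value.

```python
import os
import re

# Constructed sample spool root standing in for the Helper's delivery
# directory named in the advisory; the real one lives under the user profile.
SPOOL_ROOT = "/var/eyefi/spool/delivery"

# Assumed formats: the advisory does not say how the <mac address> directory
# or the "filesignature" is encoded, so these allowlists are assumptions.
MAC_RE = re.compile(r"[0-9a-f]{12}")
SIGNATURE_RE = re.compile(r"[0-9a-f]{8,64}")


class UnsafePathComponent(ValueError):
    """Raised when an untrusted path component fails validation."""


def naive_spool_path(spool_root, mac, filesignature):
    """The vulnerable pattern: untrusted input joined straight into the path.

    os.path.join follows '..' components and discards everything before an
    absolute component, so the resulting path can land anywhere on disk.
    """
    return os.path.normpath(os.path.join(spool_root, mac, filesignature))


def is_contained(base_dir, candidate):
    """Defence in depth: True only if candidate normalises to inside base_dir."""
    base = os.path.normpath(base_dir)
    target = os.path.normpath(candidate)
    return os.path.commonpath([base, target]) == base


def safe_spool_path(spool_root, mac, filesignature):
    """Hardened version: allowlist every untrusted component, then check containment."""
    # The allowlist is the primary control. It also keeps the check portable:
    # on POSIX, normpath does not treat '\\' as a separator, so a containment
    # check alone would not see a backslash-based traversal the way Windows does.
    if not MAC_RE.fullmatch(mac):
        raise UnsafePathComponent(f"bad mac directory name: {mac!r}")
    if not SIGNATURE_RE.fullmatch(filesignature):
        raise UnsafePathComponent(f"bad filesignature: {filesignature!r}")

    base = os.path.join(spool_root, mac)
    candidate = os.path.join(base, filesignature)
    if not is_contained(base, candidate):
        raise UnsafePathComponent("resolved path escapes the spool directory")
    return os.path.normpath(candidate)


if __name__ == "__main__":
    # The advisory's own example value, fed to both versions.
    traversal = "../../../../../../Start Menu/Programs/Startup/payload.exe"
    print("naive :", naive_spool_path(SPOOL_ROOT, "001122334455", traversal))
    try:
        safe_spool_path(SPOOL_ROOT, "001122334455", traversal)
    except UnsafePathComponent as exc:
        print("safe  : rejected ->", exc)
    print("safe  :", safe_spool_path(SPOOL_ROOT, "001122334455", "8f3c2a1b9e0d4c7f"))
```

The containment check is kept separate from the allowlist on purpose: the regex is what rejects the advisory's traversal string, while `is_contained` catches the cases an allowlist author forgets, such as an absolute second argument that makes `os.path.join` throw the spool root away entirely.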
Successful exploitation relies on some other weaknesses in the protocol that the card and helper use to communicate. These weaknesses make it possible to perform a man-in-the-middle attack and to tamper with the content of files. However, given the expected usage of the software, these weaknesses seem acceptable.

Exploit
-------

We have produced a video demonstration of the exploit in action:

  https://www.youtube.com/watch?v=vnBQCt7-f6k

The exploit script uses some interesting techniques, and is available on our web site:

  http://www.pentest.co.uk/documents/eyepwn.zip

Solution
--------

Eye-Fi have released an update to Eye-Fi Helper (version 3.4.23), which includes the fix. The release notes mention security improvements, but do not explicitly state that the update fixes a security flaw. Beta version 3.4.18a also includes the fix; this information may be particularly useful to scanning vendors.

--
Pentest - The Application Security Specialists
Paul Johnston - IT Security Consultant / Tiger SST
PenTest Limited - ISO 9001 (44/100/107029) / ISO 27001 (IS 558982)
Office: +44 (0) 161 233 0100 Mobile: +44 (0) 7817 219 072
Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK