Full Disclosure mailing list archives
iThought App Multiple Vulnerabilities
From: Justin Klein Keane <justin () madirish net>
Date: Wed, 26 Mar 2014 07:41:19 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Authors: James Davis <james.p.davis () outlook com>, Justin C. Klein Keane Description of Vulnerability - ---------------------------- iThoughtsHD brings mind mapping to the iPad. Based on the award winning iThoughts for iPhone, iThoughtsHD has been designed specifically for the iPad. iThoughtsHD will import and export mindmaps to and from many of the most popular desktop mindmap applications such as MyThoughts, Freemind, Freeplane, XMind, Novamind, MindManager, MindView, ConceptDraw MINDMAP, MindGenius and iMindmap. (http://www.ithoughts.co.uk) iThoughtsHD contains a cross site scripting (XSS or arbitrary script injection) vulnerability (CVE-2014-1826) because it fails to sanitize the map names before display, specifically when using the WiFi browser transfer feature. iThoughtsHD contains a null byte injection (arbitrary file upload) vulnerability (CVE-2014-1827) because it fails to sanitize file names being uploaded through the web interface when the iThoughts web server is turned on. iThoughtsHD contains a denial if service vulnerability (CVE-2014-1828) because it fails to limit the the size of the file when uploading through the browser to the iThoughts web server. This could allow a malicious user to fill up all available storage space on a device. Systems affected - ---------------- iThoughtsHD 4.19 was tested and shown to be vulnerable Impact - ------ Attackers can misuse the application through the web server by performing an arbitrary script injection (XSS) attacks. Arbitrary script injection could allow an attacker to execute malicious JavaScript on browsers viewing the WiFi sharing files. Using the null byte injection vulnerability will be able to upload files of any type to the iThoughts web server, which bypasses the filters used to limit what file types can be uploaded. The denial of service vulnerability can be used to upload files of any size which could fill up device storage preventing further uploads. Mitigating factors - ------------------ The iThoughts web server (wifi sharing) must be turned on for these vulnerabilities to be exposed. Wifi sharing spawns a web server on a predictable port. Proof of Concept - ---------------- XSS Vulnerability: 1. Install the iThoughtsHD app on your iPad 2. Click the plus sign on the top bar to create a new app 3. To perform a XSS attack upload a file with the name <iframe src=javascript:alert('xss')> 4. Once the map is created, click the sharing button on the top bar in app and select "WiFi Transfer" 5. This will turn on the iThoughts web server 6. A link will then appear that you can enter into your computer browser 7. Once you navigate to the page you will see a popup containing xss Null Byte Injection and Arbitrary File Upload Vulnerability: 1. Install the iThoughtsHD app on your iPad 2. Click the sharing button on the top bar in the app and select "WiFi Transfer" 3. This will turn on the iThoughts web server 4. A link will then appear that you can enter into your computer browser 5. On your desktop create a file to perform the attack newmap.html%00.txt 6. Once the file is created navigate to the iThoughts web server 7. Click "Browse" and select the file you just created and upload it to the web server 8. A new map will then appear with the name newmap.html CVE - --- The CVE identifiers CVE-2014-1826, CVE-2014-1827, CVE-2014-1828 have been assigned to the issues detailed in this report. Timeline - -------- Vendor acknowledged receipt on 24 January 2014. Subsequent contacts were unresponsive or no fix timeline was proposed. - -- Justin C. Klein Keane http://www.MadIrish.net This report published at http://www.madirish.net/559 The digital signature on this e-mail may be verified using the public key at http://www.madirish.net/gpgkey -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iPwEAQECAAYFAlMyvN8ACgkQkSlsbLsN1gDpdgb+OxbVHAC3f71I78+doYYidON9 jzfyXxI7GIhU71fe13nkGjdfXwYLwtEcgETeLRfns5gRhPufzbCS0Sl6z9iQH4NJ Yc+dT9yPAwOZuRKvpsifSzDvHn9wyD7L1DN6z5ibnfGq1O2ngUCKrb+hZjzyBET9 NnGKZeM6EqbPRk0NGV9o5Pja0aWXe4SwQA6814u1w9UX5RA1Tx5Sr1G4tzcta4B9 f6fYzkn36mzkbx25tBObiyC/FCb8WUKvRgtpeERelVUl4MxImATMmm9NcKm8zr0+ NCDCKtIOVnqsPz+zV5A= =avDU -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- iThought App Multiple Vulnerabilities Justin Klein Keane (Mar 26)