iThought App Multiple Vulnerabilities

[Justin Klein Keane <justin () madirish net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Authors: James Davis <james.p.davis () outlook com>, Justin C. Klein Keane

Description of Vulnerability
- ----------------------------
iThoughtsHD brings mind mapping to the iPad. Based on the award
winning iThoughts for iPhone, iThoughtsHD has been designed
specifically for the iPad. iThoughtsHD will import and export mindmaps
to and from many of the most popular desktop mindmap applications such
as MyThoughts, Freemind, Freeplane, XMind, Novamind, MindManager,
MindView, ConceptDraw MINDMAP, MindGenius and iMindmap.
(http://www.ithoughts.co.uk)

iThoughtsHD contains a cross site scripting (XSS or arbitrary script
injection) vulnerability (CVE-2014-1826) because it fails to sanitize
the map names before display, specifically when using the WiFi browser
transfer feature.

iThoughtsHD contains a null byte injection (arbitrary file upload)
vulnerability (CVE-2014-1827) because it fails to sanitize file names
being uploaded through the web interface when the iThoughts web server
is turned on.

iThoughtsHD contains a denial if service vulnerability (CVE-2014-1828)
because it fails to limit the the size of the file when uploading
through the browser to the iThoughts web server. This could allow a
malicious user to fill up all available storage space on a device.

Systems affected
- ----------------
iThoughtsHD 4.19 was tested and shown to be vulnerable

Impact
- ------
Attackers can misuse the application through the web server by
performing an arbitrary script injection (XSS) attacks. Arbitrary
script injection could allow an attacker to execute malicious
JavaScript on browsers viewing the WiFi sharing files. Using the null
byte injection vulnerability will be able to upload files of any type
to the iThoughts web server, which bypasses the filters used to limit
what file types can be uploaded. The denial of service vulnerability
can be used to upload files of any size which could fill up device
storage preventing further uploads.

Mitigating factors
- ------------------
The iThoughts web server (wifi sharing) must be turned on for these
vulnerabilities to be exposed.  Wifi sharing spawns a web server on a
predictable port.

Proof of Concept
- ----------------
XSS Vulnerability:

1.  Install the iThoughtsHD app on your iPad
2.  Click the plus sign on the top bar to create a new app
3.  To perform a XSS attack upload a file with the name <iframe
src=javascript:alert('xss')>
4.  Once the map is created, click the sharing button on the top bar
in app and select "WiFi Transfer"
5.  This will turn on the iThoughts web server
6.  A link will then appear that you can enter into your computer browser
7.  Once you navigate to the page you will see a popup containing xss

Null Byte Injection and Arbitrary File Upload Vulnerability:

1.  Install the iThoughtsHD app on your iPad
2.  Click the sharing button on the top bar in the app and select
"WiFi Transfer"
3.  This will turn on the iThoughts web server
4.  A link will then appear that you can enter into your computer browser
5.  On your desktop create a file to perform the attack newmap.html%00.txt
6.  Once the file is created navigate to the iThoughts web server
7.  Click "Browse" and select the file you just created and upload it
to the web server
8.  A new map will then appear with the name newmap.html

CVE
- ---
The CVE identifiers CVE-2014-1826, CVE-2014-1827, CVE-2014-1828 have
been assigned to the issues detailed in this report.

Timeline
- --------
Vendor acknowledged receipt on 24 January 2014.  Subsequent contacts
were unresponsive or no fix timeline was proposed.

- -- 
Justin C. Klein Keane
http://www.MadIrish.net
This report published at http://www.madirish.net/559

The digital signature on this e-mail may be verified using
the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iPwEAQECAAYFAlMyvN8ACgkQkSlsbLsN1gDpdgb+OxbVHAC3f71I78+doYYidON9
jzfyXxI7GIhU71fe13nkGjdfXwYLwtEcgETeLRfns5gRhPufzbCS0Sl6z9iQH4NJ
Yc+dT9yPAwOZuRKvpsifSzDvHn9wyD7L1DN6z5ibnfGq1O2ngUCKrb+hZjzyBET9
NnGKZeM6EqbPRk0NGV9o5Pja0aWXe4SwQA6814u1w9UX5RA1Tx5Sr1G4tzcta4B9
f6fYzkn36mzkbx25tBObiyC/FCb8WUKvRgtpeERelVUl4MxImATMmm9NcKm8zr0+
NCDCKtIOVnqsPz+zV5A=
=avDU
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/