UDID+ v2.5 iOS - Mail Command Inject Vulnerability

[Douglas Held <dougheld () gmail com>]

Benjamin,

What is an androidios device account? Is that a typo? And does the default "mobile/alpine" user account suffice?

It isn't clear to me whether the iOS device needs to be jailbroken for this exploit to work. The 

--
Douglas Held
doug () douglasheld net via dougheld () gmail com
Note: Sent from a device that occasionally respells and replaces words

> On 17 Jul 2015, at 10:08, fulldisclosure-request () seclists org wrote:
>
>
> Message: 8
> Date: Fri, 17 Jul 2015 15:04:22 +0200
> From: Vulnerability Lab <research () vulnerability-lab com>
> To: fulldisclosure () seclists org
> Subject: [FD] UDID+ v2.5 iOS - Mail Command Inject Vulnerability
> Message-ID: <55A8FD56.1060202 () vulnerability-lab com>
> Content-Type: text/plain; charset=utf-8
>
> Document Title:
> ===============
> UDID+ v2.5 iOS - Mail Command Inject Vulnerability
>
>
> References (Source):
> ====================
> http://www.vulnerability-lab.com/get_content.php?id=1542
>
>
> Release Date:
> =============
> 2015-07-06
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1542
>
>
> Common Vulnerability Scoring System:
> ====================================
> 5.7
>
>
> Product & Service Introduction:
> ===============================
> UDID+ is a simple tool that displays the Unique Device Identifier (UDID) and other information of your iOS device. It 
> works on iPod touches, 
> iPhones and iPads allows you to either email the UDID to someone, or to copy it. The UDID is used by developers so 
> they can add your device 
> to their Ad Hoc distribution profiles. This allows them to create a special version of their apps that can be run on 
> your device outside of 
> the normal App Store distribution channels. Ad Hoc distribution is perfect for beta testing as well as for small 
> in-house projects with an 
> limited distribution group, of up to 100 devices.
>
> (Copy of the Vendor Homepage: https://itunes.apple.com/us/app/udid+/id385936840 )
>
>
> Abstract Advisory Information:
> ==============================
> The Vulnerability Laboratory Core Research Team discovered an application-side command inject web vulnerability in 
> the official UDID+ v2.5 iOS mobile web-application.
>
>
> Vulnerability Disclosure Timeline:
> ==================================
> 2015-07-06:    Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Affected Product(s):
> ====================
> EMonster Inc.
> Product: UDID+ - iOS Mobile Web Application 2.5
>
>
> Exploitation Technique:
> =======================
> Local
>
>
> Severity Level:
> ===============
> Medium
>
>
> Technical Details & Description:
> ================================
> A local command inject web vulnerability has been discovered in the official UDID+ v2.5 iOS mobile web-application.
> The vulnerability allows to inject malicious script codes to the application-side of the vulnerable iOS mobile app.
>
> The vulnerability is located in the device name value of the send by mail function. Local attackers are able to 
> manipulate the name value of the device to compromise the mail function of the udid+ mobile app. The html encoding 
> is broken in the send by mail export function. Local attackers are able to manipulate the device name id to 
> compromise 
> the application internal validation via send by email. The attack vector of the vulnerability is server-side and the 
> injection point is the device name information settings.
>
> The security risk of the local commandpath inject vulnerability is estimated as medium with a cvss (common 
> vulnerability 
> scoring system) count of 5.7. Exploitation of the commandpath inject vulnerability requires a low privilege 
> androidios 
> device account with restricted access and no user interaction. Successful exploitation of the vulnerability results 
> in 
> unauthorized execution of system specific commands and unauthorized path value requests to compromise the mobile iOS 
> application and connected device components.
>
> Vulnerable Module(s)
>                [+] Device - Settings - Information
>
> Vulnerable Parameter(s)
>                [+] device cell name (cid)
>
> Affected Module(s)
>                [+] UDID+ - Mail
>
>
> Proof of Concept (PoC):
> =======================
> The application-side validation web vulnerability can be exploited by local attackers with low privilege or 
> restricted device user account and without user interaction.
> For security demonstration or to reproduce the vulnerability follow the provided information and steps below to 
> continue.
>
> PoC: UDID+ Send Mail
>
> <html><head><title>UDID+</title>
> <link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
> </head><body>
> <table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1">
> <tr><td><b>Betreff: </b>UDID+</td></tr><tr><td><b>Von: </b>Benjamin Mejri Kunz <vulnerabilitylab () icloud 
> com></td></tr>
> <tr><td><b>Datum: </b>28.06.2015 20:49</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" 
> class="header-part2">
> <tr><td><b>An: </b>aki <bkm () evolution-sec com></td></tr></table><br>
> <html><head><meta http-equiv="content-type" content="text/html; "></head><body dir="auto"><div>Here is my device 
> information.<br><br>
> <b>UDID:</b> FFFFFFFFC63FF684821B430C91F7F41D4D8A2F3A<br>
> <b>Device Name:</b> bkm337>" src="cid:">%20<./[LOCAL FILE INCLUDE VULNERABILITY VIA DEVICE CELL NAME VALUE!]
> <b>System Name:</b> iPhone OS<br />
> <b>System Version:</b> 8.3<br />
> <b>Platform:</b> iPad 3G WiFi<br />
> <b>Hardware Model:</b> P101AP<br />
> <b>Processors:</b> 2<br />
> <b>CPU Frequency:</b> 0 Hz<br />
> <b>Bus Frequency:</b> 0 Hz<br />
> <b>Physical Memory:</b> 1 GB<br />
> <b>Non-Kernel Memory:</b> 809,21 MB<br />
> <b>Model:</b> iPad<br />
> <b>Localized Model:</b> iPad<br />
> <b>Language:</b> de<br />
> <b>Locale:</b> de_DE<br />
> <b>Capacity:</b> 32 GB<br />
> <b>Formatted:</b> 27,19 GB<br />
> <b>Used:</b> 26,38 GB<br />
> <b>Free:</b> 825,48 MB<br />
> <b>Battery State:</b> Unplugged<br />
> <b>Battery Level:</b> 65 %<br />
> <b>Local IP:</b> 192.168.2.104<br />
> <b>MAC Address:</b> 02:00:00:00:00:00<br />
> <br />
> <a href="<a 
> href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=385936840";>http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware
> ?id=385936840</a>">Download</a> UDID+ for iPod touch, iPhone, iPad and iPad mini.<br />
> <br />
> This email was sent using UDID+ version 2.5 by emonster k.k.<br />
> For more information please visit our website <a href='<a 
> href="http://www.emonster.com/'";>http://www.emonster.com/&apos;</a>>
> <a href="http://www.emonster.com";>www.emonster.com</a></a><br /></iframe></div><div></div></body></html>
> </body>
> </html>
>
>
> Solution - Fix & Patch:
> =======================
> The vulnerability can be patched by a secure parse and encode of the vulnerable device cell name output value.
> Restrict the input and disallow usage of special chars next to sending the data by mail to the own account.
>
>
> Security Risk:
> ==============
> The security risk of the local command inject web vulnerability in the UDID+ app is estimated as medium. (CVSS 5.7)
>
>
> Credits & Authors:
> ==================
> Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/