Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

SeasonApps iTransfer 1.1 - Persistent UI Vulnerability

From: Vulnerability Lab <research () vulnerability-lab com>
Date: Fri, 07 Nov 2014 14:30:23 +0100
Document Title:
===============
SeasonApps iTransfer 1.1 - Persistent UI Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1347


Release Date:
=============
2014-10-27


Vulnerability Laboratory ID (VL-ID):
====================================
1347


Common Vulnerability Scoring System:
====================================
2.5


Product & Service Introduction:
===============================
Do you want to access your PhotoLibrary`s file on the website? Do you want to transfer files from PC to iDevice easily 
and 
read or send them every where? So the iTransfer will give all these to you.

1. You can get all photos and videos in the Photo Library of your device.
2. Wifi Sharing! These make our life more easy, Isn`t it?
3.A file box for you that you can store and get files on the document dictionary of the App. also you can manage the 
files via Wifi Sharing !
4. Supper File Manager, you can open files with document format as pdf,doc,ppt,txt,rtf,png,jpg… and media format as 
mp3,mp4 and so on.
5.Zip and Unzip which will make you manage your local files early.
6.You can share the files to your friend with email.
7. You can access the files on this app via USB and iTunes.
8.Support for iOS7
9.Add upload feature to Library sharing, you can upload image to your photo library now.
10.Add file manage feature to the Local Sharing, just like create dictionary and delete files(dictionary)
11.Add Authentication feature to he sharing feature, you can safe browse your sharing right now!
12.Add feedback feature, please give us your advice or your bug to us. thanks! 

(Copy of the Homepage: https://itunes.apple.com/us/app/itransferpro-transfer-photos/id777151284 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official 
iTransferPro v1.1 iOS mobile application.


Vulnerability Disclosure Timeline:
==================================
2014-10-27:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
SeasonApps iTransfer
Product: iTransfer - iOS Mobile Web Application (Wifi) 1.1


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official SeasonApps iTransferPro v1.1 
iOS mobile application.
The vulnerability allows a local attacker to inject own script code as payload to the application-side of the 
vulnerable service function or module.

The vulnerability is located in the albumname value. Local attackers with low privileged device user accounts are able 
to manipulate the albumname 
values by usage of the wifi sync function in the `Share Photo Library` module. The attack vector is persistent on the 
application-side and the request 
method to inject is a app sync. The issue allows to stream persistent malicious script codes to the front site of the 
wifi photo library interface.

The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability 
scoring system) count of 2.5.
Exploitation of the application-side web vulnerability requires a low privileged web-application user account and low 
or medium user interaction.
Successful exploitation of the vulnerabilities result in persistent phishing mails, session hijacking, persistent 
external redirect to malicious 
sources and application-side manipulation of affected or connected module context.

Request Method(s):
                                        [+] Sync

Vulnerable Module(s):
                                        [+] Share Photo Library

Vulnerable Parameter(s):
                                        [+] items - group (albumname)

Affected Module(s):
                                        [+] Wifi Interface - Share Photo Library Index (http://localhost:8888/)


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by local attackers with low privileged device user 
account and low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below 
to continue.

PoC: Wifi Interface - Share Photo Library Index (http://localhost:8888/)

<html><head><meta name="viewport" content="width=device-width, initial-scale=1.0" 
http-equiv="Content-Type"><title>iTransfer</title><style>html 
{background-color:#eeeeee} body { background-color:#FFFFFF; font-family:Tahoma,Arial,Helvetica,sans-serif; 
font-size:18x; margin-left:5%; 
margin-right:5%; border:3px groove #006600; padding:15px; } </style></head><body><h2>Enjoy  iTransfer</h2>
<bq>You Can Access Files of your Photo Library Now :)</bq><script type="text/javascript" src="/jquery.js"></script>     
    
<script type="text/javascript" src="/fileuploader.js"></script>         <link href="fileuploader.css" rel="stylesheet" 
type="text/css"><p></p><div id="file-uploader-div"><div class="qq-uploader"><div style="display: none;" 
class="qq-upload-drop-area">
<span>drop files here to upload</span></div><div style="position: relative; overflow: hidden; direction: ltr;" 
class="qq-upload-button">upload a file
<input style="position: absolute; right: 0px; top: 0px; font-family: Arial; font-size: 118px; margin: 0px; padding: 
0px; cursor: pointer; opacity: 0;" 
name="file" multiple="multiple" type="file"></div><ul class="qq-upload-list"></ul></div></div><p></p><script 
language="javascript">                             
$(function(){                               var uploader = new qq.FileUploader({                               
element:document.getElementById("file-uploader-div"),                              
 action: "/",                               
debug: false,                               
allowedExtensions: ["jpg","png","JPG","PNG","bmp","BMP"],                               
template: '<div class="qq-uploader">' +                                
'<div class="qq-upload-drop-area"><span>drop files here to upload</span></div>' +                               
'<div class="qq-upload-button">upload a file</div>' +                               
'<ul class="qq-upload-list"></ul>' +                                '</div>',                               });         
                      });
</script><br><label color="red"><font size="2" color="red">(Notice: The pictures you upload will appear when you share 
the photo library next time)</font></label>
<br><link href="/bootstrap.css" rel="stylesheet">         <script src="/bootstrap.min.js"></script><h3>All 
Groups</h3><ul class="thumbnails"><li class="span2">
<div class="thumbnail" style="text-align: center;">
<a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
<img src="7BADE58E-C286-43D8-8CE2-4415C4DF35CA.png" height="150" width="150">
<span stype="white-space: nowrap;">>>"<[PERSISTENT INJECTED SCRIPT CODE EXECUTION!] 1items</span></a></div>
<a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
</a></li><li class="span2"><a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
</a><div class="thumbnail" style="text-align: center;"><a target="_blank" 
href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
</a><a target="_blank" href="/group/F8F7120B-9058-4B64-B6EF-59DB570F8872">
<img src="F8F7120B-9058-4B64-B6EF-59DB570F8872.png" height="150" width="150">
<span stype="white-space: nowrap;">Photos 3items</span>
</a></div><a target="_blank" href="/group/F8F7120B-9058-4B64-B6EF-59DB570F8872">
</a></li></ul></body></html>


Reference(s):
http://localhost:8888/
http://localhost:8888/group/


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction of the foldername/albumname input fields.
Encode the input and parse the output of the name values in the wifi interface to prevent persistent script code 
executions.


Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the wifi interface is estimated as 
medium(-). (CVSS 2.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or 
its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special 
damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody 
to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - 
www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com                     - admin () 
evolution-sec com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - 
evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit 
our material contact 
(admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com

COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com
Previous By Date Next
Previous By Thread Next

Current thread: