Benjamin,

What is an androidios device account? Is that a typo? And does the default 
"mobile/alpine" user account suffice?

It isn't clear to me whether the iOS device needs to be jailbroken for this 
exploit to work. The 

--
Douglas Held
d...@douglasheld.net via dough...@gmail.com
Note: Sent from a device that occasionally respells and replaces words

> On 17 Jul 2015, at 10:08, fulldisclosure-requ...@seclists.org wrote:
> 
> 
> Message: 8
> Date: Fri, 17 Jul 2015 15:04:22 +0200
> From: Vulnerability Lab <resea...@vulnerability-lab.com>
> To: fulldisclosure@seclists.org
> Subject: [FD] UDID+ v2.5 iOS - Mail Command Inject Vulnerability
> Message-ID: <55a8fd56.1060...@vulnerability-lab.com>
> Content-Type: text/plain; charset=utf-8
> 
> Document Title:
> ===============
> UDID+ v2.5 iOS - Mail Command Inject Vulnerability
> 
> 
> References (Source):
> ====================
> http://www.vulnerability-lab.com/get_content.php?id=1542
> 
> 
> Release Date:
> =============
> 2015-07-06
> 
> 
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1542
> 
> 
> Common Vulnerability Scoring System:
> ====================================
> 5.7
> 
> 
> Product & Service Introduction:
> ===============================
> UDID+ is a simple tool that displays the Unique Device Identifier (UDID) and 
> other information of your iOS device. It works on iPod touches, 
> iPhones and iPads and allows you to either email the UDID to someone or to copy 
> it. The UDID is used by developers so they can add your device 
> to their Ad Hoc distribution profiles. This allows them to create a special 
> version of their apps that can be run on your device outside of 
> the normal App Store distribution channels. Ad Hoc distribution is perfect 
> for beta testing as well as for small in-house projects with a 
> limited distribution group of up to 100 devices.
> 
> (Copy of the Vendor Homepage: 
> https://itunes.apple.com/us/app/udid+/id385936840 )
> 
> 
> Abstract Advisory Information:
> ==============================
> The Vulnerability Laboratory Core Research Team discovered an 
> application-side command inject web vulnerability in the official UDID+ v2.5 
> iOS mobile web-application.
> 
> 
> Vulnerability Disclosure Timeline:
> ==================================
> 2015-07-06:    Public Disclosure (Vulnerability Laboratory)
> 
> 
> Discovery Status:
> =================
> Published
> 
> 
> Affected Product(s):
> ====================
> EMonster Inc.
> Product: UDID+ - iOS Mobile Web Application 2.5
> 
> 
> Exploitation Technique:
> =======================
> Local
> 
> 
> Severity Level:
> ===============
> Medium
> 
> 
> Technical Details & Description:
> ================================
> A local command inject web vulnerability has been discovered in the official 
> UDID+ v2.5 iOS mobile web-application.
> The vulnerability allows an attacker to inject malicious script code into the 
> application side of the vulnerable iOS mobile app.
> 
> The vulnerability is located in the device name value of the send-by-mail 
> function. Local attackers are able to 
> manipulate the name value of the device to compromise the mail function of 
> the UDID+ mobile app. The HTML encoding 
> is broken in the send-by-mail export function. Local attackers are able to 
> manipulate the device name id to compromise 
> the application-internal validation via send-by-email. The attack vector of 
> the vulnerability is server-side and the 
> injection point is the device name information settings.
> 
> The security risk of the local commandpath inject vulnerability is estimated 
> as medium with a CVSS (Common Vulnerability 
> Scoring System) count of 5.7. Exploitation of the commandpath inject 
> vulnerability requires a low privilege androidios 
> device account with restricted access and no user interaction. Successful 
> exploitation of the vulnerability results in 
> unauthorized execution of system-specific commands and unauthorized path 
> value requests to compromise the mobile iOS 
> application and connected device components.
> 
> Vulnerable Module(s)
>                [+] Device - Settings - Information
> 
> Vulnerable Parameter(s)
>                [+] device cell name (cid)
> 
> Affected Module(s)
>                [+] UDID+ - Mail
> 
> 
> Proof of Concept (PoC):
> =======================
> The application-side validation web vulnerability can be exploited by local 
> attackers with a low-privilege or restricted device user account and without 
> user interaction.
> For a security demonstration or to reproduce the vulnerability, follow the 
> provided information and steps below.
> 
> PoC: UDID+ Send Mail
> 
> <html><head><title>UDID+</title>
> <link rel="important stylesheet" 
> href="chrome://messagebody/skin/messageBody.css">
> </head><body>
> <table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1">
> <tr><td><b>Betreff: </b>UDID+</td></tr><tr><td><b>Von: </b>Benjamin Mejri 
> Kunz <vulnerability...@icloud.com></td></tr>
> <tr><td><b>Datum: </b>28.06.2015 20:49</td></tr></table><table border=0 
> cellspacing=0 cellpadding=0 width="100%" class="header-part2">
> <tr><td><b>An: </b>aki <b...@evolution-sec.com></td></tr></table><br>
> <html><head><meta http-equiv="content-type" content="text/html; 
> "></head><body dir="auto"><div>Here is my device information.<br><br>
> <b>UDID:</b> FFFFFFFFC63FF684821B430C91F7F41D4D8A2F3A<br>
> <b>Device Name:</b> bkm337>" src="cid:">%20<./[LOCAL FILE INCLUDE 
> VULNERABILITY VIA DEVICE CELL NAME VALUE!]
> <b>System Name:</b> iPhone OS<br />
> <b>System Version:</b> 8.3<br />
> <b>Platform:</b> iPad 3G WiFi<br />
> <b>Hardware Model:</b> P101AP<br />
> <b>Processors:</b> 2<br />
> <b>CPU Frequency:</b> 0 Hz<br />
> <b>Bus Frequency:</b> 0 Hz<br />
> <b>Physical Memory:</b> 1 GB<br />
> <b>Non-Kernel Memory:</b> 809,21 MB<br />
> <b>Model:</b> iPad<br />
> <b>Localized Model:</b> iPad<br />
> <b>Language:</b> de<br />
> <b>Locale:</b> de_DE<br />
> <b>Capacity:</b> 32 GB<br />
> <b>Formatted:</b> 27,19 GB<br />
> <b>Used:</b> 26,38 GB<br />
> <b>Free:</b> 825,48 MB<br />
> <b>Battery State:</b> Unplugged<br />
> <b>Battery Level:</b> 65 %<br />
> <b>Local IP:</b> 192.168.2.104<br />
> <b>MAC Address:</b> 02:00:00:00:00:00<br />
> <br />
> <a href="<a 
> href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=385936840";>http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware
> ?id=385936840</a>">Download</a> UDID+ for iPod touch, iPhone, iPad and iPad 
> mini.<br />
> <br />
> This email was sent using UDID+ version 2.5 by emonster k.k.<br />
> For more information please visit our website <a href='<a 
> href="http://www.emonster.com/'">http://www.emonster.com/'</a>>
> <a href="http://www.emonster.com";>www.emonster.com</a></a><br 
> /></iframe></div><div></div></body></html>
> </body>
> </html>
> 
> 
> Solution - Fix & Patch:
> =======================
> The vulnerability can be patched by securely parsing and encoding the 
> vulnerable device cell name output value.
> Restrict the input and disallow the use of special characters, in addition to 
> sending the data by mail to the user's own account.
> 
> 
> Security Risk:
> ==============
> The security risk of the local command inject web vulnerability in the UDID+ 
> app is estimated as medium. (CVSS 5.7)
> 
> 
> Credits & Authors:
> ==================
> Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
> (b...@evolution-sec.com) [www.vulnerability-lab.com]
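The fix the advisory calls for (encode the device cell name on output, and restrict the characters it may contain) as an added Python example; this is not code from the original post or from the UDID+ app. The mail template is a reduced version of the PoC body quoted above, the device name is the shape used in the PoC, and the allowlist pattern is an assumption about what a device name needs to contain.

```python
import html
import re

# Device name in the shape of the PoC above (constructed for this example):
# the quote and angle brackets are what let it close the open tag in the mail.
POC_DEVICE_NAME = (
    'bkm337>" src="cid:">%20<./[LOCAL FILE INCLUDE VULNERABILITY '
    'VIA DEVICE CELL NAME VALUE!]'
)

# Reduced form of the HTML mail body from the advisory; only the fields
# needed to show the injection point are kept.
MAIL_TEMPLATE = (
    '<div>Here is my device information.<br><br>'
    '<b>UDID:</b> {udid}<br>'
    '<b>Device Name:</b> {device_name}<br />'
    '<b>System Name:</b> {system_name}<br />'
    '</div>'
)


def build_mail_body_unsafe(udid, device_name, system_name="iPhone OS"):
    """Interpolates the device name verbatim: the pattern the advisory describes,
    where a name containing '"' and '>' breaks out of the surrounding markup."""
    return MAIL_TEMPLATE.format(
        udid=udid, device_name=device_name, system_name=system_name
    )


def build_mail_body(udid, device_name, system_name="iPhone OS"):
    """Hardened form: every device-controlled field is HTML-escaped on output,
    including quotes, so the value can never leave its text position."""
    return MAIL_TEMPLATE.format(
        udid=html.escape(udid, quote=True),
        device_name=html.escape(device_name, quote=True),
        system_name=html.escape(system_name, quote=True),
    )


# Second layer from the advisory's fix: refuse device names that contain
# characters with HTML meaning. The allowlist is an assumption for this example
# (word characters, space, dot, apostrophe, hyphen; 1-64 characters).
DEVICE_NAME_ALLOWED = re.compile(r"^[\w .'\-]{1,64}$")


def is_acceptable_device_name(name):
    """Input restriction: True only if the name matches the allowlist."""
    return bool(DEVICE_NAME_ALLOWED.match(name))


if __name__ == "__main__":
    udid = "FFFFFFFFC63FF684821B430C91F7F41D4D8A2F3A"  # UDID from the PoC
    print("unsafe:", build_mail_body_unsafe(udid, POC_DEVICE_NAME))
    print("escaped:", build_mail_body(udid, POC_DEVICE_NAME))
    print("name accepted:", is_acceptable_device_name(POC_DEVICE_NAME))
```

Output encoding is the fix that closes the hole regardless of what the device name contains; the allowlist is defence in depth and, on its own, would only be as good as the set of characters it happens to exclude.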

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/