Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability

2015-09-22 Thread Vulnerability Lab
Document Title:
===============
Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1597


Release Date:
=============
2015-09-21


Vulnerability Laboratory ID (VL-ID):
====================================
1597


Common Vulnerability Scoring System:
====================================
8.7


Product & Service Introduction:
===============================
Turn your iPhone, iPod touch, and iPad into a wireless disk. Share your files 
and photos over network, no USB cable or extra software required.

(Copy of the Vendor Homepage: 
https://itunes.apple.com/tr/app/air-drive-plus-your-file-manager/id422806570 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an arbitrary file upload 
web vulnerability in the official Photo Transfer 2 - v1.0 iOS mobile 
web-application.


Vulnerability Disclosure Timeline:
==================================
2015-09-21: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Y.K. YING
Product: Air Drive Plus - iOS Mobile (Web-Application) 2.4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official 
Air Drive Plus v2.4 iOS web-application.
The vulnerability allows remote attackers to upload files whose names carry 
local file/path references or system-specific path components, without 
authorization, in order to compromise the mobile web-application.

The web vulnerability is located in the `filename` value of the `Upload` 
module. Remote attackers are able to upload their own files with malicious 
`filename` values in the `Upload` POST request to compromise the mobile 
web-application. The local file/path include executes in the index file 
directory listing and in the sub-folders of the wifi interface. The attacker 
can inject the LFI payload through the wifi interface or the local file sync 
function.

Attackers are also able to combine the filename issue with persistently 
injected script code to execute further malicious requests. The attack vector 
is located on the application side of the wifi service and the request method 
used to inject is POST.

The security risk of the local file include vulnerability is estimated as high 
with a CVSS (Common Vulnerability Scoring System) count of 8.7. Exploitation of 
the arbitrary file upload web vulnerability requires no user interaction and no 
privileged web-application user account. Successful exploitation of the 
arbitrary file upload vulnerability results in compromise of the mobile 
application or of connected device components.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] Upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Dir Listing 
(http://localhost:8000/)


Proof of Concept (PoC):
=======================
The arbitrary file upload web vulnerability can be exploited by remote 
attackers without a privileged web-application user account or user 
interaction. For security demonstration or to reproduce the vulnerability, 
follow the provided information and steps below.

PoC Payload(s):
http://localhost:8000/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD 
VULNERABILITY VIA FILENAME!]%20src=a%3E2.png


PoC: Source (Upload File)
...68-2.png   24,27KB   2015-09-11 13:13:25   Delete
2.png         538,00B   2015-09-11 13:17:21   Delete


--- PoC Session Logs [POST] ---
Status: pending[]
POST http://localhost:8000/AirDriveAction_file_add Load Flags[LOAD_DOCUMENT_URI 
 LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[unknown] Mime Type[unknown]
   Request Header:
  Host[localhost:8000:8000]
  User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 
Firefox/40.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[de,en-US;q=0.7,en;q=0.3]
  Accept-Encoding[gzip, deflate]
  Referer[http://localhost:8000/index_files.html]
   POST-Daten:
  POST_DATA[-52852184124488
Content-Disposition: form-data; name="uploadfile"; filename="
2.png"
Content-Type: image/png

Status: 200[OK] 
GET http://localhost:8000/a[ARBITRARY FILE UPLOAD VULNERABILITY!] Load 
Flags[LOAD_DOCUMENT_URI  ] Größe des Inhalts[unknown] Mime Type[unknown]
   Request Header:
  Host[localhost:8000]
  User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 
Firefox/40.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[de,en-US;q=0.7,en;q=0.3]
  Accept-Encoding[gzip,

Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability

2013-07-10 Thread Vulnerability Lab
Title:
======
Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability


Date:
=====
2013-07-09


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1000


VL-ID:
======
1000


Common Vulnerability Scoring System:
====================================
6.7


Introduction:
=============
Turn your iPhone, iPod touch, and iPad into a wireless disk. Share your files 
and photos over network, no USB cable or 
extra software required. Features ...

[Server] function
Easily access your files from any web browser.
Easily upload and download your photo from photo libraries via web browser.

[My Files] function
Preview/Move/Copy/Delete/Unzip/Rename/Email file and Create new directory on 
your iPhone, iPod touch & iPad.

Image: png, jpg, gif
Document: Word, PowerPoint, Excel, PDF
Compressed: zip
Text-base: txt, html, php, js, css
Media: mp3, wav, mp4, mov

Save Word, PowerPoint, Excel and PDF files from other apps to Air Drive, 
including Apple’s Email app and Safari.
Open all types of files from Air Drive in other apps such as Dropbox.

[Settings] function
Add Password to prevent unauthorized access to your files.
Customize the server port and switch the sharing functions on/off in real 
time; changes take effect immediately to restrict access from web browsers.

(Copy of the Homepage: 
https://itunes.apple.com/de/app/air-drive-plus-your-file-manager/id422806570 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a remote file include 
vulnerability in the Air Drive Plus 2.4 application (Apple iOS - iPad & iPhone).


Report-Timeline:
================
2013-07-09: Public Disclosure (Vulnerability Laboratory)


Status:
=======
Published


Affected Products:
==================
Apple AppStore
Product: Air Drive Plus 2.4


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
A local file include and arbitrary file upload web vulnerability has been 
detected in the Air Drive Plus 2.4 application (Apple iOS - iPad & iPhone).
The vulnerability allows remote attackers to upload files with multiple 
extensions via the POST method and then access them without authorization on 
the application side of the service.

The vulnerability is located in the file upload/add (AirDriveAction_file_add) 
module of the web server (http://localhost:8000/) when it processes a request 
carrying a manipulated filename via POST. The injected file is then accessible 
via the index listing module of the application.

Remote attackers can replace the filename with a double or triple extension 
via the POST method to bypass the upload validation and filter process. 
After the upload the attacker accesses the file under one extension and then 
switches to another one to execute, for example, PHP code.

A persistent script code injection has been detected in the filename parameter. 
Attackers can tamper with the request and replace the file name with 
persistent malicious script code or tags. The code is executed in the main 
index site when the object (file) items are listed.
Attackers are also able to inject persistent code with local frame requests to 
gain unauthorized access to application data/apps or restricted application 
information. The persistent code also executes when an application user 
deletes the malicious item: the injected code is stored and is executed from 
the delete notification and protection message.

Exploitation of the vulnerability requires no user interaction and no 
privileged application user account (no password is set by default).
Successful exploitation of the vulnerability results in unauthorized path or 
file access via local file include or arbitrary file upload.
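The following is an added illustration, not the vendor's code, of the checks the upload handler and index listing described in both advisories above would need: it reduces the multipart `filename` value to a single safe basename (rejecting path components, multiple extensions and HTML/JS metacharacters), confines the destination to the upload directory, and escapes the name when rendering the listing row and its delete link. The function names and the extension allow-list are assumptions for the example.

```python
import html
import json
import os
import posixpath
import re

# Extension allow-list for stored uploads (constructed for this example).
ALLOWED_EXT = {"png", "jpg", "gif", "txt", "pdf", "zip", "mp3", "mp4", "mov"}
# Base name plus at most one extension; no leading dot, separators, < > " ' ; =.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]*(\.[A-Za-z0-9]+)?")

class RejectedFilename(ValueError):
    """Raised when a multipart 'filename' value fails validation."""

def sanitize_upload_name(filename: str) -> str:
    """Reduce a client-supplied filename to a safe basename, or raise."""
    # Treat both separators as path separators and keep only the last
    # component, so "../private/var/mobile/x.png" reduces to "x.png".
    name = posixpath.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.fullmatch(name):
        # Also rejects '', '.', '..' and 1337.png.gif.php.js.html-style names.
        raise RejectedFilename(f"disallowed filename: {filename!r}")
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        raise RejectedFilename(f"extension not allowed: {filename!r}")
    return name

def is_safe_upload_name(filename: str) -> bool:
    """Verdict-only wrapper around sanitize_upload_name."""
    try:
        sanitize_upload_name(filename)
    except RejectedFilename:
        return False
    return True

def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Destination path for the upload, confined to upload_dir."""
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, sanitize_upload_name(filename)))
    if os.path.commonpath([root, dest]) != root:
        raise RejectedFilename("path escapes upload directory")
    return dest

def listing_row(name: str, size: str) -> str:
    """Listing row; name escaped for HTML text/href and for the JS delete arg."""
    shown = html.escape(name, quote=True)
    js_arg = html.escape(json.dumps(name), quote=True)
    return (f'<tr><td><a href="/AirDriveAction_file_show/{shown}">{shown}</a></td>'
            f'<td>{html.escape(size)}</td>'
            f'<td><a onclick="delfile({js_arg});">Delete</a></td></tr>')
```

In production the href value should additionally be percent-encoded (urllib.parse.quote) so that spaces and other reserved characters in accepted names are handled by URL rules rather than HTML rules alone.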

Vulnerable Application(s):
[+] Air Drive Plus 2.4 - iTunes or AppStore (Apple)

Vulnerable Module(s):
[+] File Upload  (Web Server) [Remote]

Vulnerable File(s):
[+] AirDriveAction_file_add

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Application Index Listing 
(http://localhost:8000/)


Proof of Concept:
=================
The arbitrary file upload vulnerability can be exploited by remote attackers 
without a privileged application user account and also without user 
interaction. For demonstration or to reproduce ...

1.1
trtdimg src=Air%20Drive%20-%20Files_files/file.png height=20px 
width=20px/tdtda target=_blank 
href=http://192.168.2.104:8000/AirDriveAction_file_show/;/private/var/mobile/Applications;;/private/var/mobile/Applications//a/td
td27,27KB/tdtd align=center2013-07-08 23:07:52/tdtd align=center
a onclick=javascript:delfile(/private/var/mobile/Applications); 
class=transparent_buttonDelete/a/td/tr

1.2
trtdimg src=Air%20Drive%20-%20Files_files/file.png height=20px 
width=20px/tdtda target=_blank 
href=http://192.168.2.104:8000/AirDriveAction_file_show/1337.png.gif.php.js.html;1337