Document Title:
===============
Photo Transfer Wifi 1.4.4 iOS - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1153


Release Date:
=============
2013-12-02


Vulnerability Laboratory ID (VL-ID):
====================================
1153


Common Vulnerability Scoring System:
====================================
9.1


Product & Service Introduction:
===============================
The Photo Transfer WiFi app is a straightforward and effortless way to transfer 
your photos and videos between iPhones, iPads and computers. Forget about the 
hassle of transferring your media via iTunes or iCloud. Features:

   -     Send photos and videos from iPhone or iPod Touch to another iPhone with a simple drag and drop
   -     Transfer media from your PC or Mac to iPhone or iPod Touch
   -     Download photos and videos to your computer from iPhone, iPod Touch, iPad and iPad Mini
   -     Copy photos and videos from computer to iPad or iPad Mini
   -     Import HD videos to iPad or iPad Mini from iPhone
   -     Exchange photos and videos between iPads over your local WiFi network
   -     Make your pictures accessible from your iPhone or iPod Touch to other users on the same WiFi network
   -     Share your media files on iPad or iPad Mini
   -     Browse photos and videos shared on iDevices from any PC or Mac
   -     Download shared media to your computer
   -     Receive photos and videos on iPhone or iPod Touch from iPad
   -     Preview shared photos and videos in any browser
   -     Use a browser to download shared photos and videos from iDevices
   -     Send photos and videos from any browser to your iPhone or iPad

(Copy of the Homepage: 
https://itunes.apple.com/en/app/photo-transfer-wifi-quickly/id674978018 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web 
vulnerabilities in the Photo Transfer WiFi v1.4.4 app for Apple iOS.


Vulnerability Disclosure Timeline:
==================================
2013-12-02:    Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Simplex Solutions Inc
Product: Photo Transfer WiFi 1.4.4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
1.1
Two local command/path injection web vulnerabilities have been discovered in the 
Simplex Solutions Inc Photo Transfer WiFi v1.4.4 app for Apple iOS.
The vulnerability allows an attacker to inject local commands or path requests 
through a system value that the app's web interface renders unencoded, and so 
to compromise the mobile iOS application.

The vulnerability is located in the device name value of the index and 
sub-category list modules. A local attacker can set the iOS device name to 
contain markup or script code. The app's embedded web server then renders the 
injected value, with a persistent attack vector, in two different places. The 
first is the login page of the WiFi app web interface, where the connecting 
device is listed. The second is the `smallheader` section of the interface 
shown after login. In both places the device name lands verbatim inside the 
page HTML (see the PoC below), so whatever markup it carries becomes part of 
the page. The security risk of the command/path injection vulnerabilities is 
estimated as high(+) with a CVSS (Common Vulnerability Scoring System) count of 
7.2(+)|(-)7.3.

Exploitation of the command/path injection vulnerability requires a local 
low-privileged iOS device account with restricted access and no direct user 
interaction. Successful exploitation of the vulnerability results in 
unauthorized execution of system-specific commands or unauthorized path 
requests.

Vulnerable Application(s):
                                [+] Photo Transfer Wifi v1.4.4

Vulnerable Parameter(s):
                                [+] devicename

Affected Module(s):
                                [+] Login - Device Name
                                [+] Index - Device Name



1.2
A persistent input validation web vulnerability has been discovered in the 
Simplex Solutions Inc Photo Transfer WiFi v1.4.4 app for Apple iOS.
The input validation vulnerability allows remote attackers to inject their own 
malicious script code through a persistent (application-side) attack vector.

The persistent input validation vulnerability is located in the album name 
value of the mobile application. Remote attackers and local low-privileged 
users can inject persistent malicious script code as an album name. It 
executes in the main index album name list and in the sub-category list. 
Because albums are exchanged between devices, a remote attacker can exploit 
the issue with low user interaction through an album sync. 
The security risk of the persistent vulnerability is estimated as medium(+) 
with a CVSS (Common Vulnerability Scoring System) count of 4.6(+).

Exploitation of the persistent web vulnerability requires either no account or 
a local low-privileged mobile application account, and low user interaction. 
Successful exploitation of the vulnerability can lead to persistent session 
hijacking (of customers), account theft via persistent web attacks, 
persistent phishing, or persistent manipulation of the module context.


Vulnerable Application(s):
                                [+] Photo Transfer Wifi v1.4.4

Vulnerable Parameter(s):
                                [+] albumname

Affected Module(s):
                                [+] Index - Album Name List


Proof of Concept (PoC):
=======================
1.1
The local command/path injection web vulnerability in the devicename value can 
be exploited by local low-privileged or restricted device user accounts 
without user interaction. For a security demonstration, or to reproduce the 
command/path injection in the mobile app, follow the information and steps 
below.


Manual steps to exploit the vulnerability ...

1.  Install the Photo Transfer WiFi iOS mobile application.
2.  Open the iOS Settings app and go to the About (Info) screen with the device 
    name input.
3.  Enter your name followed by the payload that executes an app command or 
    requests a local device path (">%20<x src=\..\<../var/mobile/Library/[APP PATH]/">).
4.  Save the input and open the Photo Transfer WiFi app.
Note: After startup the app's embedded web server is available.
5.  Open the web interface of the mobile application in a browser 
    (http://localhost:8080).
6.  The first execution occurs in the login error message, which displays the 
    devicename value.
7.  This reproduces the first vulnerability; now for the second issue with the 
    devicename after login.
8.  Remove the payload from the device name in the iOS settings, save, and open 
    the service again via an HTTP request to the web server.
9.  Log in to the interface with the default username.
10. The command or path request executes after login in the devicename value.
11. This reproduces the second vulnerability.


PoC: Login > devicepreview - devicename

  <div class="errormessage">
            Invalid password. Try again!
        </div>
        <div class="youconnect">
            You are now connecting to
        </div>
        <div class="devicepreview">
            <div class="devicepreviewInternal">
                <p class="devicename">
                device bkm>"<<>"<x src="login_incorrect_files/">%20<x src=\..\<../var/mobile/Library/[APP PATH]/">
                </p>
                <div class='deviceico'>
                    <img src="/devices_ico/iPadB.png">
                </div>
            </div>
        </div>
        
        <form method="POST" action="/login">
            <div class='forminputs'>
                <input type="password" name="password" class='passinput' 
placeholder='Enter Password' id="login_input">
                <input type="submit" value="Connect" class='passsubmit'>
            </div>
        </form>

Note: The injected command or path request executes in the login and error 
message module.



PoC: Index - smallheader > devicename

   <body>
        
        <div class="smallheader">
            <img src="web/logo_small.png" style="float:left">
                <div class="devicepreview" style="float:right">
                    <div class="devicepreviewInternal">
                        <p class="devicename">
                        device bkm ">%20<x src=\..\<../var/mobile/Library/[APP PATH]/>
                        </p>
                        <div class="deviceico">
                            <img src="/devices_ico/iPadB.png">
                        </div>
                    </div>
                </div>
        </div>

Note: The second injection/execution is located after login in the 
`smallheader` class, where the devicename is visible.

Reference(s):
http://localhost:8080/



1.2
The persistent input validation web vulnerability can be exploited by remote 
attackers with a low-privileged web application user account 
and low user interaction. For a security demonstration, or to reproduce the 
vulnerability, follow the information and steps below.


Manual steps to reproduce the vulnerability ...

1. Install the Photo Transfer WiFi mobile app.
2. Open the iOS Photos app (default software).
3. Add a new album and inject your own script code (payload) into the album name.
4. Open the Photo Transfer WiFi mobile app.
5. Go to the local web server URL (http://localhost:8080).
Note: After login to the interface, the index displays an album name listing.
6. The script code executes, with a persistent attack vector, in the index 
   album name list context.
7. This reproduces the vulnerability.


PoC: Gallery > Album - albumtitle

<div class="albumtitle">
    <><[PERSISTENT INJECTED SCRIPT CODE IN ALBUM NAME VALUE VIA POST METHOD INJECT!]>
</div>
<div class="albumsize">
    3 Items
</div>
</a>
<div class="ziploaddiv">
    <a href="http://localhost:8080/gallery/album/?albumtitle=WallpapersHD&;album=assets-library%3A%2F%2Fgroup%2F%3Fid%3DC44B3062-3A67-4BFA-AF16-04CC8DE2CD29&partial=0" class="interceptme"></a>
    <a href="http://192.168.2.106:8080/gallery/zip_album/WallpapersHD.zip?album=assets-library%3A%2F%2Fgroup%2F%3Fid%3DC44B3062-3A67-4BFA-AF16-04CC8DE2CD29" class="zipload" target="_blank">
        <img src="localhost8080_files/download.png" class="ziploadimg" width="36px">
    </a>
    <div class="ziploadtext">
    </div>
</div>
</div>


Note: The issue can be exploited by local privileged user accounts through the 
iOS Photos app (default), or by a remote attacker via album-to-file sync. 
(interceptme!? ;)


Reference(s):
http://localhost:8080/gallery/album/?albumtitle=[ALBUM-NAME]


Solution - Fix & Patch:
=======================
1.1
The command/path injection web vulnerabilities can be patched by securely 
encoding and parsing the devicename value.
Encode the devicename before it is rendered in the login section and in the 
smallheader class.

1.2
The persistent input validation web vulnerability can be patched by securely 
parsing and encoding the album name value.
All GET requests carrying the value, and input arriving by sync, need to be 
filtered by a secure mechanism. Since the album name appears both as page text 
and inside the href of the album and zip links, it needs the encoding 
appropriate to each context (HTML entity encoding for the text, URL encoding 
inside the links).
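The following is an added example, not code from the advisory or from the Photo Transfer WiFi app. It models the two templates the PoC sections show (the login page with the devicename, and the gallery index entry with the album name) in a vulnerable form that concatenates the value into the HTML, and in a fixed form that applies the encoder for each output context as the solution above describes. The sample device name, album name and templates are constructed for the example; the album id is the one visible in the PoC link. The `tags_introduced` check is the test a tester would run against the captured http://localhost:8080 responses: render the template once with an empty value and once with the marker, and any start tag that appears only in the second rendering was opened by user-controlled data.

```python
import collections
import html
import re
from urllib.parse import quote

# Constructed sample values (not taken from a real device): a device name that
# carries the advisory's style of payload, and an album name that carries a tag.
DEVICE_NAME = 'device bkm ">%20<x src=\\..\\<../var/mobile/Library/[APP PATH]/">'
ALBUM_NAME = 'WallpapersHD<img src=x onerror=alert(1)>'
ALBUM_ID = 'assets-library://group/?id=C44B3062-3A67-4BFA-AF16-04CC8DE2CD29'


def render_login_vulnerable(device_name):
    """Login page as the advisory shows it: the iOS device name is pasted into
    the HTML unencoded, so any markup inside it becomes part of the page."""
    return ('<div class="errormessage">Invalid password. Try again!</div>'
            '<div class="devicepreview"><p class="devicename">'
            + device_name + '</p></div>')


def render_login_fixed(device_name):
    """Same template; the value is entity-encoded for an element-content
    context, so '<', '>', '&' and quotes can no longer open a tag."""
    return ('<div class="errormessage">Invalid password. Try again!</div>'
            '<div class="devicepreview"><p class="devicename">'
            + html.escape(device_name, quote=True) + '</p></div>')


def render_album_vulnerable(album_name, album_id):
    """Gallery index entry as the advisory shows it: the album name is used as
    text and, again unencoded, as part of the zip download URL."""
    return ('<div class="albumtitle">' + album_name + '</div>'
            '<a href="/gallery/zip_album/' + album_name + '.zip?album='
            + album_id + '" class="zipload"></a>')


def render_album_fixed(album_name, album_id):
    """Each context gets the encoder for that context: percent-encoding for the
    URL path segment and the query value, then entity-encoding for the text
    node and for the whole href attribute value."""
    href = ('/gallery/zip_album/' + quote(album_name, safe='') + '.zip?album='
            + quote(album_id, safe=''))
    return ('<div class="albumtitle">' + html.escape(album_name, quote=True)
            + '</div><a href="' + html.escape(href, quote=True)
            + '" class="zipload"></a>')


# Coarse start-tag scan: enough to tell whether a value became markup.
START_TAG = re.compile(r'<([a-zA-Z][a-zA-Z0-9]*)')


def tags_introduced(baseline_page, page):
    """Start-tag names in `page` beyond those in `baseline_page`, where the
    baseline is the same template rendered with an empty value. Any extra tag
    was opened by the user-controlled value, i.e. the value was rendered as
    markup rather than as text. An empty list means the value was encoded."""
    base = collections.Counter(START_TAG.findall(baseline_page))
    got = collections.Counter(START_TAG.findall(page))
    return sorted((got - base).elements())


if __name__ == '__main__':
    print('login, vulnerable :', tags_introduced(
        render_login_vulnerable(''), render_login_vulnerable(DEVICE_NAME)))
    print('login, fixed      :', tags_introduced(
        render_login_fixed(''), render_login_fixed(DEVICE_NAME)))
    print('album, vulnerable :', tags_introduced(
        render_album_vulnerable('', ALBUM_ID),
        render_album_vulnerable(ALBUM_NAME, ALBUM_ID)))
    print('album, fixed      :', tags_introduced(
        render_album_fixed('', ALBUM_ID),
        render_album_fixed(ALBUM_NAME, ALBUM_ID)))
```

The vulnerable login rendering introduces an `x` tag and the vulnerable album rendering introduces two `img` tags (one in the title, one inside the zip link), while both fixed renderings introduce none. Note that the fixed zip link encodes the album id to the same `assets-library%3A%2F%2Fgroup%2F%3Fid%3D...` form that already appears in the PoC href; the app's mistake is that the album name in the same link, and in the page text, did not get the same treatment.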


Security Risk:
==============
1.1
The security risk of the local command/path injection web vulnerabilities is 
estimated as high.

1.2
The security risk of the persistent album name web vulnerability is estimated 
as medium(+).



Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - www.evolution-sec.com
Contact:    ad...@vulnerability-lab.com         - resea...@vulnerability-lab.com               - ad...@evolution-sec.com
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com                   - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (ad...@vulnerability-lab.com or 
resea...@vulnerability-lab.com) to get a permission.

                                Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: resea...@vulnerability-lab.com

