Document Title: =============== SeasonApps iTransfer 1.1 - Persistent UI Vulnerability
References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1347 Release Date: ============= 2014-10-27 Vulnerability Laboratory ID (VL-ID): ==================================== 1347 Common Vulnerability Scoring System: ==================================== 2.5 Product & Service Introduction: =============================== Do you want to access your PhotoLibrary`s file on the website? Do you want to transfer files from PC to iDevice easily and read or send them every where? So the iTransfer will give all these to you. 1. You can get all photos and videos in the Photo Library of your device. 2. Wifi Sharing! These make our life more easy, Isn`t it? 3.A file box for you that you can store and get files on the document dictionary of the App. also you can manage the files via Wifi Sharing ! 4. Supper File Manager, you can open files with document format as pdf,doc,ppt,txt,rtf,png,jpg… and media format as mp3,mp4 and so on. 5.Zip and Unzip which will make you manage your local files early. 6.You can share the files to your friend with email. 7. You can access the files on this app via USB and iTunes. 8.Support for iOS7 9.Add upload feature to Library sharing, you can upload image to your photo library now. 10.Add file manage feature to the Local Sharing, just like create dictionary and delete files(dictionary) 11.Add Authentication feature to he sharing feature, you can safe browse your sharing right now! 12.Add feedback feature, please give us your advice or your bug to us. thanks! (Copy of the Homepage: https://itunes.apple.com/us/app/itransferpro-transfer-photos/id777151284 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official iTransferPro v1.1 iOS mobile application. Vulnerability Disclosure Timeline: ================================== 2014-10-27: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== SeasonApps iTransfer Product: iTransfer - iOS Mobile Web Application (Wifi) 1.1 Exploitation Technique: ======================= Local Severity Level: =============== Medium Technical Details & Description: ================================ An application-side input validation web vulnerability has been discovered in the official SeasonApps iTransferPro v1.1 iOS mobile application. The vulnerability allows a local attacker to inject own script code as payload to the application-side of the vulnerable service function or module. The vulnerability is located in the albumname value. Local attackers with low privileged device user accounts are able to manipulate the albumname values by usage of the wifi sync function in the `Share Photo Library` module. The attack vector is persistent on the application-side and the request method to inject is a app sync. The issue allows to stream persistent malicious script codes to the front site of the wifi photo library interface. The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.5. Exploitation of the application-side web vulnerability requires a low privileged web-application user account and low or medium user interaction. Successful exploitation of the vulnerabilities result in persistent phishing mails, session hijacking, persistent external redirect to malicious sources and application-side manipulation of affected or connected module context. Request Method(s): [+] Sync Vulnerable Module(s): [+] Share Photo Library Vulnerable Parameter(s): [+] items - group (albumname) Affected Module(s): [+] Wifi Interface - Share Photo Library Index (http://localhost:8888/) Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by local attackers with low privileged device user account and low or medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: Wifi Interface - Share Photo Library Index (http://localhost:8888/) <html><head><meta name="viewport" content="width=device-width, initial-scale=1.0" http-equiv="Content-Type"><title>iTransfer</title><style>html {background-color:#eeeeee} body { background-color:#FFFFFF; font-family:Tahoma,Arial,Helvetica,sans-serif; font-size:18x; margin-left:5%; margin-right:5%; border:3px groove #006600; padding:15px; } </style></head><body><h2>Enjoy iTransfer</h2> <bq>You Can Access Files of your Photo Library Now :)</bq><script type="text/javascript" src="/jquery.js"></script> <script type="text/javascript" src="/fileuploader.js"></script> <link href="fileuploader.css" rel="stylesheet" type="text/css"><p></p><div id="file-uploader-div"><div class="qq-uploader"><div style="display: none;" class="qq-upload-drop-area"> <span>drop files here to upload</span></div><div style="position: relative; overflow: hidden; direction: ltr;" class="qq-upload-button">upload a file <input style="position: absolute; right: 0px; top: 0px; font-family: Arial; font-size: 118px; margin: 0px; padding: 0px; cursor: pointer; opacity: 0;" name="file" multiple="multiple" type="file"></div><ul class="qq-upload-list"></ul></div></div><p></p><script language="javascript"> $(function(){ var uploader = new qq.FileUploader({ element:document.getElementById("file-uploader-div"), action: "/", debug: false, allowedExtensions: ["jpg","png","JPG","PNG","bmp","BMP"], template: '<div class="qq-uploader">' + '<div class="qq-upload-drop-area"><span>drop files here to upload</span></div>' + '<div class="qq-upload-button">upload a file</div>' + '<ul class="qq-upload-list"></ul>' + '</div>', }); }); </script><br><label color="red"><font size="2" color="red">(Notice: The pictures you upload will appear when you share the photo library next time)</font></label> <br><link href="/bootstrap.css" rel="stylesheet"> <script src="/bootstrap.min.js"></script><h3>All Groups</h3><ul class="thumbnails"><li class="span2"> <div class="thumbnail" style="text-align: center;"> <a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA"> <img src="7BADE58E-C286-43D8-8CE2-4415C4DF35CA.png" height="150" width="150"> <span stype="white-space: nowrap;">>>"<[PERSISTENT INJECTED SCRIPT CODE EXECUTION!] 1items</span></a></div> <a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA"> </a></li><li class="span2"><a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA"> </a><div class="thumbnail" style="text-align: center;"><a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA"> </a><a target="_blank" href="/group/F8F7120B-9058-4B64-B6EF-59DB570F8872"> <img src="F8F7120B-9058-4B64-B6EF-59DB570F8872.png" height="150" width="150"> <span stype="white-space: nowrap;">Photos 3items</span> </a></div><a target="_blank" href="/group/F8F7120B-9058-4B64-B6EF-59DB570F8872"> </a></li></ul></body></html> Reference(s): http://localhost:8888/ http://localhost:8888/group/ Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure restriction of the foldername/albumname input fields. Encode the input and parse the output of the name values in the wifi interface to prevent persistent script code executions. Security Risk: ============== The security risk of the application-side input validation web vulnerability in the wifi interface is estimated as medium(-). (CVSS 2.5) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (b...@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: ad...@vulnerability-lab.com - resea...@vulnerability-lab.com - ad...@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (ad...@vulnerability-lab.com or resea...@vulnerability-lab.com) to get a permission. Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: resea...@vulnerability-lab.com COMPANY: Evolution Security GmbH BUSINESS: www.evolution-sec.com