List: bugtraq
Subject: SimplyShare v1.4 iOS - Multiple Web Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-01-29 13:30:16
Message-ID: 52E90268.5060000 () vulnerability-lab ! com
Document Title:
===============
SimplyShare v1.4 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1181
Release Date:
=============
2014-01-28
Vulnerability Laboratory ID (VL-ID):
====================================
1181
Common Vulnerability Scoring System:
====================================
9.2
Product & Service Introduction:
===============================
SimplyShare is the ultimate tool to transfer your photos, videos and files easily to other iPhone/iPod Touch/iPad and computers wirelessly (without any iTunes sync). Download or upload photos/videos/files directly from a computer. Store, manage and view MS Office, iWork, PDF files and many more features.
Share Files, Photos or Videos:
- Transfer any number of files, photos or videos with any size to other iOS devices (iPhone, iPod Touch and iPad) via Wi-Fi
- Download files, photos or videos with any size to your computer via Wi-Fi
- Upload multiple files, photos or videos with any size from your computer to your device via WiFi
- Transfer your files via USB cable (iTunes sync)
- View all your photo albums, videos and files on your device from a computer
- Preserves all photo metadata after transfer
- Slideshow all the photos of an album on a computer (on web browser)
- Display your photos on other iOS devices without transferring/saving them
- Send a short/quick text message from your computer or other iOS devices to your own iDevice
- Email files or photos from your device
Download Files from Internet:
- Download files browsing the Internet
- Tap & Hold on any link or photo to save it in the SimplyShare app
- On any webpage you visit, SimplyShare automatically generates all the links to supported files (MS Office, iWork, PDF documents etc). Then you can download them with just a single tap.
- Download images automatically by simply tapping on any image in the webpage
File Manager:
- Open or Print Microsoft Office documents (Office '97 and newer)
- Open or Print iWork documents
- View or Print PDF files, Images, RTF documents, CSV, HTML and Text files
- Play Audio and Video files
- Move, copy, delete files/folders or create new folders
- Save images or videos to Photos Album
- Ability to create folders and organize the files within the folders
- iTunes USB sharing ...
( Copy of the Homepage: https://itunes.apple.com/en/app/simply-share/id399197227 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official SimplyShare v1.4 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2013-01-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple AppStore
Product: Rambax, LLC - SimplyShare 1.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
1.1
A critical remote code execution web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web application. Remote attackers are able to execute their own system-specific code to compromise the affected web application or the connected mobile device.
The remote vulnerability is located in the vulnerable `text` value of the `Send Text` module. Remote attackers can use the send text prompt input to execute system code or malicious application requests directly. The send text input field has no restrictions or secure encoding that would prevent direct code execution. After the injection, the code execution occurs directly in the send text module item list. The security risk of the remote code execution vulnerability is estimated as critical with a CVSS (Common Vulnerability Scoring System) count of 9.2(+)|(-)9.3.
Exploitation of the code execution vulnerability requires no user interaction and no privileged web application user account with password. Successful exploitation of the remote code execution vulnerability results in compromise of the mobile application or a connected device component.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Send Text
Vulnerable Parameter(s):
[+] text
Affected Module(s):
[+] Access from Computer (Send Text Index List - Text Name & Context)
1.2
A local file/path include web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web application. The local file include web vulnerability allows remote attackers to include unauthorized local file/path requests or system-specific path commands to compromise the web application or the mobile device.
The local file include web vulnerability is located in the vulnerable `filename` value of the `upload files` module (web interface). Remote attackers are able to upload their own files with a malicious filename to compromise the mobile application. The attack vector is persistent and the request method is POST. The local file/path include executes in the main file-to-path section after the file upload listing is refreshed. The security risk of the local file include web vulnerability is estimated as high(+) with a CVSS (Common Vulnerability Scoring System) count of 7.7(+)|(-)7.8.
Exploitation of the local file include web vulnerability requires no user interaction and no privileged web application user account with password. Successful exploitation of the local web vulnerability results in compromise of the mobile application or a connected device component through unauthorized local file include web attacks.
Request Method(s):
[+] [POST]
Vulnerable Input(s):
[+] Upload Files
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Access from Computer (File Dir Index List - Folder/Category to path=/)
1.3
A local command/path injection web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web application. The vulnerability allows an attacker to inject local commands via vulnerable system values to compromise the Apple iOS mobile web application.
The vulnerability is located in the title value of the header area. Local attackers are able to inject their own script code as the iOS device name. The injected script code executes with a persistent attack vector in the header section of the web interface. The security risk of the command/path injection vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.2(+)|(-)6.3.
Exploitation of the command/path injection vulnerability requires a local low-privileged iOS device account with restricted access and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system-specific commands or unauthorized path requests.
Request Method(s):
[+] [GET]
Vulnerable Value(s):
[+] devicename
Vulnerable Parameter(s):
[+] value to title
Affected Module(s):
[+] Access from Computer (File Dir Index List) - [Header]
1.4
Multiple persistent input validation web vulnerabilities have been discovered in the official SimplyShare v1.4 iOS mobile web application. The bug allows remote attackers to inject their own malicious persistent script code into the application side of the vulnerable app.
The vulnerability is located in the `name` value of the internal photo and video module. It can be exploited by manipulating the local device album names. Once a local attacker with physical access has injected the code through the album menu of the device's photo app, the persistent script code executes on the application side of the mobile app. The security risk of the persistent script code injection vulnerabilities is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.8(+)|(-)3.9.
Exploitation of the persistent web vulnerabilities requires low user interaction and no privileged web application user account with a password. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account theft via persistent web attacks, persistent phishing or persistent manipulation of module context.
Vulnerable Module(s):
[+] Video Folder Name
[+] Photos Folder Name
Vulnerable Parameter(s):
[+] album name values
Affected Module(s):
[+] Access from Computer (Photos & Videos Module)
Proof of Concept (PoC):
=======================
1.1
The remote code execution vulnerability can be exploited by remote attackers without user interaction or a privileged web application user account. For security demonstration or to reproduce the remote code execution vulnerability, follow the provided steps and information below.
PoC: Send Text
<table class="ui-widget ui-widget-content" style="margin-bottom: 0;">
<thead>
<tr class="ui-widget-header">
<th></th>
<th>Name</th>
<th>Date</th>
<th>Size</th>
</tr>
</thead>
<tbody>
<tr class="ui-state-default">
<td></td><td colspan="3" class="name"><span class="ui-icon ui-icon-folder-collapsed"></span><a href="/?path=/">..</a></td> </tr>
<tr class="ui-state-default">
<td><input value="/Texts/>" type="checkbox">"<<>"<">[REMOTE CODE EXECUTION VULNERABILITY!] s="" 137.txt"="" filesize="550"></td><td class="name"><span class="ui-icon ui-icon-document"></span> <a href="/Texts/>">"<<>"<"><[REMOTE CODE EXECUTION VULNERABILITY!] 137.txt</a></td><td>Jan. 23, 2014 14:07</td><td>0.5 KB</td></tr>
--- PoC Session Logs [GET] ---
14:13:14.499[93ms][total 1294ms] Status: 200[OK]
GET http://192.168.2.109/?path=/Texts Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[6608] Mime Type[application/x-unknown-content-type] Request Headers:
Host[192.168.2.109]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.109/]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Accept-Ranges[bytes]
Content-Length[6608]
Date[Do., 23 Jan. 2014 13:20:09 GMT]
14:13:14.612[33ms][total 33ms] Status: 200[OK]
GET http://192.168.2.109/rambax/server/jquery-ui-1.8.5.custom.css Load Flags[VALIDATE_ALWAYS ] Content Size[22041] Mime Type[text/css] Request Headers:
Host[192.168.2.109]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/css,*/*;q=0.1]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.109/?path=/Texts]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Accept-Ranges[bytes]
Content-Length[22041]
Content-Type[text/css]
Date[Do., 23 Jan. 2014 13:20:09 GMT]
1.2
The file include web vulnerability can be exploited by remote attackers without user interaction and without a privileged web application user account. For security demonstration or to reproduce the file/path include web vulnerability, follow the provided steps and information below.
PoC: Upload Files - Filename
<tr class="ui-state-default">
<td><input value="/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]" filesize="723" type="checkbox"></td> <td class="name"><span class="ui-icon ui-icon-document"></span> <a href="/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]">[FILE INCLUDE VULNERABILITY VIA FILENAME]</a></td> <td>Jan. 23, 2014 14:04</td><td>0.7 KB</td></tr>
1.3
The local command injection web vulnerability can be exploited by remote attackers without user interaction and without a privileged web application user account. Physical device access or resource access is required to exploit the local command injection vulnerability. For security demonstration or to reproduce the local command injection vulnerability, follow the provided steps and information below.
PoC: Title - Header
<body>
<div class="visible-div">
<img src="/rambax/server/SimplyShare-icon.png">
<div id="title">bkm ¥337[LOCAL COMMAND INJECT VULNERABILITY VIA DEVICE NAME VALUE]</div> <div id="header-links">
1.4
The persistent input validation web vulnerabilities can be exploited by remote attackers without a privileged application user account but with low or medium user interaction. For security demonstration or to reproduce the persistent vulnerabilities, follow the provided steps and information below.
PoC: Albums > name
<div id="albums">
<ul class="column">
<li><div class="block"><a href="/rambax/album/0-x" title="Camera Roll (137)"><img src="/rambax/album_poster/0.jpg" class="photo"></a><span>Camera Roll (137)</span></div></li> <li><div class="block">
<a href="/rambax/album/1" title="bkm"><[PERSISTENT INJECTED SCRIPT CODE!]"> (1)"><img src="/rambax/album_poster/1.jpg" class="photo"/></a><span>bkm"><[PERSISTENT INJECTED SCRIPT CODE!]> (1)</span></div></li> </ul>
</div>
Solution - Fix & Patch:
=======================
1.1
The first vulnerability can be patched by securely restricting and encoding the send text input field with the `text` value parameter. Ensure the output of the send text item list module only displays securely parsed, encoded and validated content.
1.2
The second vulnerability can be patched by securely parsing and encoding the `filename` value parameter in the Upload File POST method request.
1.3
The third vulnerability can be patched by encoding the header section with the title value parameter to prevent command injection through a physically set device name.
1.4
Encode the photo album and video names to prevent persistent script code injection attacks via the locally stored album components of the photo app.
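The encoding and file-name handling that the four fixes above call for, as an added example (not Rambax's or SimplyShare's code): hypothetical helpers for an embedded file-sharing web server that escape every user-controlled value (text name, device name, album name, uploaded file name) before it lands in the index HTML and confine uploaded files to the share root. The `/var/share` root, the function names and the row layout are assumptions.

```python
import html
import posixpath
import re
from urllib.parse import quote

# Added example, not SimplyShare's code: hypothetical helpers for an embedded
# file-sharing web server. Every user-controlled value (text name, device name,
# album name, uploaded file name) is encoded before it reaches the index HTML.
SHARE_ROOT = "/var/share"                          # assumed storage root
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9 ._()\-]")


def html_text(value: str) -> str:
    """Escape a value for HTML text or quoted-attribute context (fixes 1.1, 1.3, 1.4)."""
    return html.escape(value, quote=True)


def safe_filename(name: str) -> str:
    """Reduce an uploaded file name to a single safe path component (fix 1.2)."""
    base = posixpath.basename(name.replace("\\", "/"))  # drop any directory part
    base = UNSAFE_CHARS.sub("_", base).strip(" .")      # no traversal, no odd bytes
    if not base:
        raise ValueError("file name is empty after sanitizing")
    return base


def resolve_upload_path(folder: str, name: str, root: str = SHARE_ROOT) -> str:
    """Join root/folder/name and refuse any result that leaves the share root."""
    target = posixpath.normpath(posixpath.join(root, folder.lstrip("/"), safe_filename(name)))
    if not target.startswith(root.rstrip("/") + "/"):
        raise ValueError("path escapes the share root")
    return target


def render_text_row(text_name: str, date: str, size_kb: float) -> str:
    """One Send Text index row with the text name encoded for each context."""
    label = html_text(text_name)                   # between tags and inside value=""
    href = "/Texts/" + quote(text_name, safe="")   # percent-encoded for the URL
    return (
        f'<tr class="ui-state-default"><td><input value="/Texts/{label}" type="checkbox"></td>'
        f'<td class="name"><span class="ui-icon ui-icon-document"></span> '
        f'<a href="{href}">{label}</a></td><td>{date}</td><td>{size_kb} KB</td></tr>'
    )


def render_device_title(device_name: str) -> str:
    """The header title div with the device name encoded (fix 1.3)."""
    return f'<div id="title">{html_text(device_name)}</div>'
```

The same `html_text` call covers the album `<span>` and `title` attribute from 1.4; the URL path and the HTML text are two different contexts and each gets its own encoder.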
Security Risk:
==============
1.1
The security risk of the remote code execution vulnerability is estimated as critical.
1.2
The security risk of the local file include web vulnerability is estimated as high(+).
1.3
The security risk of the local command injection web vulnerability is estimated as high(-).
1.4
The security risk of the persistent script code injection web vulnerabilities via POST method request is estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com