[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] SimplyShare v1.4 iOS - Multiple Web Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-01-29 13:30:10
Message-ID: 52E90262.5060404 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
SimplyShare v1.4 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1181
Release Date:
=============
2014-01-28
Vulnerability Laboratory ID (VL-ID):
====================================
1181
Common Vulnerability Scoring System:
====================================
9.2
Product & Service Introduction:
===============================
SimplyShare is the ultimate tool to Transfer your Photos, Videos and Files easily to other \
iPhone/iPod Touch/iPad and computers wirelessly (without any iTunes Sync). Download or upload \
photos/videos/files directly from a computer. Store, manage and view MS Office, iWork, PDF \
files and many more features
Share Files, Photos or Videos:
- Transfer any number of files, photos or videos with any size to other iOS devices (iPhone, \
iPod Touch and iPad) via Wi-Fi
- Download files, photos or videos with any size to your computer via Wi-Fi
- Upload multiple files, photos or videos with any size from your computer to your device via \
WiFi
- Transfer your files via USB cable (iTunes sync)
- View all your photo albums, videos and files on your device from a computer
- Preserves all photos metadata after transfer
- Slideshow all the photos of an album on a computer (on web browser)
- Display your photos on other iOS devices without transfer/saving them
- Send a short/quick text message from your computer or other iOS devices to your own iDevice
- Email files or photos from your device
Download Files from Internet:
- Download files browsing the Internet
- Tap & Hold on any link or photos to save them in SimpyShare app
- Any webpage you visit, SimplyShare automatically generates all the links to supported files \
(MS Office, iWork, PDF documents etc). Then you can download them by just a single tap.
- Download images automatically by simply tapping on any image in the webpage
File Manager:
- Open or Print Microsoft Office documents (Office ‘97 and newer)
- Open or Print iWork documents
- View or Print PDF files, Images, RTF documents, CSV, HTML and Text files
- Play Audio and Video files
- Move, Copy delete files/folder or create new folders
- Save images or videos to Photos Album
- Ability to create folders and organize the files within the folders
- iTunes USB sharing ...
( Copy of the Homepage: https://itunes.apple.com/en/app/simply-share/id399197227 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the \
official SimplyShare v1.4 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2013-01-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple AppStore
Product: Rambax, LLC - SimplyShare 1.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
1.1
A critical remote code execution web vulnerability has been discovered in the official \
SimplyShare v1.4 iOS mobile web-application. Remote attackers are able to execute own system \
specific codes to compromise the affected web-application or the connected mobile device.
The remote vulnerability is located in the vulnerable `text` value of the `Send Text` module. \
Remote attackers can use the prompt send text input to direct execute system codes or \
malicious application requests. The send text input field has no restrictions or secure \
encoding to ensure direct code executes are prevented. After the inject the code execution \
occurs directly in the send text module item list. The security risk of the remote code \
execution vulnerability is estimated as critical with a cvss (common vulnerability scoring \
system) count of 9.2(+)|(-)9.3.
Exploitation of the code execution vulnerability requires no user interaction or privileged \
web-application user account with password. Successful exploitation of the remote code \
execution vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Send Text
Vulnerable Parameter(s):
[+] text
Affected Module(s):
[+] Access from Computer (Send Text Index List - Text Name & Context)
1.2
A local file/path include web vulnerability has been discovered in the official SimplyShare \
v1.4 iOS mobile web-application. The local file include web vulnerability allows remote \
attackers to unauthorized include local file/path requests or system specific path commands to \
compromise the web-application or mobile device.
The local file include web vulnerability is located in the vulnerable `filename` value of the \
`upload files` module (web-interface). Remote attackers are able to inject own files with \
malicious filename to compromise the mobile application. The attack vector is persistent and \
the request method is POST. The local file/path include execute occcurs in the main file to \
path section after the refresh of the file upload. The security risk of the local file include \
web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) \
count of 7.7(+)|(-)7.8.
Exploitation of the local file include web vulnerability requires no user interaction or \
privileged web-application user account with password. Successful exploitation of the local \
web vulnerability results in mobile application or connected device component compromise by \
unauthorized local file include web attacks.
Request Method(s):
[+] [POST]
Vulnerable Input(s):
[+] Upload Files
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Access from Computer (File Dir Index List - Folder/Category to path=/)
1.3
A local command/path injection web vulnerability has been discovered in the official \
SimplyShare v1.4 iOS mobile web-application. The vulnerability allows to inject local commands \
via vulnerable system values to compromise the apple iOS mobile web-application.
The vulnerability is located in the in the title value of the header area. Local attackers are \
able to inject own script codes as iOS device name. The execute of the injected script code \
occurs with persistent attack vector in the header section of the web interface. The security \
risk of the command/path inject vulnerabilities are estimated as high with a cvss (common \
vulnerability scoring system) count of 6.2(+)|(-)6.3.
Exploitation of the command/path inject vulnerability requires a local low privileged iOS \
device account with restricted access and no direct user interaction. Successful exploitation \
of the vulnerability results in unauthorized execute of system specific commands or \
unauthorized path requests.
Request Method(s):
[+] [GET]
Vulnerable Value(s):
[+] devicename
Vulnerable Parameter(s):
[+] value to title
Affected Module(s):
[+] Access from Computer (File Dir Index List) - [Header]
1.4
Multiple persistent input validation web vulnerabilities has been discovered in the official \
SimplyShare v1.4 iOS mobile web-application. The bug allows remote attackers to \
implement/inject own malicious persistent script codes to the application-side of the \
vulnerable app.
The vulnerability is located in the `name` value of the internal photo and video module. The \
vulnerability can be exploited by manipulation of the local device album names. After the \
local attacker with physical access injected the code to the local device foto app menu, he is \
able to execute the persistent script codes on the application-side of the mobile app device. \
The security risk of the persistent script code inject web vulnerabilities are estimated as \
medium with a cvss (common vulnerability scoring system) count of 3.8(+)|(-)3.9.
Exploitation of the persistent web vulnerabilities requires low user interaction and no \
privileged web-application user account with a password. Successful exploitation of the \
vulnerability can lead to persistent session hijacking (customers), account steal via \
persistent web attacks, persistent phishing or persistent manipulation of module context.
Vulnerable Module(s):
[+] Video Folder Name
[+] Photos Folder Name
Vulnerable Parameter(s):
[+] album name values
Affected Module(s):
[+] Access from Computer (Photos & Videos Module)
Proof of Concept (PoC):
=======================
1.1
The remote code execution vulnerability can be exploited by remote attackers without user \
interaction or privileged web-application user account. For security demonstration or to \
reproduce the remote code execution vulnerability follow the provided steps and information \
below.
PoC: Send Text
<table class="ui-widget ui-widget-content" style="margin-bottom: 0;">
<thead>
<tr class="ui-widget-header">
<th></th>
<th>Name</th>
<th>Date</th>
<th>Size</th>
</tr>
</thead>
<tbody>
<tr class="ui-state-default">
<td></td><td colspan="3" class="name"><span class="ui-icon ui-icon-folder-collapsed"></span><a \
href="/?path=/">..</a></td> </tr>
<tr class="ui-state-default">
<td><input value="/Texts/>" type="checkbox">"<<>"<">[REMOTE CODE EXECUTION VULNERABILITY!] s="" \
137.txt"="" filesize="550"></td><td class="name"><span class="ui-icon \
ui-icon-document"></span> <a href="/Texts/>">"<<>"<"><[REMOTE CODE EXECUTION VULNERABILITY!] \
137.txt</a></td><td>Jan. 23, 2014 14:07</td><td>0.5 KB</td></tr>
--- PoC Session Logs [GET] ---
14:13:14.499[93ms][total 1294ms] Status: 200[OK]
GET http://192.168.2.109/?path=/Texts Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI \
LOAD_INITIAL_DOCUMENT_URI ] Content Size[6608] Mime Type[application/x-unknown-content-type] \
Request Headers: Host[192.168.2.109]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.109/]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Accept-Ranges[bytes]
Content-Length[6608]
Date[Do., 23 Jan. 2014 13:20:09 GMT]
14:13:14.612[33ms][total 33ms] Status: 200[OK]
GET http://192.168.2.109/rambax/server/jquery-ui-1.8.5.custom.css Load Flags[VALIDATE_ALWAYS ] \
Content Size[22041] Mime Type[text/css] Request Headers:
Host[192.168.2.109]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/css,*/*;q=0.1]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.109/?path=/Texts]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Headers:
Accept-Ranges[bytes]
Content-Length[22041]
Content-Type[text/css]
Date[Do., 23 Jan. 2014 13:20:09 GMT]
1.2
The file include web vulnerability can be exploited by remote attackers without user \
interaction and privileged web-application user account. For security demonstration or to \
reproduce the file/path include web vulnerability follow the provided steps and information \
below.
PoC: Upload Files - Filename
<tr class="ui-state-default">
<td><input value="/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]" filesize="723" \
type="checkbox"></td> <td class="name"><span class="ui-icon ui-icon-document"></span>
<a href="/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]">[FILE INCLUDE VULNERABILITY VIA \
FILENAME]</a></td> <td>Jan. 23, 2014 14:04</td><td>0.7 KB</td></tr>
1.3
The local command inject web vulnerability can be exploited by remote attackers without user \
interaction and privileged web-application user account. Physical device access or resource \
access is required to exploit the local command inject vulnerability. For security \
demonstration or to reproduce the local command inject vulnerability follow the provided steps \
and information below.
PoC: Title - Header
<body>
<div class="visible-div">
<img src="/rambax/server/SimplyShare-icon.png">
<div id="title">bkm ¥337[LOCAL COMMAND INJECT VULNERABILITY VIA DEVICE NAME VALUE]</div>
<div id="header-links">
1.4
The persistent input validation web vulnerabilities can be exploited by remote attackers \
without privileged application user account but with low or medium user interaction. For \
security demonstration or to reproduce the persistent vulnerabilities follow the provided steps \
and information below.
PoC: Albums > name
<div id="albums">
<ul class="column">
<li><div class="block"><a href="/rambax/album/0-x"
title="Camera Roll (137)"><img src="/rambax/album_poster/0.jpg" class="photo"></a><span>Camera \
Roll (137)</span></div></li> <li><div class="block">
<a href="/rambax/album/1" title="bkm"><[PERSISTENT INJECTED SCRIPT CODE!]"> (1)"><img \
src="/rambax/album_poster/1.jpg" class="photo"/></a><span>bkm"><[PERSISTENT INJECTED SCRIPT \
CODE!]> (1)</span></div></li> </ul>
</div>
Solution - Fix & Patch:
=======================
1.1
The first vulnerability can be patched by a secure restriction and encode of the send text \
input field with the text value parameter. Ensure the output send text item list module only \
displays secure parsed, encoded and validated context.
1.2
The second vulnerability can be patched by a secure parse and encode of the file name value \
parameter in the Upload File POST method request.
1.3
The third vulnerability can be patched by encoding the header section with the title value \
parameter to prevent physical command injection attacks.
1.4
Encode the photo album and video names to prevent persistent script code injection attacks by \
local stored album components of the foto (photo) app.
Security Risk:
==============
1.1
The security risk of the remote code exection vulnerability is estimated as critical.
1.2
The security risk of the local file include web vulnerability is estimated as high(+).
1.3
The security risk of the local command inject web vulnerability is estimated as high(-).
1.4
The security risk of the persistent script code inject web vulnerabilities via POST method \
request are estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) \
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - \
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to \
get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic