[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Private Camera Pro v5.0 iOS - Multiple Web Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-02-25 11:26:50
Message-ID: 530C7DFA.1020200 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Private Camera Pro v5.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1216
Release Date:
=============
2014-02-24
Vulnerability Laboratory ID (VL-ID):
====================================
1216
Common Vulnerability Scoring System:
====================================
8.1
Product & Service Introduction:
===============================
Private Camera is an iPhone and iPad camera app that could protect your privacy. It supports \
taking photos and recording videos, password lock protect, Fake password guest mode, share \
photos anytime and anywhere. Take photos and videos quick and easily. Support autofocus, tap \
to focus, flash light switch, camera switch, brand new UI, easy to use. Support taking still \
photo and recording video. Switch the video and photo mode one click. Create, rename, delete \
album, set album cover. Add photos to Album, remove photos from Album. Multiple photos can be \
handled at a time, you can import photos from system camera roll, export photos to system \
camera roll, add photos to album, remove photos from album, delete multiple photos. Wi-Fi web \
access for photos upload, you can upload many photos from computer to iPhone or iPad in one \
shot. With iOS 5, Private Camera can sync all your photos and videos on your iCloud account, \
you can access these photos & videos on all your iOS devices, use and share these photos & \
videos anytime, everywhere. Protect photos and videos that you don't want to share. User \
requires enter password when access the photos/videos library. Share photos and videos on \
Twitter, Facebook, Email with your friends.
With Password-lock functionality, can protect your personal photos and videos. Its unique \
Pseudo-password(decoy-password) guest mode, can cope with annoying friends from seeing your \
private photos and videos. With easy to use camera features, let you using iPhone or iPad take \
photos & videos and enjoy your photography life!
( Copy of the Homepage: https://itunes.apple.com/us/app/private-camera-photo-vault/id477970594 \
) ( Copy of the Homepage: \
https://itunes.apple.com/us/app/private-camera-pro-photo-vault/id473538611 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the \
official Private Camera Pro v5.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-02-24: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple AppStore
Product: Private Camera Pro - iOS Web Application 5.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include vulnerability has been discovered in the official Private Camera Pro v5.0 \
iOS mobile web-application. The local file include web vulnerability allows remote attackers to \
unauthorized include local file/path requests or system specific path commands to compromise \
the web-application/device.
The vulnerability is located in the upload module of the mobile web-application web-interface. \
Remote attackers can manipulate the `upload > submit` POST method request with the vulnerable \
`filename` value to compromise the application or connected device components. The issue \
allows remote attackers to include local app path values or wifi web-server files.
The exploitation appears on the application-side and the inject request method is POST. The \
exection occurs in the main index file dir list. The security risk of the local file include \
web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count \
of 7.2(+)|(-)7.3.
Exploitation of the local file include vulnerability requires no user interaction or privileged \
mobile application user account. Successful exploitation of the file include web vulnerability \
results in mobile application compromise, connected device compromise or web-server \
compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Upload (UI) & Import (Device Sync)
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] File Dir Index Listing
1.2
A local command/path injection web vulnerabilities has been discovered in the official Private \
Camera Pro v5.0 iOS mobile web-application. A command inject vulnerability allows attackers to \
inject local commands via vulnerable system values to compromise the apple mobile iOS \
application.
The vulnerability is located in the vulnerable `[devicename] (srvName)` value of the \
device-info module. Local attackers are able to inject own malicious system specific commands \
or path value requests as the physical iOS hardware devicename. The execution of the injected \
command or path request occurs with persistent attack vector in the device-info listing module \
of the web interface. The security risk of the local command/path inject vulnerability is \
estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.5(+)|(-)6.6.
Exploitation of the command/path inject vulnerability requires a low privileged iOS device \
account with restricted access and no user interaction. Successful exploitation of the \
vulnerability results in unauthorized execution of system specific commands and unauthorized \
path value requests to compromise the mobile iOS application or the connected device \
components.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Content > header-title
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Index- File Dir Listing
[+] Sub Folder/Category - File Dir Listing
1.3
A persistent input validation vulnerability has been discovered in the official Private Camera \
Pro v5.0 iOS mobile web-application. A persistent input validation vulnerability allows remote \
attackers to inject own malicious script codes on the application-side of the affected \
application web-server.
The vulnerability is located in the add `New Album` input field. The vulnerability allows \
remote attackers to inject own malicious script codes on the application-side of the index \
path/folder listing. The script code execute occurs in the index `Albums Index` listing with \
the vulnerable album_title parameter. The inject can be done local by the device via add album \
sync function or remote by an inject via upload in the web-interface. The attack vector is \
persistent and the injection request method is POST. The security risk of the persistent input \
validation web vulnerability in the albumtitle value is estimated as high(-) with a cvss \
(common vulnerability scoring system) count of 4.2(+)|(-)4.3.
Exploitation of the persistent script code inject vulnerability via POST method request \
requires low user interaction and no privileged web-interface user account. Only the sync add \
album sync function of the reproduce via device requires physical access.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Albums Add (UI) & Import (Snyc Device)
Vulnerable Module(s):
[+] album_title
Affected Module(s):
[+] Album Index & Sub Category Index
Proof of Concept (PoC):
=======================
1.1
the local file include web vulnerability can be exploited by remote attackers without \
privileged web-application user account or user interaction. For security demonstration or to \
reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Albums
<div class="btn btn-mini directDownload" title="Download photo">Download</div></div></li><li \
class="span2 thumbnail_warp"> <div class="thumbnail_image"><a \
href="http://192.168.2.109/origins/PC_20140223160359211.jpg" class="thumbnail" w="480" h="320" \
t="0" u="PC_20140223160359211.jpg"><img style="display: block;" \
src="Default%20Album_filename-Dateien/PC_20140223160359211.jpg" \
data-original="/photos/thumbnails/PC_20140223160359211.jpg" class="photo_image"><div \
class="inner_icons"> </div></a> <div class="thumbnail_overlay"><img style="display: none;" \
src="Default%20Album_filename-Dateien/zoomout_icon.png" class="zoomout_icon" title="origin \
photo"></div></div><div style="display: none;" class="photo-edit-bar"><label class="checkbox \
inline">15<input id="15" name="0" value="./[LOCAL FILE INCLUDE VULNERABILITY!].jpg" \
type="checkbox"></label><div class="btn btn-mini directDownload" title="Download \
photo">Download</div></div></li></ul></div>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost/asset/addAsset Load Flags[LOAD_BYPASS_CACHE ] Größe des Inhalts[462] \
Mime Type[application/json] Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost/]
Content-Length[24791]
Content-Type[multipart/form-data; boundary=---------------------------27557158176485]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
POST_DATA[-----------------------------27557158176485
Content-Disposition: form-data; name="params"
name:Default%20Album|url:82A29591-4E94-4313-B4A6-B527A1A551AE|id:SYS_ALBUM_DEFAULT
-----------------------------27557158176485
Content-Disposition: form-data; name="files[]"; filename="./[LOCAL FILE INCLUDE \
VULNERABILITY!]"
Content-Type: image/jpeg
1.2
The local command inject web vulnerability can be exploited by remote attackers with physical \
device access and without user interaction. For security demonstration or to reproduce the \
vulnerability follow the provided information and steps below to continue.
PoC: Device Info > device_info_list > srvname > device-info > [devicename] (srvName)
<div aria-hidden="false" style="display: block;" id="modal_serverInfo" class="modal hide fade \
in"> <div class="modal-header">
<a class="close" data-dismiss="modal">×</a>
<h4>Device info</h4>
</div>
<div class="modal-body">
<ul class="device_info_list">
<li>Name:<span id="srvName" class="device-info">bkm337 ¥"><%20"./[LOCAL \
COMMAND INJECT VULNERABILITY!]"><if></span></li>
<li>Model:<span id="srvModel" class="device-info">iPad 4 (WiFi)</span></li>
<li>iOS Version:<span id="srvVer" class="device-info">7.0.6</span></li>
<li>Free Space:<span id="srvFree" class="device-info">9.993 GB</span></li>
<li>Support Video:<span id="srvSupported" class="device-info">MOV, M4V, \
MP4</span></li> </ul>
</div>
<div class="modal-footer">
<a href="#" class="btn" data-dismiss="modal">Close</a>
</div>
</div>
Note: Inject your payload as iOS devicename (phone or ipad). The execution occurs in the \
device-info section of the web-interface.
1.2
The persistent input validation web vulnerability can be exploited by remote attackers with low \
privileged application user account and low user interaction. For security demonstration or to \
reproduce the vulnerability follow the provided information and steps below to continue.
PoC: File Dir Index > album_title
<div class="span12 content-body index_page" id="indexDropbox"><ul class="thumbnails" \
id="albums"><li class="album_warp"> <a href="#" n="Default%20Album" u="SYS_ALBUM_DEFAULT" \
albumtype="1" editable="true" class="thumbnail thumbnailAlbum"> <img \
src="Albums_foldername-Dateien/SYS_ALBUM_DEFAULT.jpg" class="album_image"><h5 \
class="album_title">Default Album</h5> <p class="album_desc 1">15 Photos</p></a></li><li \
class="album_warp"><a href="#" n="%20">[PERSISTENT INJECTED SCRIPT CODE!]" \
u="E2569E17-2254-46D9-992C-82833B92F535" albumtype="0" editable="true" class="thumbnail \
thumbnailAlbum"> <img src="Albums_foldername-Dateien/E2569E17-2254-46D9-992C-82833B92F535.jpg" \
class="album_image"> <h5 class="album_title">><%20">[PERSISTENT INJECTED SCRIPT CODE!]"> \
"><%20">[PERSISTENT INJECTED SCRIPT CODE!]></h5> <p class="album_desc 0">7 \
Photos</p></a></li></iframe></h5></a></li></ul></div>
Note: Use the sync function when processing to import to inject the persistent code to the file \
dir index of the web-interface.
Solution - Fix & Patch:
=======================
1.1
The local file include web vulnerability can be patched by a secure parse and validation of the \
filename value in the upload file POst method request.
1.2
The local command inject web vulnerability can be fixed by a secure encode of the vulnerable \
devicename value in the service information module.
1.3
The persistent input validation web vulnerability can be patched by a secure parse and encode \
of the vulnerable albumname value. Restrict the albumname add and rename function to prevent \
further persistent script code injects via POST method request.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as high(+).
1.2
The security risk of the local command inject web vulnerability is estimated as high(-).
1.3
The security risk of the persistent input validation web vulnerability is estimated as \
medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) \
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - \
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to \
get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic