List: full-disclosure
Subject: [FD] My Photo Wifi Share & Photo Server 1.1 iOS - Command Injection Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-03-28 12:38:40
Message-ID: 53356D50.3060805 () vulnerability-lab ! com
Document Title:
===============
My Photo Wifi Share & Photo Server 1.1 iOS - Command Injection Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1232
Release Date:
=============
2014-03-24
Vulnerability Laboratory ID (VL-ID):
====================================
1232
Common Vulnerability Scoring System:
====================================
6.2
Product & Service Introduction:
===============================
My Photo Wifi Share allows you to share your photos with multiple friends at a time over a local WiFi network. Let your friends browse all your albums. Or, view all your photos in your favorite web browser (Safari, Firefox, Chrome, or IE). No more USB connections to your iPhone. Read your photos off your phone with super fast speed!
(Copy of the Homepage: https://itunes.apple.com/au/app/my-photo-wifi-share-picture/id421260815 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local command injection vulnerability in the official My Photo Wifi Share & Picture Server v1.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-03-24: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Jeff Handy
Product: My Photo Wifi Share & Picture Server - iOS Mobile Web Application 1.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local command injection vulnerability has been discovered in the official My Photo Wifi Share & Picture Server v1.1 iOS mobile web-application. The command injection bug allows remote attackers to inject local commands via vulnerable system values to compromise the mobile service or application.
The vulnerability is located in the `albumname` value. Local attackers are able to inject their own malicious system-specific commands or path requests as the albumname value. The injection requires an active sync via the `Share My Photos` (wifi) module. The injected albumname value is executed on sync when the album dir index list is rendered. The security risk of the local command/path inject vulnerability is estimated as high(-) with a cvss (common vulnerability scoring system) count of 6.1(-).
Exploitation of the command/path inject vulnerability requires a low privileged iOS device account with restricted access and no user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system-specific commands and unauthorized path value requests to compromise the mobile iOS application or the connected device components.
Request Method(s):
[+] Sync [iPhone or iPad]
Vulnerable Input(s):
[+] Album (Name)
Vulnerable Parameter(s):
[+] albumname (path value)
Affected Module(s):
[+] Index - Album Dir Listing
Proof of Concept (PoC):
=======================
The local command inject web vulnerability can be exploited by local attackers with a low privileged device user account and without user interaction. For security demonstration or to reproduce the web vulnerability, follow the provided information and steps below.
Manual steps to reproduce the vulnerability ...
1. Download and install the My Photo Wifi Share & Picture Server v1.1 iOS mobile web-application > https://itunes.apple.com/de/app/my-photo-wifi-share-picture/id421260815
2. Start the default photo album app of iOS
3. Create a new album and select some pictures to include for sync
4. Now, the local attacker is able to inject a payload as local system-specific command or path value request into the album name
5. After the albumname is saved, the attacker starts the vulnerable My Photo Wifi Share & Picture Server v1.1 iOS mobile web-application
6. Select the album with the injected command and use the share album function
7. After the click on the share album button, the remote attacker is able to request the (localhost:8080) wifi interface (web-server)
8. The execution of the injected command via the stored value on sync occurs in the album dir index list
9. Successful reproduction of the local command injection web vulnerability!
PoC: Album(s) Dir Listing
<font size="16">Album: >"<>"./[LOCAL COMMAND INJECTION VULNERABILITY VIA ALBUMNAME VALUE]<"></font></td></tr><tr></tr><tr> <td><a href='page_1.html'><img src='http://localhost:8080//thumbs/image_1.png' height=150 width=150><br>Page 1</a></td></table></body></html></iframe></font>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing the vulnerable album name value and input.
Filter and encode the album name when rendering the output index album list to prevent local command injection via phone sync.
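The following example is added here and is not code from the advisory or from the My Photo Wifi Share app (its embedded web server is not available to the reader). It demonstrates in Python the fix the Solution section calls for, covering both the Technical Details and the Solution above: an allow-list filter on the album name, HTML-encoding of the name when the album dir index list is rendered, and a containment check for thumbnail path requests. The album names and the `/srv/thumbs` directory are constructed sample values, and all function names are assumptions.

```python
import html
import os
import re

# Constructed sample album names (not from the advisory): one benign name and one
# shaped like the PoC listing, with HTML metacharacters and a relative path prefix.
SAMPLE_ALBUMS = [
    "Holiday 2014",
    '>"<>"./[INJECTED]<"',
]

# Allow-list for album names: letters, digits, space, underscore, dash; 1-64 chars.
# Path separators and HTML metacharacters fail this check outright.
ALBUM_NAME_RE = re.compile(r"[A-Za-z0-9 _\-]{1,64}")


def is_safe_album_name(name: str) -> bool:
    """Input filter applied when the album name is accepted on sync."""
    return ALBUM_NAME_RE.fullmatch(name) is not None


def render_album_vulnerable(name: str) -> str:
    """The unsafe pattern implied by the PoC: the raw name is concatenated into HTML."""
    return f'<font size="16">Album: {name}</font>'


def render_album_fixed(name: str) -> str:
    """Output encoding: every HTML metacharacter in the name is escaped, so the
    browser renders the injected text literally instead of interpreting it."""
    return f'<font size="16">Album: {html.escape(name, quote=True)}</font>'


def render_index_fixed(albums) -> str:
    """Build the album dir index list: names failing the filter are replaced by a
    fixed placeholder, and every rendered name is encoded."""
    rows = []
    for name in albums:
        shown = name if is_safe_album_name(name) else "[album name rejected]"
        rows.append("<tr><td>" + render_album_fixed(shown) + "</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def resolve_under(base_dir: str, relative: str) -> str:
    """Return the absolute thumbnail path only if it stays inside base_dir.
    Raises ValueError for path values such as '../secret' that escape it."""
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, relative))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the thumbnail directory")
    return target


if __name__ == "__main__":
    hostile = SAMPLE_ALBUMS[1]
    print("vulnerable:", render_album_vulnerable(hostile))
    print("fixed:     ", render_album_fixed(hostile))
    print("index:     ", render_index_fixed(SAMPLE_ALBUMS))
    print("thumb:     ", resolve_under("/srv/thumbs", "image_1.png"))
```

The two defences are independent: the allow-list stops hostile names from being stored at all, while the output encoding protects the index page even if a name bypasses the filter (for example one stored before the fix was deployed). The path check addresses the "path value request" half of the advisory, rejecting any album or thumbnail path that resolves outside the directory the web server is meant to expose.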
Security Risk:
==============
The security risk of the local command inject web vulnerability is estimated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/