[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] FTP Drive + HTTP 1.0.4 iOS - Code Execution Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-03-28 12:38:56
Message-ID: 53356D60.802 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
FTP Drive + HTTP 1.0.4 iOS - Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1231
Release Date:
=============
2014-03-20
Vulnerability Laboratory ID (VL-ID):
====================================
1231
Common Vulnerability Scoring System:
====================================
9.1
Product & Service Introduction:
===============================
FTP Drive + HTTP Server is the ultimate app as for usefullness and ease of use to bring with \
you and share all your important files through your iPhone/iPod! When you`re in a hurry or \
simply wants the things done as they are supposed to be done, you can use FTP Drive + HTTP \
Server. As the name implies, you can use this app mainly as an FTP Server, so you can mount it \
as a Network Drive in your favorite operative system or you can browse the files through a web \
browser like Firefox, Safari, Chrome, Internet Explorer, ...
(Copy of the Homepage: \
https://itunes.apple.com/us/app/ftp-drive-+-http-server-easiest/id455671784 ) (Vendor Homepage: \
http://www.gummybearstudios.com/ios.html )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory discovered a code execution web vulnerability in the official \
Gummy Bear Studios FTP Drive + HTTP Server v1.0.4 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-03-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
A code execution web vulnerability has been discovered in the official Gummy Bear Studios FTP \
Drive + HTTP Server v1.0.4 iOS mobile web-application. The remote vulnerbaility allows an \
attacker to compromise the application and connected device components by usage of a system \
specific command execution.
The vulnerability is located in the create folder input field. The input field direct executes \
the input via GET method request. The request has only a simple quotes encoding. Remote \
attackers are easily able to execute code by usage of a script code payload in combination with \
system device specific php code values. The execution of the code occurs in the main index file \
dir listing service context. The attack vector is on application-side and the request method to \
attack the service is GET. To bypass the path values validation it is required to first add a \
folder via `newDir` value. The remote attacker is able to tamper the create new folder post \
method request and can intercept the values twice to attach the second manipulated path value \
to provoke a code execution. After the add it is possible to attach to the already included \
values via create new folder to execute the code. The security risk of the remote code \
execution web vulnerability is estimated as critical with a cvss (common vulnerability scoring \
system) count of 9.0(+)|(-)9.1.
Exploitation of the remote code execution web vulnerability requires no privileged application \
user account (passwd default blank) or user interaction. Successful exploitation of the code \
execution vulnerability results in mobile application compromise and connected or affected \
component compromise.
Vulnerable Module(s):
[+] Create New Folder
Vulnerable Parameter(s):
[+] path value
Proof of Concept (PoC):
=======================
The php code execution web vulnerability can be exploited by remote attackers without user \
interaction or privileged web-application user account. For security demonstration or to \
reproduce the vulnerability follow the provided steps and information below to continue.
PoC:
http://localhost:8080/[CONNECTED PATH<]/?newDir=%22[<CODE EXECUTION VULNERABILITY!]#TEST
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost:8080/[CONNECTED PATH<]/?newDir=%22[<CODE EXECUTION VULNERABILITY!]#TEST \
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3173] Mime \
Type[application/x-unknown-content-type] Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/[CONNECTED PATH<]/?newDir=%22[<CODE EXECUTION \
VULNERABILITY!]#TEST] Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[3173]
Date[Mi., 19 Mär. 2014 15:06:04 GMT]
Solution - Fix & Patch:
=======================
The code execution web vulnerability can be patched by a secure parse of the create new folder \
input field. Adjust the encoding of the affected foldername output context value in the main \
index file dir list.
Security Risk:
==============
The security risk of the remote code execution web vulnerability in the create new folder \
module is estimated as critical.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) \
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - \
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to \
get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic