[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Wifi Photo Transfer 2.1 & 1.1 PRO - Multiple Vulnerabilities
- To: bugs@xxxxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Wifi Photo Transfer 2.1 & 1.1 PRO - Multiple Vulnerabilities
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 12 May 2013 21:50:08 +0100
Title:
======
Wifi Photo Transfer 2.1 & 1.1 PRO - Multiple Vulnerabilities
Date:
=====
2013-04-21
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=932
VL-ID:
=====
932
Common Vulnerability Scoring System:
====================================
6.1
Introduction:
=============
Easily access your photo libraries via wifi from any computer with a web
browser! Just start the app and enter the
displayed address into the address bar of your browser. Works with any computer
that has a modern browser (like desktop
or portable computers, iPads, or even an other iPhone) and is on the same wifi
network as your phone, iPod or iPad.
- You can select and transfer multiple photos at once
- EXIF metadata is retained in mass-download mode (not in one-by-one mode)
- Optional password protection for the web interface
- Can also be used to download videos
- Transfer in full resolution or scaled down
- No extra software required
(Copy of the Homepage: #1
https://itunes.apple.com/de/app/wifi-photo-transfer-pro/id587468262)
(Copy of the Homepage: #2
https://itunes.apple.com/de/app/wifi-photo-transfer/id380326191)
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web
vulnerabilities in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the
apple ipad & iphone.
Report-Timeline:
================
2013-04-22: Public Disclosure
Status:
========
Published
Affected Products:
==================
Apple AppStore
Product: Wifi Photo Transfer 2.1 & 1.1 Pro
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
1.1
A local command injection web vulnerability is detected in the mobile Wifi
Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.
The vulnerability allows to inject local commands via vulnerable system values
to compromise the apple mobile iOS application.
The vulnerbility is located in the index module when processing to load the
ipad or iphone device album names. Local attackers can
change the ipad or iphone device photo album names to system specific commands
and file requests to provoke the execution when
processing to watch the main index listing. The execution of the script code
occurs in the album name web context.
Exploitation of the web vulnerability does not require an application user
account (standard) or user interaction.
Successful exploitation of the vulnerability results unauthorized execution of
system specific commands and path requests.
Vulnerable Application(s):
[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes
or AppStore (Apple)
Vulnerable Module(s):
[+] Index
Vulnerable Parameter(s):
[+] album name - iPad or iPone
Affected Module(s):
[+] Index Listing - Album
1.2
A local file include and arbitrary file upload vulnerability is detected in the
mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.
The vulnerability allows remote attackers via POST method to include
unauthorized remote files on the affected webserver file system.
Remote attackers can also unauthorized implement mobile webshells by using
multiple file extensions (pentest.php.js.gif) when processing to
upload via POST request method. The attacker uploads a file with a double
extension or multiple extensions and access the file in the
secound step by usage of the directory webserver dir listing to compromise the
apple iphone or ipad.
Exploitation of the local file include web vulnerability does not require user
interaction and also no application user account.
Successful exploitation of the web vulnerabilities results in app/service
manipulation and ipad or iphone compromise via file
include or unauthorized web-server file (webshell) upload attacks.
Vulnerable Application(s):
[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes
or AppStore (Apple)
Vulnerable Module(s):
[+] Compressing archiv to zip
Vulnerable Parameter(s):
[+] lib (cat)
[+] sel (selection)
Affected Module(s):
[+] File Dir Album Index - Listing
1.3
An information disclosure and information leak misconfiguration is detected in
the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.
The reported vulnerability allows remote attackers to access unauthorized
web-server photos or web-server files by exploitation of a misconfiguration.
The secound vulnerability is located in the upload file script of the webserver
(http://localhost:2323/) when processing to download with
a manipulated POST method request all available path files. The attacker can
manipulate the lib and sel values in the POST request to download
unauthorized not accessable photo files. After the iphone or ipad user allowed
one time to access the iOS photo service anybody can also
access not implemented files from the same service folder.
Exploitation of the information disclosure web vulnerability does not require
user interaction or an application user account.
Successful exploitation of the information disclosure app vulnerability results
in unauthorized photo and webserver file access.
Vulnerable Application(s):
[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes
or AppStore (Apple)
Vulnerable Module(s):
[+] compressprogress
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] zipdownload
1.4
A client side cross site scripting web vulnerability is detected in the mobile
Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.
The vulnerability allows remote attackers to form manipulated urls to inject
script code on client side application requests.
The client side cross site scripting web vulnerability is located in the path
section when processing to request the images via GET with a
manipulated filename (value) parameter. The vulnerability occurs when a remote
attacker is changing the requested file to own script code.
The request will be executed on client side of the victims browser. The app
displays any non existing path with a file request without secure
encoding which results in the execution of the script code out of the exception
error message.
Exploitation of the vulnerability does not require an application user account
but low or medium user interaction.
Successful exploitation results in client side cross site requests,
unauthorized external redirects, client side phishing,
client side session hijacking and client side module context manipulation.
Vulnerable Application(s):
[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes
or AppStore (Apple)
Vulnerable Module(s):
[+] Path Folder
Vulnerable Parameter(s):
[+] filename (*.html)
Proof of Concept:
=================
1.1
The local command injection web vulnerability can be exploited by remote
attackers without an application user account
and without user interaction. For demonstration or reproduce ...
Manually steps to reproduce ... Command Inject via Foldername
1. Install the application from itunes or directly from the appstore
2. Open the service and make the webserver available via http
3. Now open for example your iphone or ipad device to sync
4. Open on your device the standard albums in photos
5. Change the name of one of your standard album to a path command inject string
6. Open another device and access the index listing of the application after
the album sync
7. The code will be executed out of the main album name listing
8. Successful reproduced ...!
PoC: List of image libraries.htm
<div class="span5" style="position:absolute;top:50%;margin-top:-10px;">
<div style="margin-left:30px;"><a href="http://192.168.2.104:2323/1/";
style="font-size:18px;font-weight:bold;">>%20>"<[<COMMAND/PATH
INJECTION>]"List%20of%20image%20libraries_files/x.htm">
<><>>%20>"<[<COMMAND/PATH INJECTION>]></a></div>
</div>
<div class="span3" style="text-align:center;">
<img class="thumbnail" src="/1/tn_0.jpg"
alt="" style="max-width:150px;max-height:150px;"/>
1.2
The local file web vulnerability can be exploited by remote attackers without
an application user account
and also without user interaction. For demonstration or reproduce ...
Manually steps to reproduce ... File Include Vulnerability
1. Start your session tamper tool or wireshark on your computer
2. Install the application on the ipad or iphone device
3. Start to tamper the http session or filter the http pakets via wireshark
4. Start the application on your ipad or iphone
5. Open with a external device (computer > browser) the application
6. Now process to upload via form a image and hold a request via tamper or
record the paket for a secound request
7. Include atfer choosing a random image a webshell and include (upload) it
with a double or tripple (*.php.jpg.gif or *.html.gif) extension
8. After the upload you only need to refresh the album index and try to
request via selection and lib parameter the file
9. The webshell got unauthorized uploaded and is accessable to compromise the
device or app
10. Successful reproduced!
--- POST REQUEST METHOD ---
lib[2]
> sel[0,1,2,3,4,5,6,7,8,9] > (Selection Page)
1.3
The information disclosure misconfiguration bug can be exploited by remote
attackers without an application user account
and without user interaction. For demonstration or reproduce ...
Manually steps to reproduce ... Information Disclosure Misconfiguration
1. Start your session tamper tool or wireshark on your computer
2. Install the application on the ipad or iphone device
3. Start to tamper the http session or filter the http pakets via wireshark
4. Start the application on your ipad or iphone
5. Open with a external device (computer > browser) the application
6. Press Download zip compressed (http://localhost:2323/startcompressing)
7. Hold the secound request after the lib and sel POST values has been
requested
8. Watch the content of the request and exchange the images the service
requested with the images you want to request (example DIM2736.jpg)
9. The images you included will be loaded in the zip compressed folder even if
the selection was another one
10. Successful reproduced ... the attacker can now access the images by using
the vulnerable iOS app
Compressing archive to zip (http://localhost:2323/startcompressing)
Reference(s):
http://localhost:2323/compressprogress5343040?KXVLHQUDKOURRJHC
http://localhost:2323/zipdownload/KXVLHQUDKOURRJHC/images.zip
1.4
The client side cross site scripting web vulnerability can be exploited by
remote attackers without an application user account
and with medium or high required user interaction. For demonstration or
reproduce ...
PoC:
http://localhost:2323/1/tester23/vulnerabilitylab.html%3E%22%3Ciframe%20src=a%3E#7062267329013816800
Risk:
=====
1.1
The security risk of the local command injection web vulnerability is estimated
as high(-).
1.2
The security risk of the file include / arbitrary file upload vulnerability is
estimated as high(+).
1.3
The security risk of the information disclosure misconfiguration bug is
estimated as medium.
1.4
The security risk of the client side cross site scripting web vulnerability is
estimated as low(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxxxxxx)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any
warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.vulnerability-lab.com/register
Contact: admin@xxxxxxxxxxxxxxxxxxxxx - support@xxxxxxxxxxxxxxxxxxxxx
- research@xxxxxxxxxxxxxxxxxxxxx
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com
- news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or
support@xxxxxxxxxxxxxxxxxxxxx) to get a permission.
Copyright © 2013 | Vulnerability
Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx