[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Mobile Atlas Creator 1.9.12 - Persistent Command Injection Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
Subject: Mobile Atlas Creator 1.9.12 - Persistent Command Injection Vulnerability
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 05 Jul 2013 00:26:30 +0100
Title:
======
Mobile Atlas Creator 1.9.12 - Persistent Command Injection Vulnerability


Date:
=====
2013-06-11


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=970



VL-ID:
=====
970


Common Vulnerability Scoring System:
====================================
3.5


Introduction:
=============
Mobile Atlas Creator (formerly known as TrekBuddy Atlas Creator) is an open 
source (GPL) program which creates offline atlases 
for GPS handhelds and cell phone applications like TrekBuddy, AndNav and other 
Android and WindowsCE based applications. For the 
full list of supported applications please see the features section. 
Additionally individual maps can be exported as one large 
PNG image with calibration MAP file for OziExplorer. As source for an offline 
atlas Mobile Atlas Creator can use a large number 
of different online maps such as OpenStreetMap and other online map providers.

http://mobac.sourceforge.net/
http://mobac.sourceforge.net/MOBAC/CHANGELOG.txt


Abstract:
=========
The Vulnerability Laboratory Security Team discovered a persistent 
vulnerability & local command path inject bug in the Mobile Atlas Creator 
1.9.12 (2116) software.


Report-Timeline:
================
2013-05-02: Researcher Notification & Coordination (Ateeq Khan)
2013-05-03: Vendor Notification (MOB - Developer Team)
2013-05-03: Vendor Response/Feedback (MOB - Developer Team)
2013-05-29: Vendor Fix/Patch (MOB - Developer Team)
2013-06-11: Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
MOBAC
Product: Mobile Atlas Creator 1.9.12 


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
Due to the fact that proper user input sanatization is not being performed, it 
is possible to inject user specified HTML code 
within the Atlas Mobile Creator Application. Besides HTML Injection, Local 
Command Path Injecton is also Possible.  Other 
interesting behaviour includes that if you use <script>alert(1)</script> you 
will get an exception error and application will 
show you an error window. Upon further investigation, I was also able to load 
files from my local system where the 
application is installed. 

The bug exists in the Name FIeld while creating a New Atlas Map. A Malicious 
Attacker can save the script code as an Atlas Map 
file and send it to unknown victims. This surely makes this bug very 
interesting.  Please also note, I was able to cause multiple 
types of exception errors while trying different payloads which means there is 
a possibility of multiple attack vectors through 
the same vulnerable name field.


Vulnerable Module(s)
                        [+]  Create New Map

Vulnerable Field(s)
                        [+] Name


Proof of Concept:
=================
The vulnerability can be exploited by local attackers with low privilege system 
user account and low user interaction.
For demonstration or reproduce ...

Manually steps to reproduce ...

1) Install and open atlas software
2) In the menu, goto Atlas -> New Atlas
3) Use the following payload as the Atlas name >"<iframe 
src=http://www.vulnerability-lab.com
4) Click OK to save the input with the non-malicious test frame
5) Right click on the Atlas Content and click the Show Details menu button
6) The script code with the test frame will be executed in the main software 
when processing to load the show details function of the main listing module.

Note: If you use <script>alert(1)</script> you will get an exception error and 
application will show you an error window.redisplay


Solution:
=========
Proper user input sanatization should be performed and all special / illegal 
characters should be filtered out to prevent any such / similar attacks.


Risk:
=====
The security risk of the persistent input validation vulnerabilities and local 
command path inject vulnerabilities  are estimated as medium(+)|(-)high.


Credits:
========
Vulnerability Laboratory [Research Team] - Ateeq Khan 
(khan@xxxxxxxxxxxxxxxxxxxxx)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
               - www.vulnerability-lab.com/register
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - support@xxxxxxxxxxxxxxxxxxxxx 
               - research@xxxxxxxxxxxxxxxxxxxxx
Section:    video.vulnerability-lab.com         - forum.vulnerability-lab.com   
               - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
               - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or 
support@xxxxxxxxxxxxxxxxxxxxx) to get a permission.

                                        Copyright © 2013 | Vulnerability 
Laboratory

-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
Prev by Date: re: Real player resource exhaustion Vulnerability
Next by Date: AVAST Internet Security Suite - Persistent Vulnerabilities
Previous by thread: Multiple Vulnerabilities in OpenX
Next by thread: AVAST Internet Security Suite - Persistent Vulnerabilities
Index(es):
- Date
- Thread