[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Private Photos v1.0 iOS - Persistent Path Web Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
- Subject: Private Photos v1.0 iOS - Persistent Path Web Vulnerability
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 28 Jul 2013 21:56:37 +0100
Title:
======
Private Photos v1.0 iOS - Persistent Path Web Vulnerability
Date:
=====
2013-07-25
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1034
VL-ID:
=====
1034
Common Vulnerability Scoring System:
====================================
3.5
Introduction:
=============
You must have some private photos you don`t want others peeping. Private photos
is the perfect app to keep
your private photos safely in your iPad. Photos are protected by a password and
you won`t worry your privacy
when friends playing your iPad.
Now you can enjoy your private photos anytime, anywhere with your iPad. The
built-in viewer can zoom in,
zoom out, and slideshow photos, just like the experience with the native photos
app.
Highlighted features:
- One password protection for photos viewing and transferring
- Web access via WIFI
- Multiple photos transferring
- Multi-touch support: swipe, zoom
- Slide show
Transferring your photos to the app is simple. You can easily access your
private photos via WIFI from
desktop/laptop`s web browser (Make sure your desktop/laptop is in the same WIFI
network as your iPad).
When connected to your iPad from web browser, you can select and transfer
multiple photos with one click.
The transferring is also protected by the same password.
(Copy of the Homepage:
https://itunes.apple.com/de/app/my-private-photos/id427134970 )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered 2 persistent web
vulnerabilities in the Private Photos v1.0 application (Apple iOS - iPad &
iPhone).
Report-Timeline:
================
2013-07-25: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Apple AppStore
Product: Private Photos 1.0
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
A persistent input validation web vulnerability is detected in the Private
Photos v1.0 application (Apple iOS - iPad & iPhone).
The bug allows an attacker (remote) to implement/inject malicious own malicious
persistent script codes (application side).
The vulnerability is located in the `Add Directory` module of the web-server
(http://localhost:8080) when processing to
request via POST method manipulated `folder-names`. The folder name will be
changed to the path value without secure filter,
encode or parse. The injected script code will be executed in the path listing
were the attacker injected earlier the code
and of course also in the index listing of the mobile web application.
There is a security protection to filter single and double quotes. When
processing to inject the code a messagebox pops up
with the illegal characters exception. To bypass the exception the remote
attacker can use simple obfuscated strings, embed code
or html/js script codes (frames, scripts, img, embed and co.) without single &
double quotes.
Exploitation of the persistent web vulnerability requires low user interaction
and a local low privilege mobile application account
with a password. Successful exploitation of the vulnerability can lead to
persistent session hijacking (customers), account steal
via persistent web attacks, persistent phishing or persistent module context
manipulation.
Vulnerable Application(s):
[+] Private Photos v1.0 - ITunes or AppStore
(Apple)
Vulnerable Module(s):
[+] Add Directory
Vulnerable Parameter(s):
[+] path (DIRECTORYNAME)
Affected Module(s):
[+] Index Listing
[+] Path/Folder Listing
Proof of Concept:
=================
The persistent input validation web vulnerability can be exploited by remote
attackers with low privilege application user account
and low or medium required user interaction. For demonstration or reproduce ...
PoC: Add Directory
<strong style="position:absolute; color:#226ebc; left:12px; top:0px;
font-size:20px;">Private Photos</strong>
<div style="position:absolute; font-size:15px; color:#444; right:12px;
top:20px; font-size:15px; line-height:24px;
text-align:right; width:360px;"><strong style="color:#F30;">The free version
only allows 100 photos!</strong>
<br><strong>Get the full verison in <a
href="http://itunes.apple.com/app/id427134970?mt=8"; style="color:#F60;"
target="_blank">App Store</a></strong></div></div>
<div class="topbar_2" style="color:#FFC;">
<span style="position:absolute; right:10px;"><a href="javascript:addFolder();">
Add Directory</a> | <a id="AllSelect" href="javascript:selectAll()">Select
All</a>
| <a
href="javascript:if(confirm('Are%20you%20sure%20to%20delete?'))delPhoto();"
id="del" style="color:#F30;">Delete</a></span>
<span style="position:absolute; left:10px;">Photos/ ><[PERSISTENT INJECTED
SCRIPT CODE VIA ADD DIRECTORY NAME]">/
<a href="javascript:window.location.href='..'"
style="color:#F60"> <<Up
Level</a></span><span id="photoCount"></span>
Note: The application will attach the injected payload to the main server as
folder/path name. example: http://localhost:8080/[payload]<
Solution:
=========
The vulnerability can be patched by a restriction of the foldername input and a
secure encoding of the input.
The output location of the foldername and path needs to be filtered and encoded
by a secure mechanism.
Risk:
=====
The security risk of the persistent script code inject web vulnerability is
estimated as medium.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com
- magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or
research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
[Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx