[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
FileMaster SY-IT v3.1 iOS - Multiple Web Vulnerabilities
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
- Subject: FileMaster SY-IT v3.1 iOS - Multiple Web Vulnerabilities
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 16 Dec 2013 23:28:28 +0100
Document Title:
===============
FileMaster SY-IT v3.1 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1170
Release Date:
=============
2013-12-16
Vulnerability Laboratory ID (VL-ID):
====================================
1170
Common Vulnerability Scoring System:
====================================
8.2
Product & Service Introduction:
===============================
FileMaster is a file manager, downloader, document viewer, video/audio player,
text editor, wifi drive, and more
for iPhone, iPad & iPod Touch. Transfer files from your computer, carry them
around with you, and share them with
your friends. Using FileMaster is easy. Just long-press on a file or folder
icon to display a popup menu.
Simply tap your selection and you’re ready to go. You can tap on the screen to
copy, paste, create folders and so on.
There’s no need to worry about the security of FileMaster, either. Your files
can be accessed remotely with a password
or locally with a master passcode. No one but you will see what’s in your
FileMaster. With FileMaster, you can easily
share files with your friends (peer-to-peep only) using Bluetooth.
(Copy of the Homepage:
https://itunes.apple.com/en/app/filemaster-file-manager-downloader/id582219355 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities
in the Shenzhen Youmi IT Co. Ltd - FileMaster v3.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2013-12-16: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Shenzhen Youmi Information Technology Co. Ltd
Product: FileMaster - File Manager & Downloader (Mobile Application) 3.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.2
A local file/path include web vulnerability has been discovered in the Shenzhen
Youmi IT Co. Ltd FileMaster v3.1 mobile web-application for apple iOS.
The local file include web vulnerability allows remote attackers to
unauthorized include local file requests or system specific path commands to
compromise the web-application or device.
The remote file include web vulnerability is located in the vulnerable
`filename` value of the `start upload` module (web interface). Remote attackers
can manipulate the POST method request of `filename` value in the `start
upload` module to compromise the mobile application. The attack vector is
persistent and the request method is POST. The local file/path include execute
occcurs in the main `file dir index` list.
A secound possibility to execute the payload by usage of the compress function.
After the payload with a non executable has been injected the
attacker can use the compress function to generate a .zip package. The
generated zip executes the payload in the filename itself and affects
the main index listing too. The security risk of the local file include web
vulnerability is estimated as high with a cvss (common vulnerability
scoring system) count of 8.1(+)|(-)8.2.
Exploitation of the local file include web vulnerability requires no user
interaction or privileged web-application user account with password.
Successful exploitation of the local web vulnerability results in application
or connected device component compromise by unauthorized local
file include web attacks.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Start Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir List (http://localhost:8000)
1.2
A local file/path include web vulnerability has been discovered in the Shenzhen
Youmi IT Co. Ltd FileMaster v3.1 mobile web-application for apple iOS.
The local file include web vulnerability allows remote attackers to
unauthorized include local file requests or system specific path commands to
compromise the web-application or device.
The remote file include web vulnerability is located in the vulnerable
`folder/path` value of the `Create Folder` module (web interface).
Remote attackers can inject own local file requests or system specific path
commands as `folder name`. The request method is POST and the
attack vector is persistent. The local file/path include execute occcurs in the
main `file dir index` list. The security risk of the local
file include web vulnerability is estimated as high with a cvss (common
vulnerability scoring system) count of 8.0(+)|(-)8.1.
Exploitation of the local file include web vulnerability requires no user
interaction or privileged web-application user account with password.
Successful exploitation of the local web vulnerability results in application
or device compromise by unauthorized local file include attacks.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Create Folder
Vulnerable Parameter(s):
[+] folder to path
Affected Module(s):
[+] Index Folder Dir List
(http://localhost:8000)
1.3 (1.1)
An arbitrary file upload web vulnerability has been discovered in the Shenzhen
Youmi IT Co. Ltd FileMaster v3.1 mobile web-application for apple iOS.
The arbitrary file upload issue allows remote attackers to upload files with
multiple extensions to bypass the web-server filter or system validation.
The vulnerability is located in the `start upload` module. Remote attackers are
able to upload a php or js web-shells by a rename of the original file
with multiple extensions to bypass the file restriction or upload filter
mechanism. The attacker uploads for example a web-shell with the following
name and extension `image.jpg.gif.js.php.jpg`. After the upload the attacker
needs to open the file in the web application. He deletes the .jpg & . gif
file extension and can access the application with elevated access rights. The
security risk of the arbitrary file upload web vulnerability is estimated
as high with a cvss (common vulnerability scoring system) count of
7.0(+)|(-)7.1.
Exploitation of the arbitrary file upload web vulnerability requires no user
interaction or privileged web-application user account with password.
Successful exploitation of the vulnerability results in unauthorized file
access because of a compromise after the upload of for example web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Start Upload
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Index File Dir List (http://localhost:8000)
Proof of Concept (PoC):
=======================
1.1
The first file include web vulnerability can be exploited by remote attackers
without privileged web-application user account and user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below.
Manual reproduce of the vulnerability ...
1. Install and start the app (iphone or ipad)
2. Start your web browser and open the following local standard web-server url
( http://localhost:8000 )
3. Start to tamper your web session in the browser and click the `Start Upload`
button
4. Choose a file and manipulate the filename value by exchange with your own
payload (local file request)
5. After the request has been stored in the app you only refresh the index
listing
6. Now, the first local file request execute occurs in the index listing
Note: Now, we let the system generate a compressed file with the same payload
to execute the malicious request as filename value
6. Open the item listing and click in the file option menu the file `compress`
(Packen) button
7. The local file include executes in the upload path of the file
8. Successful reproduce of the vulnerability!
PoC: filename (compress)
<div align="left"> <input name="selfiles" value="[LOCAL FILE INCLUDE
VULNERABILITY VIA FILENAME VALUE!]""
src="FileMaster-filename_files/a_002.txt"
onclick="clickfile(this);" type="checkbox">
<a href="http://localhost:8000/%3E%22%3C[LOCAL FILE INCLUDE VULNERABILITY VIA
FILENAME VALUE!].zip"
target="_blank"><img src="FileMaster-filename_files/zip.png"
class="imgbt"> >"<[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME
VALUE!].zip"></div></th>
<td><div
1.2
The second file include web vulnerability can be exploited by remote attackers
without privileged web-application user account
and user interaction. For security demonstration or to reproduce the
vulnerability follow the provided information and steps below.
Manual reproduce of the vulnerability ...
1. Install and start the app (iphone or ipad)
2. Start your web browser and open the following local standard web-server url
( http://localhost:8000 )
3. Click the `Create Folder` or `Edit Folder` button
4. Inject your payload to the name value input field
5. The payload execute occurs in the main file dir index or sub category list
6. Successful reproduce of the vulnerability!
PoC: Folder/Path name (index)
<div align="left"> <input name="selfiles" value=">" <iframe="LOCAL FILE INCLUDE
VULNERABILITY VIA PATH VALUE!]"
onclick="clickfile(this);" type="checkbox"> <a
href="http://192.168.2.106:8000/%3E%22%3CLOCAL FILE INCLUDE VULNERABILITY VIA
PATH VALUE!]:/">
<img src="LOCAL FILE INCLUDE VULNERABILITY VIA PATH VALUE!]/directory.png"
class="imgbt"> >"<iframe src="LOCAL FILE INCLUDE VULNERABILITY VIA PATH
VALUE!]/x.txt"></div></th>
<td><div
align="right">2013-12-14 23:33</div></td>
<td><div
Solution - Fix & Patch:
=======================
1.1
The first file include web vulnerability can be fixed by a secure encode and
parse of the vulnerable filename value and selfiles input field.
Restrict and encode the file names in the POST method request of the start
upload function to prevent file include attacks.
1.2
The second file include vulnerability can be patched by a secure parse and
encode of the path and folder names.
Restrict and parse the vulnerable create and edit functions but also the broken
index output name validation.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the filename
value is estimated as high(+).
1.2
The security risk of the local file include web vulnerability in the
folder/path name value is estimated as high.
1.3
the arbitrary file upload and restricted file upload bypass vulnerability is
estimated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com
- magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or
research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
[Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx