[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] OPlayer v2.0.05 iOS - Multiple Web Vulnerabilities

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] OPlayer v2.0.05 iOS - Multiple Web Vulnerabilities
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 01 Oct 2012 05:30:14 +0200
Title:
======
OPlayer v2.0.05 iOS - Multiple Web Vulnerabilities


Date:
=====
2012-10-01


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=715


VL-ID:
=====
719


Common Vulnerability Scoring System:
====================================
4.5


Introduction:
=============
OPlayer is used to boost your iPhone/iPod s media abilities, you can also use 
it to streaming audio and video over the internet.

OPlayer HD - Customized for iPad is ready for sale in app store.
OPlayer needs iPod gen3 or later models, iPhone3gs or later models to play 
non-native media formats.
Supported File Format Extension

XVID/DIVX AVI, WMV, RMVB, ASF, H264, MKV, TS, M2TS ... most of all movie file 
formats.
MP3, WMA, WAV, OGG, FLAC... most of all audio file formats.
SMI, ASS, SUB, SRT, TXT... most of all subtitle file formats.

USB Sync: Use itunes to fast sync movies to your iPad.
WIFI Upload: Upload movies by the web browser of your computer, support 
ie/safari/firefox/chrome.
FTP server: Upload movies by the ftp client of your computer, support 
cyberduck/filezilla.
FTP Client: You can download files from FTP server to your iPad.
SAMBA Client: You can download files from SAMBA server to your iPad.
Streaming: Support HTTP/RTSP/MMS/FTP/SAMBA streaming.
File Management: Support New/Rename/Cut/Paste/Delete.
Playlist: Create your own playlist, and play files continuous, you can even use 
OPlayer as a music player.
Different Play Mode: Support Loop off/Loop One/Loop all.
Screen Lock: View your movie even on the bed.
Dynamically Menu: Dynamically choose audio/subtitle/video channel and encoding 
method.
Resume Function: Don t worry about closing your application suddenly.
TV Out: Both cable TV out and AirPlay are supported.
iTunes Backup: By default, we will not backup media data when you do iTunes 
sync, and you can t see 
the files in iTunes, you can enable it in the settings page to backup your 
media data.

(Copy of the Vendor Homepage: 
http://itunes.apple.com/us/app/oplayer-best-video-music-media/id344784375?mt=8 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple Web 
Vulnerabilities in the OPlayer application v2.0.05 for Apples iPhone, iPod 
Touch & iPad.


Report-Timeline:
================
2012-10-01:     Public Disclosure


Status:
========
Published


Affected Products:
==================
OlimSoft
Product: OPlayer - iPhone,iPod Touch & iPad v2.0.05


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
Multiple persistent web vulnerabilities are detected in the OPlayer application 
v2.0.05 for Apples iPhones, iPod Touche & iPads.
The vulnerability allows an attacker (remote) to inject own malicious 
persistent script code to compromise the affected mobile application.

The first web vulnerability is located in the OPlayer WIFI Transfer application 
module in the create/rename folder function with the bound 
vulnerable folder name parameter. Attackers can inject own malicious script 
code or malware as foldername. The script code will be executed 
out of the main application name listing web context.

The secound vulnerability is located in the OPlayer WIFI Transfer application 
module when processing to delete a script code tag as foldername.
The mobile device application itself ask when processing to delete a malicious 
injected script code as foldername. The application did not 
parse the request when processing to display the ask to confirm delete 
messagebox. Attackers can use the not parsed +filename function to execute 
malicious persistent script code out of the ask to confirm messagebox when 
processing to delete a folder.

The vulnerabilities can be exploited by remote attackers without privileged 
user account & with low  user inter action. 
Successful exploitation of the vulnerabilities result in application compromise 
via persistent injects, information disclosure (local files), 
persistent malware loads or persistent web context request manipulation. The 
wifi application needs to be activated because of the remote 
available http interface to upload music for oplayer. The service itself allows 
to inject remotly without using any permission change or password.
When the mobile iOS device has been opened via jailbreak the attack can also 
result in a mobile device take over with full control by the remote attacker.


Vulnerable Application(s):
                                [+] OPlayer - iPhone, iPad & iPod Touch

Vulnerable Service(s):
                                [+] HTTP - OPlayer WIFI Transfer

Vulnerable Module(s):
                                [+] Create Folder
                                [+] Delete Folder

Vulnerable Parameter(s):
                                [+] Foldername - Name (i)
                                [+] FileName - +Filename (dls)

Affected Section(s):
                                [+] Index Application Listing - Name
                                [+] Ask to Confirm  - Delete Message


Proof of Concept:
=================
The persistent web vulnerabilities can be exploited by remote attacker and low 
or medium required user inter action without privileged application 
user account. For demonstration or reproduce ...


Review: Index Application Listing - Name   

<table class="filesTable" cellpadding="0" cellspacing="0">    <thead>    <tr>   
 <td class="hi"></td>    <td class="hn">Name</td>    
<td class="hm">Last Modified</td>    <td class="hs">Size</td>    <td 
class="hk">Kind</td>    <td class="he"></td>    <td class="he"></td>    
<td class="hl"></td>    </tr>    </thead><tbody><tr>
<td class="i"><a href=""><[[PERSISTENT MALICIOUS INJECTED SCRIPT CODE!]];)" 
<="" "=""><img src="/folder.png" 
width="20" height="20"></a></td><
td class="n"><a href=""><[[PERSISTENT MALICIOUS INJECTED SCRIPT CODE!]]") 
</">"><[[PERSISTENT MALICIOUS INJECTED SCRIPT CODE!]]") 
<</a></td>
<td class="m">2012-09-30 16:07:32</td><td class="s"></td><td 
class="k">Folder</td><td class="e">
<span style="height:15px; width:15px;"> </span></td><td class="e"><input 
type="image" src="/webrename.png" 
onClick="modalPopup(""><[[PERSISTENT MALICIOUS INJECTED SCRIPT CODE!]]") <", 0, 
0);" title="Rename file" width="15" height="15"/>
</td><td class="e"><input type="image" src="/webdelete.png" 
onClick="modalPopup("
"><[[PERSISTENT MALICIOUS INJECTED SCRIPT CODE!]]") <
", 2, 0);" title="Delete file" width="15" height="15"/></td></tr><tr 
class="c"><td class="i"><a href="test/">
<img src="/folder.png" width="20" height="20"></a></td><td class="n"><a 
href="test/">test</a></td><
td class="m">2012-09-29 22:28:14</td><td class="s"></td><td 
class="k">Folder</td><td class="e"><
span style="height:15px; width:15px;"> </span></td><td class="e"><input 
type="image" src="/webrename.png" 
onClick="modalPopup("test", 0, 0);" title="Rename file" width="15" 
height="15"/></td><td class="e"><input 
type="image" src="/webdelete.png" onClick="modalPopup("test", 2, 0);" 
title="Delete file" width="15" 

height="15"/></td></tr><tr><td class="i"><a href="unbenannte Datei"><img 
src="/unknown.png" width="20" 

height="20"></a></td><td class="n"><a href="unbenannte Datei">unbenannte 
Datei</a></td><
td class="m">2012-09-30 16:00:19</td><td class="s">0 Byte</td><td 
class="k">File</td><
td class="e"><input type="image" src="/webdownload.png" 
onClick="downloadFile("unbenannte Datei");" 
title="Download file" width="15" height="15"/></td><td class="e"><input 
type="image" src="/webrename.png" 
onClick="modalPopup("unbenannte Datei", 0, 1);" title="Rename file" width="15" 
height="15"/></td><
td class="e"><input type="image" src="/webdelete.png" 
onClick="modalPopup("unbenannte Datei", 2, 1);" 
title="Delete file" width="15" height="15"/></td></tr><tr class="c"><td 
class="i"><a href="unbenannter Ordner/">
<img src="/folder.png" width="20" height="20"></a></td><td class="n"><a 
href="unbenannter Ordner/"
>unbenannter Ordner</a></td><td class="m">2012-09-30 16:00:16</td><td 
>class="s"></td><td class="k"
>Folder</td><td class="e"><span style="height:15px; width:15px;"> 
></span></td><td class="e">
<input type="image" src="/webrename.png" onClick="modalPopup("unbenannter 
Ordner", 0, 0);" title="Rename file" width="15" 
height="15"/></td><td class="e"><input type="image" src="/webdelete.png" 
onClick="modalPopup("unbenannter 
Ordner", 2, 0);" title="Delete file" width="15" 
height="15"/></td></tr></tbody></table>    </div><div 
class="copyright"><p>Copyright © 2011 OLIMSOFT. All Rights Reserved.</p></div>  
  </td>    <!-- right 
table contents -->    <td class="right_content">    <div id="file-uploader">    
<noscript>    <p>Please enable 
JavaScript to use file uploader.</p>    </noscript>    </div>    </td></tr>     
</table>  <!-- upload 
file script -->     <script>             function createUploader(){         var 
uploader = new qq.FileUploader({         
element: document.getElementById('file-uploader')         });     }     
window.onload = createUploader;     </script><!-- modal 
content --><div id="modal-content">     <div id="modal-title"></div>     <div 
id="modal-text"></div>     
<form name="input" action="" method="post">     <div id="modal-field"></div>    
 <input type="hidden" name="ID" id="ID">     
<input type="submit" name="submitButton" id="submitButton">     </form>     
</div></body></html></iframe></a></td></tr></tbody></table>


Review: Ask to Confirm  - Delete Message

<div id="modal-title"><h3>Delete File</h3></div>     <div id="modal-text">
<a>Are you sure you want to delete this file?
"<[[PERSISTENT MALICIOUS INJECTED SCRIPT CODE!]]") <"</a></div>     
<form name="input" action="" method="post"> <div id="modal-field"><input 
type="hidden" name="deleteFile" 
value="[[PERSISTENT MALICIOUS INJECTED SCRIPT CODE!]]"></div>     
<input type="hidden" name="ID" id="ID" value="test"> <input type="submit" 
name="submitButton" id="submitButton" value="Delete"></form>     

</div></div></div></body></html>


Solution:
=========
The vulnerability can be patched by parsing the app and interface foldername 
input mask and output listing.
The secound vulnerability can be patched by parsing the displayed web context 
in the ask to confirm question.
The input fields should be restricted with the following useful input 
characters [a-z][A-Z][0-9].


Risk:
=====
The security risk of the persistent input validation vulnerabilities are 
estimated as medium(+).


Credits:
========
Vulnerability Laboratory [Research Team]  -    Benjamin Kunz Mejri 
(bkm@xxxxxxxxxxxxxxxxxxxxx)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
               - www.vulnerability-lab.com/register
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - support@xxxxxxxxxxxxxxxxxxxxx 
               - research@xxxxxxxxxxxxxxxxxxxxx
Section:    video.vulnerability-lab.com         - forum.vulnerability-lab.com   
               - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
               - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or 
support@xxxxxxxxxxxxxxxxxxxxx) to get a permission.

                                        Copyright © 2012 | Vulnerability 
Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Prev by Date: [Full-disclosure] Switchvox Asterisk v5.1.2 - Multiple Web Vulnerabilities
Next by Date: [Full-disclosure] [HTTPCS] Handshakes Professional 'frm_id' Remote SQL Injection Vulnerability
Previous by thread: [Full-disclosure] Switchvox Asterisk v5.1.2 - Multiple Web Vulnerabilities
Next by thread: [Full-disclosure] [HTTPCS] Handshakes Professional 'frm_id' Remote SQL Injection Vulnerability
Index(es):
- Date
- Thread