[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Copy to WebDAV v1.1 iOS - Multiple Web Vulnerabilities
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Copy to WebDAV v1.1 iOS - Multiple Web Vulnerabilities
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 16 Aug 2013 01:08:28 +0100
Title:
======
Copy to WebDAV v1.1 iOS - Multiple Web Vulnerabilities
Date:
=====
2013-08-08
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1044
VL-ID:
=====
1044
Common Vulnerability Scoring System:
====================================
8.9
Introduction:
=============
Copy to WebDAV is designed for use with iWork`s app, which allows you get
document from your Keynote, Numbers and Pages
apps on your iPhone, iPad or iPod Touch, then you can read, edit and share with
other more professional apps.
Copy to WebDAV is running as an local WebDAV and HTTTP Server for iPhone /
iPad, it lets you upload / download documents
to this virtual server directly by any web browser(IE, Safari, Firefox…) or
webdav client from Mac / PC, such as Cyberduck.
However, your safari, some webdav client iPhone / iPad apps can find this
virtual server too.
(Copy of the Homepage:
https://itunes.apple.com/de/app/copy-to-webdav-virtual-webdav/id505898859 )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities
in the Copy to WebDAV v1.1 application (Apple iOS - iPad & iPhone).
Report-Timeline:
================
2013-08-08: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Apple AppStore
Product: Copy to WebDAV - Mobile Application 1.1
Exploitation-Technique:
=======================
Remote
Severity:
=========
Critical
Details:
========
1.1
A file include web vulnerability is detected in the Copy to WebDAV v1.1 mobile
application (Apple iOS - iPad & iPhone).
The file include vulnerability allows remote attackers to include (upload)
local file or path requests to compromise the application or service.
The vulnerability is located in the upload module when processing to upload
files with manipulated filename value in the POST method request.
The attacker can inject local files or path to request own context and
compromise the mobile device. The validation has a bad side effect
which impacts the risk to combine the attack with persistent injected script
code.
Exploitation of the local file include web vulnerability requires no user
interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized local file
and path requests to compromise the device or application.
Vulnerable Application(s):
[+] Copy to WebDAV v1.1 - ITunes or AppStore
(Apple)
Vulnerable Module(s):
[+] Upload (Files) - (http://localhost:8080)
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing
1.2
An arbitrary file upload web vulnerability is detected in the Copy to WebDAV
v1.1 mobile application (Apple iOS - iPad & iPhone).
The arbitrary file upload issue allows a remote attacker to upload files with
multiple extensions to bypass the validation for unauthorized access.
The vulnerability is located in the upload module when processing to upload
files with multiple ending extensions. Attackers are able to upload
a php or js web-shells by renaming the file with multiple extensions. The
attacker uploads for example a web-shell with the following name and
extension image.jpg.js.php.jpg . At the end the attacker deletes in the request
after the upload the jpg to access unauthorized the malicious
file (web-shell) to compromise the web-server or mobile device.
Exploitation of the arbitrary file upload web vulnerability requires no user
interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file
access because of a compromise after the upload of web-shells.
Vulnerable Application(s):
[+] Copy to WebDAV v1.1 - ITunes or AppStore
(Apple)
Vulnerable Module(s):
[+] Upload (Files) - (http://localhost:8080)
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Index File Dir Listing
1.3
A local command/path injection web vulnerability is detected in the Copy to
WebDAV v1.1 application (Apple iOS - iPad & iPhone).
The vulnerability allows to inject local commands via vulnerable system values
to compromise the apple mobile iOS application.
The vulnerability is located in the index file dir listing module when
processing to request and list the ipad or iphone devicename.
Local attackers can change the name of the device to inject the code and
request any local path or inject commands on application-side.
The malicious context with the path request executes when a user or victim is
watching the file dir index listing.
Exploitation of the web vulnerability requires a local privilege iOS device
account with restricted access and no user interaction.
Successful exploitation of the vulnerability results unauthorized execution of
system specific commands and path requests.
Vulnerable Application(s):
[+] Copy to WebDAV v1.1 - ITunes or AppStore
(Apple)
Vulnerable Parameter(s):
[+] device name
Affected Module(s):
[+] Index File Dir Listing
Proof of Concept:
=================
1.1
The local file/path include web vulnerability can be exploited by remote
attackers without privilege application user account and
also without user interaction. For demonstration or reproduce ...
POSTDATA =-----------------------------91441013715855 1
Content-Disposition: form-data; name="file";
filename="<../var/mobile/[File/Path Include Vulnerability]>ben37.png"
Content-Type: image/png
URL=http://localhost:8080/#
PoC: Upload > Filename - INDEX File Dir Listing
<p>
<a href="..">Documents/..</a><br>
<a href="../var/mobile/[File/Path Include
Vulnerability]>ben37.png"><../var/mobile/[File/Path Include
Vulnerability]">ben37.png</a>
<font size="1" style="color:gray">(51.8K, 2013-08-07 22:35)</font><br />
<a href="SampleFiles.zip">SampleFiles.zip</a>
<font size="1" style="color:gray">(2.2M, 2012-04-18 21:58)</font><br />
</p>
<form action="#" method="post" enctype="multipart/form-data" name="form1"
id="form1" onSubmit="return check_file();return false;">
<label>Upload file :
<input type="file" name="file" id="file" />
</label>
<label>
<input type="submit" name="button" id="button" value="Submit" />
</label>
</form>
Note: Remote attackers can unauthorized include files or path requests by
manipulation of the filename value in
the upload POST method request.
1.2
The arbitrary file upload vulnerability can be exploited by remote attackers
without privilege application user account
and also without user interaction. For demonstration or reproduce ...
Standard:
http://192.168.2.104:8080/file.gif
Mnaipulation via Upload (POST to GET)
POSTDATA =-----------------------------2202266615234
Content-Disposition: form-data; name="file";
filename="arbitrary-file-upload.png.txt.iso.js.html.php.gif"
Content-Type: image/gif
URL=http://localhost:8080/#
GET http://localhost:8080/arbitrary-file-upload.png.txt.iso.js
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[0]
Mime Type[application/x-unknown-content-type]
Request Headers:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101
Firefox/22.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Connection[keep-alive]
Response Headers:
Content-Length[0]
Date[Mi., 07 Aug 2013 21:05:13 GMT]
Status=200
PoC:
http://localhost:8080/arbitrary-file-upload.png.txt.iso.js
Note: After the manipulation of the post method request the attacker can
execute the files by a delete of the picture extensions.
Attackers can for example upload a webshells as regular image to the webserver
and execute the webshell by a visit.
1.3
The local command inject web vulnerability can only be exploited by local
attackers with physical device access without user interaction.
For demonstration or reproduce ...
PoC: <body onLoad=alertSuccess()> <h1>Files from ipad'[LOCAL COMMAND/PATH
INJECT VULNERABILITY VIA DEVICENAME]</h1>
Reference(s): http://localhost:8080/x
Note: The local attacker can change the device name to inject own command and
path. The result with the execution will be visible
in the header section of the file dir index and sub folders.
Solution:
=========
1.3
The local command inject vulnerability can be patched by a secure encoding of
the devicename output listing in the index and sub folder listings.
1.1 - 1.2
The arbitrary file upload and file/path include vulnerabilities can be patched
by a secure filter and parse of the filenames in the POST method request
(upload).
As secound stept the output listing needs to be encoded and parsed in a secure
way to disallow execution of malicious context.
The third step will be to allow only one extension inside of the upload and
validation procedure. It is also required to secure the access rights
when processing to load with local context other frame with files.
Risk:
=====
1.1
The security risk of the local command inject web vulnerability is estimated as
medium.
1.2
The security risk of the local file include web vulnerability is estimated as
high(+).
1.3
The security risk of the arbitrary file upload web vulnerability is estimated
as critical.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com
- magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or
research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
[Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/