
[Full-disclosure] Appologics AirBeam v1.9.2 iOS - Multiple Web Vulnerabilities



Document Title:
===============
Appologics AirBeam v1.9.2 iOS - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1140


Release Date:
=============
2013-11-20


Vulnerability Laboratory ID (VL-ID):
====================================
1140


Common Vulnerability Scoring System:
====================================
7.2


Product & Service Introduction:
===============================
AirBeam turns your iPhones, iPods or iPads into a real-time audio and video surveillance
system. AirBeam streams live video and audio from the cameras and microphones of any number
of iPhones, iPods or iPads. You can watch the stream on any other iDevice, Mac or web
browser, even on multiple screens simultaneously.

Use your iDevices as luxury baby monitors, for serious surveillance, to keep an eye on your
pets, as an FPV cam in your remote control toys... there are hundreds of useful and not so
useful things you can do with it. Even if you have just a single device, AirBeam is an
awesome tool for motion-controlled video recording.

(Copy of the Vendor Homepage: 
https://itunes.apple.com/en/app/airbeam-hd-videouberwachung/id428767956 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the
Appologics UG AirBeam v1.9.2 iOS mobile application.


Vulnerability Disclosure Timeline:
==================================
2013-11-20:    Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple AppStore
Product: AirBeam iOS - Appologics UG 1.9.2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.0
A command/path injection web vulnerability has been discovered in the web interface of the
official Appologics UG AirBeam v1.9.2 iOS mobile application. The web interface inserts the
iOS device name into its pages without encoding, which allows a local attacker to inject
markup, script or path requests into the web UI that AirBeam serves to every viewer.

The injection point is the name value of the iOS device. The device name is rendered
unencoded into the <div id="devicename"> tab header at the top of every page of the web
interface (index.html, recordings.html, settings.html). A local attacker with physical
device access and a restricted user account only needs to change the device name (on iOS,
for example, under Settings > General > About > Name) to place markup in that header. When
a viewer opens the web interface, the browser parses the injected tag and, as the session
log in the PoC shows, requests an attacker-chosen path from the AirBeam web server. The
security risk of the local command/path injection vulnerability in the device name is
estimated as high with a CVSS (Common Vulnerability Scoring System) count of
5.2(+)|(-)5.3.

Exploitation requires local access to the iOS device with the ability to change its name
(a restricted account suffices); no interaction by the viewer of the web interface is
required beyond opening it. Successful exploitation results in unauthorized execution of
injected content and path/file requests in the context of the AirBeam web interface.


Vulnerable Service(s):
                                [+] Appologics UG - AirBeam v1.9.2 (iOS)

Vulnerable Module(s):
                                [+] device name

Vulnerable Parameter(s):
                                [+] name

Affected Device(s):
                                [+] iPad
                                [+] iPhone


2.0
A client-side cross-site scripting (XSS) vulnerability has been discovered in the official
Appologics UG AirBeam v1.9.2 iOS mobile application. The web interface reflects a GET
parameter into the page without encoding, so a remote attacker can inject script that
executes in the victim's browser (client-side).

The client-side cross-site scripting vulnerability is located in the name value of the
delete function (/delete?name=). The value is reflected into the href attributes of the
View and Delete buttons of the recordings list without HTML or URL encoding, so a crafted
GET request breaks out of the attribute and injects attacker-controlled script into the
page. Remote attackers are able to inject their own script code by manipulating the name
value of the GET request and to execute the malicious content on the client side of a
victim's web browser. The security risk of the non-persistent web vulnerability in the
delete function is estimated as medium with a CVSS (Common Vulnerability Scoring System)
count of 2.0(+)|(-)2.1.

Exploitation of the client-side cross-site scripting vulnerability requires no privileged
web-application user account and low or medium user interaction (the victim has to open a
crafted link to the web interface). Successful exploitation results in session hijacking,
client-side phishing, client-side unauthorized/open (external) redirects and client-side
manipulation of the affected web interface context.


Vulnerable Service(s):
                                [+] Appologics UG - AirBeam v1.9.2 (iOS)

Vulnerable Module(s):
                                [+] delete

Affected parameter(s):
                                [+] name

Affected Device(s):
                                [+] iPad
                                [+] iPhone


Proof of Concept (PoC):
=======================
1.0
The command/path injection web vulnerability can be exploited by a local attacker who can
set the iOS device name; the injected value then triggers in the browser of anyone who
opens the AirBeam web interface, without user interaction. For security demonstration or
to reproduce the security vulnerability follow the information below.


Proof of Concept - Device Name

<div id="devicename">device benjamin.KM>"<<>"<[LOCAL COMMAND/PATH INJECT VULNERABILITY VIA DEVICENAME!]></div>
   <div id="navbar">
        <!-- navigation labels: Kamera = Camera, Aufnahmen = Recordings, Einstellungen = Settings -->
        <a class='navitem' href='index.html'>Kamera</a>
        <a class='navitemsel' href='recordings.html'>Aufnahmen</a>
        <a class='navitem' href='settings.html'>Einstellungen</a>
</div>
        </div>
        <div id="content">
           <div id="recordings_hint">
<!-- English: Note: some browsers have difficulty playing the recordings directly in the
     browser window. In that case, download the recording via right-click and "Save as"
     and then watch it. -->
Hinweis: Manche Browser haben Schwierigkeiten die Aufzeichnungen direkt im
Browser-Fenster abzuspielen.
In diesem Fall die Aufzeichnung mittels Rechts-Klick und "Speichern unter"
herunterladen und dann anschauen.
            </div>
                <div id="recordings_list">
            <!--
                <hr class="embosed"/>
                        <div class="recording">
                        <div class="recording_preview">
                        <img width="100px" height="100px" src="images/logo.png">
                        </div>
                        <div class="recording_data">
                                <a class="recording_name" href="/recordings">Recording</a>
                                <div class="recording_details">
                                12:25:00<br>640x480<br>0 min 5 sec<br>10.0 MB<br>
                                </div>
                        </div>
                        <div class="recording_controls">
                                <a class="button" href="/delete?name=">View</a>
                                <a class="button" href="/delete?name=">Delete</a>
                        </div>
                </div>


Note: After the injection, the payload executes where the device name is displayed at the
top of the application header.


--- PoC Session Request Logs [GET] ---

Status: 200[OK]
GET http://airbeam.localhost/recordings.html
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI]
Content Size[-1]
Mime Type[application/x-unknown-content-type]

Request Headers:
Host[airbeam.localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://airbeam.localhost/recordings.html]
Connection[keep-alive]
Cache-Control[max-age=0]

Response Headers:
Transfer-Encoding[chunked]
Accept-Ranges[bytes]
Date[Wed, 20 Nov 2013 02:36:37 GMT]

Status: 200
GET http://airbeam.localhost/[LOCAL INJECTED COMMAND/PATH VALUE!]
Load Flags[LOAD_DOCUMENT_URI]
Content Size[0]
Mime Type[application/x-unknown-content-type]

Request Headers:
Host[airbeam.localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://airbeam.localhost/recordings.html]
Connection[keep-alive]

Response Headers:
Accept-Ranges[bytes]
Content-Length[0]
Date[Wed, 20 Nov 2013 02:36:37 GMT]



2.0
The client-side cross-site scripting vulnerability can be exploited by remote attackers
without a privileged web-application user account and with low user interaction (the
victim opens a crafted link to the AirBeam web interface). For security demonstration or
to reproduce the vulnerability follow the provided information below.

PoC: Client-Side XSS
http://airbeam.localhost/delete?name=[CLIENT-SIDE CROSS SITE SCRIPTING VULNERABILITY!]


Proof of Concept: delete?name - (view & delete)

       <div class="recording_controls">
                <a class="button" href="/delete?name=[CLIENT-SIDE CROSS SITE SCRIPTING VULNERABILITY!]">View</a>
                <a class="button" href="/delete?name=[CLIENT-SIDE CROSS SITE SCRIPTING VULNERABILITY!]">Delete</a>
       </div>


Solution - Fix & Patch:
=======================
1.0
The local command/path injection web vulnerability can be patched by HTML-encoding the
device name before it is inserted into the <div id="devicename"> header of the web
interface (and into any other page that displays it), so that characters such as <, >, "
and ' are emitted as entities instead of being parsed as markup.

2.0
The client-side cross-site scripting web vulnerability can be patched by encoding the name
value of the delete function: percent-encode it when building the /delete?name= query
string and HTML-attribute-encode the resulting href, and additionally reject, on the server
side, names that are not a single file name (path separators, "..", NUL).
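The following Python is an added example for both fixes (1.0 and 2.0); it is not code from
the advisory or from Appologics, whose server code is not shown here, so the renderers are
assumptions that only reproduce the HTML shape visible in the PoC. It puts the vulnerable
rendering of the device name and of the delete links beside the encoded versions, decodes
the encoded link the way a browser plus the /delete handler would to show that legitimate
recording names round-trip intact, and adds the server-side name check. The payloads and
the recording name are constructed sample inputs.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample inputs for this example (not taken from the advisory):
# a device name carrying markup and a recording name breaking out of an attribute.
DEVICE_NAME_PAYLOAD = 'device benjamin.KM>"<<>"<img src=x onerror=alert(1)>'
RECORDING_NAME_PAYLOAD = '"><script>alert(1)</script>'


def render_header_vulnerable(device_name: str) -> str:
    """Header as the advisory shows it: the device name is concatenated raw."""
    return f'<div id="devicename">{device_name}</div>'


def render_header_fixed(device_name: str) -> str:
    """Fix 1.0: HTML-encode text content so <, >, &, " and ' become entities."""
    return f'<div id="devicename">{html.escape(device_name, quote=True)}</div>'


def render_controls_vulnerable(name: str) -> str:
    """Buttons as the advisory shows them: the name lands raw inside href."""
    return (f'<a class="button" href="/delete?name={name}">View</a>\n'
            f'<a class="button" href="/delete?name={name}">Delete</a>')


def build_delete_href(name: str) -> str:
    """Fix 2.0, layer by layer: percent-encode the query value (safe="" so even
    '/' and '?' are encoded), then HTML-attribute-encode the whole href."""
    url = "/delete?name=" + quote(name, safe="")
    return html.escape(url, quote=True)


def render_controls_fixed(name: str) -> str:
    """Hardened buttons: the href is URL-encoded and attribute-encoded."""
    href = build_delete_href(name)
    return (f'<a class="button" href="{href}">View</a>\n'
            f'<a class="button" href="{href}">Delete</a>')


def name_from_rendered_link(rendered: str) -> str:
    """Decode the way a browser plus the server would: take the first href,
    undo HTML entities, then parse the query string (percent-decoding it)."""
    m = re.search(r'href="([^"]*)"', rendered)
    if m is None:
        return ""
    url = html.unescape(m.group(1))
    return parse_qs(urlparse(url).query).get("name", [""])[0]


def is_plain_recording_name(name: str) -> bool:
    """Server-side check for the /delete handler, independent of encoding:
    a recording name must be a single path component, not a traversal."""
    if name in ("", ".", ".."):
        return False
    return not any(c in name for c in "/\\\x00")


def markup_survives(rendered: str, marker: str) -> bool:
    """Check helper: did a raw markup marker (e.g. '<img') reach the output?"""
    return marker in rendered


if __name__ == "__main__":
    print(render_header_vulnerable(DEVICE_NAME_PAYLOAD))
    print(render_header_fixed(DEVICE_NAME_PAYLOAD))
    print(render_controls_vulnerable(RECORDING_NAME_PAYLOAD))
    print(render_controls_fixed(RECORDING_NAME_PAYLOAD))
    print(name_from_rendered_link(render_controls_fixed(RECORDING_NAME_PAYLOAD)))
```

The two encoding layers in build_delete_href are deliberate: percent-encoding alone stops
the value from altering the URL, attribute-encoding alone stops it from closing the href
quote, and a browser applies the decoders in the reverse order, so the server still receives
the exact recording name. The is_plain_recording_name check belongs in the handler itself,
because encoding the link does nothing against a request that bypasses the page.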


Security Risk:
==============
1.0
The security risk of the local command/path inject web vulnerability via 
device-name is estimated as high.

2.0
The security risk of the client-side cross site scripting web vulnerability in 
the delete file name value is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx - research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section:    www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or 
research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.

                                Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/