[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] SimplyShare v1.4 iOS - Multiple Web Vulnerabilities



Document Title:
===============
SimplyShare v1.4 iOS - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1181


Release Date:
=============
2014-01-28


Vulnerability Laboratory ID (VL-ID):
====================================
1181


Common Vulnerability Scoring System:
====================================
9.2


Product & Service Introduction:
===============================
SimplyShare is the ultimate tool to Transfer your Photos, Videos and Files 
easily to other iPhone/iPod Touch/iPad 
and computers wirelessly (without any iTunes Sync). Download or upload 
photos/videos/files directly from a computer.
Store, manage and view MS Office, iWork, PDF files and many more features

Share Files, Photos or Videos:
- Transfer any number of files, photos or videos with any size to other iOS 
devices (iPhone, iPod Touch and iPad) via Wi-Fi
- Download files, photos or videos with any size to your computer via Wi-Fi
- Upload multiple files, photos or videos with any size from your computer to 
your device via WiFi
- Transfer your files via USB cable (iTunes sync)
- View all your photo albums, videos and files on your device from a computer
- Preserves all photos metadata after transfer
- Slideshow all the photos of an album on a computer (on web browser)
- Display your photos on other iOS devices without transfer/saving them
- Send a short/quick text message from your computer or other iOS devices to 
your own iDevice
- Email files or photos from your device

Download Files from Internet:
- Download files browsing the Internet
- Tap & Hold on any link or photos to save them in SimpyShare app
- Any webpage you visit, SimplyShare automatically generates all the links to 
supported files (MS Office, 
iWork, PDF documents etc). Then you can download them by just a single tap.
- Download images automatically by simply tapping on any image in the webpage

File Manager:
- Open or Print Microsoft Office documents (Office ‘97 and newer)
- Open or Print iWork documents
- View or Print PDF files, Images, RTF documents, CSV, HTML and Text files
- Play Audio and Video files
- Move, Copy delete files/folder or create new folders
- Save images or videos to Photos Album
- Ability to create folders and organize the files within the folders
- iTunes USB sharing ...

( Copy of the Homepage: 
https://itunes.apple.com/en/app/simply-share/id399197227 ) 


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web 
vulnerabilities in the official SimplyShare v1.4 iOS mobile application.


Vulnerability Disclosure Timeline:
==================================
2013-01-28:    Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple AppStore
Product: Rambax, LLC - SimplyShare 1.4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
1.1
A critical remote code execution web vulnerability has been discovered in the 
official SimplyShare v1.4 iOS mobile web-application.
Remote attackers are able to execute own system specific codes to compromise 
the affected web-application or the connected mobile device.

The remote vulnerability is located in the vulnerable `text` value of the `Send 
Text` module. Remote attackers can use the prompt send 
text input to direct execute system codes or malicious application requests. 
The send text input field has no restrictions or secure 
encoding to ensure direct code executes are prevented. After the inject the 
code execution occurs directly in the send text module 
item list. The security risk of the remote code execution vulnerability is 
estimated as critical with a cvss (common vulnerability 
scoring system) count of 9.2(+)|(-)9.3.

Exploitation of the code execution vulnerability requires no user interaction 
or privileged web-application user account with password. 
Successful exploitation of the remote code execution vulnerability results in 
mobile application or connected device component compromise.


Request Method(s):
                                [+] [POST]

Vulnerable Module(s):
                                [+] Send Text

Vulnerable Parameter(s):
                                [+] text

Affected Module(s):
                                [+] Access from Computer (Send Text Index List 
- Text Name & Context)



1.2
A local file/path include web vulnerability has been discovered in the official 
SimplyShare v1.4 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to 
unauthorized include local file/path requests or system 
specific path commands to compromise the web-application or mobile device.

The local file include web vulnerability is located in the vulnerable 
`filename` value of the `upload files` module (web-interface).
Remote attackers are able to inject own files with malicious filename to 
compromise the mobile application. The attack vector is 
persistent and the request method is POST. The local file/path include execute 
occcurs in the main file to path section after the 
refresh of the file upload. The security risk of the local file include web 
vulnerability is estimated as high(+) with a cvss (common 
vulnerability scoring system) count of 7.7(+)|(-)7.8.

Exploitation of the local file include web vulnerability requires no user 
interaction or privileged web-application user account with password. 
Successful exploitation of the local web vulnerability results in mobile 
application or connected device component compromise by unauthorized 
local file include web attacks.

Request Method(s):
                                [+] [POST]

Vulnerable Input(s):
                                [+] Upload Files

Vulnerable Parameter(s):
                                [+] filename

Affected Module(s):
                                [+] Access from Computer (File Dir Index List - 
Folder/Category to  path=/)



1.3
A local command/path injection web vulnerability has been discovered in the 
official SimplyShare v1.4 iOS mobile web-application.
The vulnerability allows to inject local commands via vulnerable system values 
to compromise the apple iOS mobile web-application.

The vulnerability is located in the in the title value of the header area. 
Local attackers are able to inject own script codes 
as iOS device name. The execute of the injected script code occurs with 
persistent attack vector in the header section of the 
web interface. The security risk of the command/path inject vulnerabilities are 
estimated as high with a cvss (common vulnerability 
scoring system) count of 6.2(+)|(-)6.3.

Exploitation of the command/path inject vulnerability requires a local low 
privileged iOS device account with restricted access 
and no direct user interaction. Successful exploitation of the vulnerability 
results in unauthorized execute of system specific 
commands or unauthorized path requests.

Request Method(s):
                                [+] [GET]

Vulnerable Value(s):
                                [+] devicename 

Vulnerable Parameter(s):
                                [+] value to title

Affected Module(s):
                                [+] Access from Computer (File Dir Index List) 
- [Header]




1.4
Multiple persistent input validation web vulnerabilities has been discovered in 
the official SimplyShare v1.4 iOS mobile web-application.
The bug allows remote attackers to implement/inject own malicious persistent 
script codes to the application-side of the vulnerable app.

The vulnerability is located in the `name` value of the internal photo and 
video module. The vulnerability can be exploited by manipulation 
of the local device album names. After the local attacker with physical access 
injected the code to the local device foto app menu, he is able 
to execute the persistent script codes on the application-side of the mobile 
app device. The security risk of the persistent script code inject 
web vulnerabilities are estimated as medium with a cvss (common vulnerability 
scoring system) count of 3.8(+)|(-)3.9.

Exploitation of the persistent web vulnerabilities requires low user 
interaction and no privileged web-application user account with a password. 
Successful exploitation of the vulnerability can lead to persistent session 
hijacking (customers), account steal via persistent web attacks, 
persistent phishing or persistent manipulation of module context.


Vulnerable Module(s):
                                [+] Video Folder Name
                                [+] Photos Folder Name

Vulnerable Parameter(s):
                                [+] album name values

Affected Module(s):
                                [+] Access from Computer (Photos & Videos 
Module)


Proof of Concept (PoC):
=======================
1.1
The remote code execution vulnerability can be exploited by remote attackers 
without user interaction or privileged web-application user account.
For security demonstration or to reproduce the remote code execution 
vulnerability follow the provided steps and information below.

PoC: Send Text

<table class="ui-widget ui-widget-content" style="margin-bottom: 0;"> 
                                <thead> 
                                        <tr class="ui-widget-header"> 
                                                <th></th>
                                                <th>Name</th> 
                                                <th>Date</th> 
                                                <th>Size</th> 
                                        </tr> 
                                </thead> 
                                <tbody>
<tr class="ui-state-default">
<td></td><td colspan="3" class="name"><span class="ui-icon 
ui-icon-folder-collapsed"></span><a href="/?path=/">..</a></td>
</tr>
<tr class="ui-state-default">
<td><input value="/Texts/>" type="checkbox">"<<>"<">[REMOTE CODE EXECUTION 
VULNERABILITY!] s="" 137.txt"="" 
filesize="550"></td><td class="name"><span class="ui-icon 
ui-icon-document"></span>
<a href="/Texts/>">"<<>"<"><[REMOTE CODE EXECUTION VULNERABILITY!] 
137.txt</a></td><td>Jan. 23, 2014 14:07</td><td>0.5 KB</td></tr>


--- PoC Session Logs [GET] ---
14:13:14.499[93ms][total 1294ms] Status: 200[OK]
GET http://192.168.2.109/?path=/Texts Load Flags[VALIDATE_ALWAYS 
LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[6608] Mime 
Type[application/x-unknown-content-type]
   Request Headers:
      Host[192.168.2.109]
      User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 
Firefox/26.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      DNT[1]
      Referer[http://192.168.2.109/]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   Response Headers:
      Accept-Ranges[bytes]
      Content-Length[6608]
      Date[Do., 23 Jan. 2014 13:20:09 GMT]


14:13:14.612[33ms][total 33ms] Status: 200[OK]
GET http://192.168.2.109/rambax/server/jquery-ui-1.8.5.custom.css Load 
Flags[VALIDATE_ALWAYS ] Content Size[22041] Mime Type[text/css]
   Request Headers:
      Host[192.168.2.109]
      User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 
Firefox/26.0]
      Accept[text/css,*/*;q=0.1]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      DNT[1]
      Referer[http://192.168.2.109/?path=/Texts]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   Response Headers:
      Accept-Ranges[bytes]
      Content-Length[22041]
      Content-Type[text/css]
      Date[Do., 23 Jan. 2014 13:20:09 GMT]



1.2
The file include web vulnerability can be exploited by remote attackers without 
user interaction and privileged web-application user account.
For security demonstration or to reproduce the file/path include web 
vulnerability follow the provided steps and information below.

PoC: Upload Files - Filename

<tr class="ui-state-default">
<td><input value="/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]" 
filesize="723" type="checkbox"></td>
<td class="name"><span class="ui-icon ui-icon-document"></span>
<a href="/Documents/[FILE INCLUDE VULNERABILITY VIA FILENAME]">[FILE INCLUDE 
VULNERABILITY VIA FILENAME]</a></td>
<td>Jan. 23, 2014 14:04</td><td>0.7 KB</td></tr>


1.3
The local command inject web vulnerability can be exploited by remote attackers 
without user interaction and privileged web-application user account.
Physical device access or resource access is required to exploit the local 
command inject vulnerability. For security demonstration or to reproduce 
the local command inject vulnerability follow the provided steps and 
information below.


PoC: Title - Header

        <body>
                <div class="visible-div">
                        <img src="/rambax/server/SimplyShare-icon.png">
                        <div id="title">bkm¥337[LOCAL COMMAND INJECT 
VULNERABILITY VIA DEVICE NAME VALUE]</div>
                        <div id="header-links">

1.4
The persistent input validation web vulnerabilities can be exploited by remote 
attackers without privileged application user account but with 
low or medium user interaction. For security demonstration or to reproduce the 
persistent vulnerabilities follow the provided steps and information below.

PoC: Albums > name 

<div id="albums">
<ul class="column">
<li><div class="block"><a href="/rambax/album/0-x" 
title="Camera Roll (137)"><img src="/rambax/album_poster/0.jpg" 
class="photo"></a><span>Camera Roll (137)</span></div></li>
<li><div class="block">
<a href="/rambax/album/1" title="bkm"><[PERSISTENT INJECTED SCRIPT CODE!]"> 
(1)"><img src="/rambax/album_poster/1.jpg" 
class="photo"/></a><span>bkm"><[PERSISTENT INJECTED SCRIPT CODE!]> 
(1)</span></div></li>
                        </ul>
                </div>


Solution - Fix & Patch:
=======================
1.1
The first vulnerability can be patched by a secure restriction and encode of 
the send text input field with the text value parameter.
Ensure the output send text item list module only displays secure parsed, 
encoded and validated context.

1.2
The second vulnerability can be patched by a secure parse and encode of the 
file name value parameter in the Upload File POST method request.

1.3
The third vulnerability can be patched by encoding the header section with the 
title value parameter to prevent physical command injection attacks.

1.4
Encode the photo album and video names to prevent persistent script code 
injection attacks by local stored album components of the foto (photo) app.


Security Risk:
==============
1.1
The security risk of the remote code exection vulnerability is estimated as 
critical.

1.2
The security risk of the local file include web vulnerability is estimated as 
high(+).

1.3
The security risk of the local command inject web vulnerability is estimated as 
high(-).

1.4
The security risk of the persistent script code inject web vulnerabilities via 
POST method request are estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
               - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - 
research@xxxxxxxxxxxxxxxxxxxxx               - admin@xxxxxxxxxxxxxxxxx
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com    
               - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
               - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or 
research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory 
[Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/