[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] SeasonApps iTransfer 1.1 - Persistent UI Vulnerability

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] SeasonApps iTransfer 1.1 - Persistent UI Vulnerability
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 07 Nov 2014 14:30:42 +0100
Document Title:
===============
SeasonApps iTransfer 1.1 - Persistent UI Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1347


Release Date:
=============
2014-10-27


Vulnerability Laboratory ID (VL-ID):
====================================
1347


Common Vulnerability Scoring System:
====================================
2.5


Product & Service Introduction:
===============================
Do you want to access your PhotoLibrary`s file on the website? Do you want to 
transfer files from PC to iDevice easily and 
read or send them every where? So the iTransfer will give all these to you.

1. You can get all photos and videos in the Photo Library of your device.
2. Wifi Sharing! These make our life more easy, Isn`t it?
3.A file box for you that you can store and get files on the document 
dictionary of the App. also you can manage the files via Wifi Sharing !
4. Supper File Manager, you can open files with document format as 
pdf,doc,ppt,txt,rtf,png,jpg… and media format as mp3,mp4 and so on.
5.Zip and Unzip which will make you manage your local files early.
6.You can share the files to your friend with email.
7. You can access the files on this app via USB and iTunes.
8.Support for iOS7
9.Add upload feature to Library sharing, you can upload image to your photo 
library now.
10.Add file manage feature to the Local Sharing, just like create dictionary 
and delete files(dictionary)
11.Add Authentication feature to he sharing feature, you can safe browse your 
sharing right now!
12.Add feedback feature, please give us your advice or your bug to us. thanks! 

(Copy of the Homepage: 
https://itunes.apple.com/us/app/itransferpro-transfer-photos/id777151284 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input 
validation vulnerability in the official iTransferPro v1.1 iOS mobile 
application.


Vulnerability Disclosure Timeline:
==================================
2014-10-27:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
SeasonApps iTransfer
Product: iTransfer - iOS Mobile Web Application (Wifi) 1.1


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in 
the official SeasonApps iTransferPro v1.1 iOS mobile application.
The vulnerability allows a local attacker to inject own script code as payload 
to the application-side of the vulnerable service function or module.

The vulnerability is located in the albumname value. Local attackers with low 
privileged device user accounts are able to manipulate the albumname 
values by usage of the wifi sync function in the `Share Photo Library` module. 
The attack vector is persistent on the application-side and the request 
method to inject is a app sync. The issue allows to stream persistent malicious 
script codes to the front site of the wifi photo library interface.

The security risk of the application-side web vulnerability is estimated as 
medium with a cvss (common vulnerability scoring system) count of 2.5.
Exploitation of the application-side web vulnerability requires a low 
privileged web-application user account and low or medium user interaction.
Successful exploitation of the vulnerabilities result in persistent phishing 
mails, session hijacking, persistent external redirect to malicious 
sources and application-side manipulation of affected or connected module 
context.

Request Method(s):
                                        [+] Sync

Vulnerable Module(s):
                                        [+] Share Photo Library

Vulnerable Parameter(s):
                                        [+] items - group (albumname)

Affected Module(s):
                                        [+] Wifi Interface - Share Photo 
Library Index (http://localhost:8888/)


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by local 
attackers with low privileged device user account and low or medium user 
interaction.
For security demonstration or to reproduce the security vulnerability follow 
the provided information and steps below to continue.

PoC: Wifi Interface - Share Photo Library Index (http://localhost:8888/)

<html><head><meta name="viewport" content="width=device-width, 
initial-scale=1.0" 
http-equiv="Content-Type"><title>iTransfer</title><style>html 
{background-color:#eeeeee} body { background-color:#FFFFFF; 
font-family:Tahoma,Arial,Helvetica,sans-serif; font-size:18x; margin-left:5%; 
margin-right:5%; border:3px groove #006600; padding:15px; } 
</style></head><body><h2>Enjoy  iTransfer</h2>
<bq>You Can Access Files of your Photo Library Now :)</bq><script 
type="text/javascript" src="/jquery.js"></script>         
<script type="text/javascript" src="/fileuploader.js"></script>         <link 
href="fileuploader.css" rel="stylesheet" 
type="text/css"><p></p><div id="file-uploader-div"><div 
class="qq-uploader"><div style="display: none;" class="qq-upload-drop-area">
<span>drop files here to upload</span></div><div style="position: relative; 
overflow: hidden; direction: ltr;" class="qq-upload-button">upload a file
<input style="position: absolute; right: 0px; top: 0px; font-family: Arial; 
font-size: 118px; margin: 0px; padding: 0px; cursor: pointer; opacity: 0;" 
name="file" multiple="multiple" type="file"></div><ul 
class="qq-upload-list"></ul></div></div><p></p><script language="javascript">   
                          
$(function(){                               var uploader = new 
qq.FileUploader({                               
element:document.getElementById("file-uploader-div"),                           
   
 action: "/",                               
debug: false,                               
allowedExtensions: ["jpg","png","JPG","PNG","bmp","BMP"],                       
        
template: '<div class="qq-uploader">' +                                
'<div class="qq-upload-drop-area"><span>drop files here to upload</span></div>' 
+                               
'<div class="qq-upload-button">upload a file</div>' +                           
    
'<ul class="qq-upload-list"></ul>' +                                '</div>',   
                            });                               });
</script><br><label color="red"><font size="2" color="red">(Notice: The 
pictures you upload will appear when you share the photo library next 
time)</font></label>
<br><link href="/bootstrap.css" rel="stylesheet">         <script 
src="/bootstrap.min.js"></script><h3>All Groups</h3><ul class="thumbnails"><li 
class="span2">
<div class="thumbnail" style="text-align: center;">
<a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
<img src="7BADE58E-C286-43D8-8CE2-4415C4DF35CA.png" height="150" width="150">
<span stype="white-space: nowrap;">>>"<[PERSISTENT INJECTED SCRIPT CODE 
EXECUTION!] 1items</span></a></div>
<a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
</a></li><li class="span2"><a target="_blank" 
href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
</a><div class="thumbnail" style="text-align: center;"><a target="_blank" 
href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
</a><a target="_blank" href="/group/F8F7120B-9058-4B64-B6EF-59DB570F8872">
<img src="F8F7120B-9058-4B64-B6EF-59DB570F8872.png" height="150" width="150">
<span stype="white-space: nowrap;">Photos 3items</span>
</a></div><a target="_blank" href="/group/F8F7120B-9058-4B64-B6EF-59DB570F8872">
</a></li></ul></body></html>


Reference(s):
http://localhost:8888/
http://localhost:8888/group/


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction of the 
foldername/albumname input fields.
Encode the input and parse the output of the name values in the wifi interface 
to prevent persistent script code executions.


Security Risk:
==============
The security risk of the application-side input validation web vulnerability in 
the wifi interface is estimated as medium(-). (CVSS 2.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen 
material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
                        - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - 
research@xxxxxxxxxxxxxxxxxxxxx                        - admin@xxxxxxxxxxxxxxxxx
Section:    magazine.vulnerability-db.com       - 
vulnerability-lab.com/contact.php                     - 
evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
                        - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - 
vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All 
other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To 
record, list (feed), modify, use or edit our material contact 
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a 
permission.

                                Copyright © 2014 | Vulnerability Laboratory - 
[Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx

COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Prev by Date: [FD] Insecure management of login credentials in PicsArt Photo Studio for Android [STIC-2014-0426]
Next by Date: [FD] BookFresh - Persistent Clients Invite Vulnerability
Previous by thread: [FD] Insecure management of login credentials in PicsArt Photo Studio for Android [STIC-2014-0426]
Next by thread: [FD] BookFresh - Persistent Clients Invite Vulnerability
Index(es):
- Date
- Thread