Title:
======
Copy to WebDAV v1.1 iOS - Multiple Web Vulnerabilities


Date:
=====
2013-08-08


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1044


VL-ID:
=====
1044


Common Vulnerability Scoring System:
====================================
8.9


Introduction:
=============
Copy to WebDAV is designed for use with iWork`s app, which allows you get document from your Keynote, Numbers and Pages 
apps on your iPhone, iPad or iPod Touch, then you can read, edit and share with other more professional apps.

Copy to WebDAV is running as an local WebDAV and HTTTP Server for iPhone / iPad, it lets you upload / download documents 
to this virtual server directly by any web browser(IE, Safari, Firefox…) or webdav client from Mac / PC, such as Cyberduck. 
However, your safari, some webdav client iPhone / iPad apps can find this virtual server too. 

(Copy of the Homepage: https://itunes.apple.com/de/app/copy-to-webdav-virtual-webdav/id505898859 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the Copy to WebDAV v1.1 application (Apple iOS - iPad & iPhone).


Report-Timeline:
================
2013-08-08:    Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: Copy to WebDAV - Mobile Application 1.1


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
1.1
A file include web vulnerability is detected in the Copy to WebDAV v1.1 mobile application (Apple iOS - iPad & iPhone).
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service.

The vulnerability is located in the upload module when processing to upload files with manipulated filename value in the POST method request.
The attacker can inject local files or path to request own context and compromise the mobile device. The validation has a bad side effect 
which impacts the risk to combine the attack with persistent injected script code.

Exploitation of the local file include web vulnerability requires no user interaction or privilege application user account with password. 
Successful exploitation of the vulnerability results in unauthorized local file and path requests to compromise the device or application.

Vulnerable Application(s):
        [+] Copy to WebDAV v1.1 - ITunes or AppStore (Apple)

Vulnerable Module(s):
        [+] Upload (Files) - (http://localhost:8080)

Vulnerable Parameter(s):
        [+] filename 

Affected Module(s):
        [+] Index File Dir Listing



1.2
An arbitrary file upload web vulnerability is detected in the Copy to WebDAV v1.1 mobile application (Apple iOS - iPad & iPhone).
The arbitrary file upload issue allows a remote attacker to upload files with multiple extensions to bypass the validation for unauthorized access.

The vulnerability is located in the upload module when processing to upload files with multiple ending extensions. Attackers are able to upload 
a php or js web-shells by renaming the file with multiple extensions. The attacker uploads for example a web-shell with the following name and 
extension image.jpg.js.php.jpg . At the end the attacker deletes in the request after the upload the jpg to access unauthorized the malicious 
file (web-shell) to compromise the web-server or mobile device.

Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.

Vulnerable Application(s):
        [+] Copy to WebDAV v1.1 - ITunes or AppStore (Apple)

Vulnerable Module(s):
        [+] Upload (Files) - (http://localhost:8080)

Vulnerable Parameter(s):
        [+] filename (multiple extensions)

Affected Module(s):
        [+] Index File Dir Listing


1.3
A local command/path injection web vulnerability is detected  in the Copy to WebDAV v1.1 application (Apple iOS - iPad & iPhone).
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.

The vulnerability is located in the index file dir listing module when processing to request and list the ipad or iphone devicename.
Local attackers can change the name of the device to inject the code and request any local path or inject commands on application-side.
The malicious context with the path request executes when a user or victim is watching the file dir index listing.

Exploitation of the web vulnerability requires a local privilege iOS device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results unauthorized execution of system specific commands and path requests.

Vulnerable Application(s):
        [+] Copy to WebDAV v1.1  - ITunes or AppStore (Apple)

Vulnerable Parameter(s):
        [+] device name

Affected Module(s):
        [+] Index File Dir Listing



Proof of Concept:
=================
1.1
The local file/path include web vulnerability can be exploited by remote attackers without privilege application user account and 
also without user interaction. For demonstration or reproduce ...


POSTDATA =-----------------------------91441013715855 1
Content-Disposition: form-data; name="file"; filename="<../var/mobile/[File/Path Include Vulnerability]>ben37.png"
Content-Type: image/png
URL=http://localhost:8080/#

PoC: Upload > Filename - INDEX File Dir Listing

<p>
<a href="..">Documents/..</a><br>
<a href="../var/mobile/[File/Path Include Vulnerability]>ben37.png"><../var/mobile/[File/Path Include Vulnerability]">ben37.png</a>  
<font size="1" style="color:gray">(51.8K, 2013-08-07 22:35)</font><br />
<a href="SampleFiles.zip">SampleFiles.zip</a>  
<font size="1" style="color:gray">(2.2M, 2012-04-18 21:58)</font><br />
</p>
<form action="#" method="post" enctype="multipart/form-data" name="form1" 
id="form1" onSubmit="return check_file();return false;">
<label>Upload file :
<input type="file" name="file" id="file" />
</label>
<label>
<input type="submit" name="button" id="button" value="Submit" />
</label>
</form>


Note: Remote attackers can unauthorized include files or path requests by manipulation of the filename value in 
the upload POST method request.



1.2
The arbitrary file upload vulnerability can be exploited by remote attackers without privilege application user account 
and also without user interaction. For demonstration or reproduce ...

Standard:
http://192.168.2.104:8080/file.gif


Mnaipulation via Upload (POST to GET)
POSTDATA =-----------------------------2202266615234
Content-Disposition: form-data; name="file"; filename="arbitrary-file-upload.png.txt.iso.js.html.php.gif"
Content-Type: image/gif
URL=http://localhost:8080/#


GET http://localhost:8080/arbitrary-file-upload.png.txt.iso.js 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] 
Content Size[0] 
Mime Type[application/x-unknown-content-type]
   

Request Headers: 
Host[localhost:8080]
      
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
      
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]

Connection[keep-alive]
Response Headers:
Content-Length[0]

Date[Mi., 07 Aug 2013 21:05:13 GMT]


Status=200


PoC:
http://localhost:8080/arbitrary-file-upload.png.txt.iso.js


Note: After the manipulation of the post method request the attacker can execute the files by a delete of the picture extensions.
Attackers can for example upload a webshells as regular image to the webserver and execute the webshell by a visit.



1.3
The local command inject web vulnerability can only be exploited by local attackers with physical device access without user interaction.
For demonstration or reproduce ...

PoC: <body onLoad=alertSuccess()> <h1>Files from ipad'[LOCAL COMMAND/PATH INJECT VULNERABILITY VIA DEVICENAME]</h1>

Reference(s): http://localhost:8080/x

Note: The local attacker can change the device name to inject own command and path. The result with the execution will be visible 
in the header section of the file dir index and sub folders.



Solution:
=========
1.3
The local command inject vulnerability can be patched by a secure encoding of the devicename output listing in the index and sub folder listings.

1.1 - 1.2
The arbitrary file upload and file/path include vulnerabilities can be patched by a secure filter and parse of the filenames in the POST method request (upload).
As secound stept the output listing needs to be encoded and parsed in a secure way to disallow execution of malicious context.
The third step will be to allow only one extension inside of the upload and validation procedure. It is also required to secure the access rights 
when processing to load with local context other frame with files. 


Risk:
=====
1.1
The security risk of the local command inject web vulnerability is estimated as medium.

1.2
The security risk of the local file include web vulnerability is estimated as high(+).

1.3
The security risk of the arbitrary file upload web vulnerability is estimated as critical.


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com     - www.vuln-lab.com             - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com   - research@vulnerability-lab.com          - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev   - forum.vulnerability-db.com            - magazine.vulnerability-db.com
Social:      twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab          - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

        Copyright © 2013 | Vulnerability Laboratory [Evolution Security]


-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com