exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VLC Media Player iOS App 2.7.8 File Disclosure

VLC Media Player iOS App 2.7.8 File Disclosure
Posted Sep 15, 2017
Authored by Ahmad Ramadhan Amizudin | Site sec-consult.com

VLC Media Player iOS application version 2.7.8 suffers from a file disclosure vulnerability.

tags | exploit
systems | cisco, ios
SHA-256 | e193c871b8bfbe11c945a7f45034301f1cb2c76667721f6887a8febbaed08f57

VLC Media Player iOS App 2.7.8 File Disclosure

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20170913-1 >
=======================================================================
title: Local File Disclosure
product: VLC media player iOS app
vulnerable version: 2.7.8
fixed version: 2.8.1
CVE number: -
impact: Medium
homepage: https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8
found: 2017-08-22
by: Ahmad Ramadhan Amizudin (Office Malaysia)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"VLC is a free and open source cross-platform multimedia player and framework
that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various
streaming protocols."

Source: https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8


Business recommendation:
------------------------
The identified vulnerability allows attackers to steal arbitrary files
(accessible by the app) from the mobile device.

SEC Consult recommends not to enable "Sharing over WiFi" feature in VLC
for iOS which allows wireless file transfer to/from PC until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Local file disclosure
The 'Sharing over WiFi' feature in VLC for iOS is vulnerable to a local file
disclosure vulnerability. An attacker can read any files which can be accessed
with current application privileges. This issue can lead to data theft.


Proof of concept:
-----------------
1) Local file disclosure
The example below shows how the LFD vulnerability can be exploited.

URL : http://$IP:$PORT/download/<path-to-file-or-folder>
METHOD : GET
EXAMPLE : http://$IP:$PORT/download//etc/passwd


The source code excerpt below shows the vulnerable code of the mobile app:

VULN. FILE : Sources/VLCHTTPConnection.m
VULN. CODE :
[...]
- (NSObject<HTTPResponse> *)_httpGETDownloadForPath:(NSString *)path
{
NSString *filePath = [[path stringByReplacingOccurrencesOfString:@"/download/"
withString:@""]stringByReplacingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
HTTPFileResponse *fileResponse = [[HTTPFileResponse alloc]
initWithFilePath:filePath forConnection:self];
fileResponse.contentType = @"application/octet-stream";
return fileResponse;
}
[...]


Vulnerable / tested versions:
-----------------------------
VLC version 2.7.8 has been tested on iOS 10.3.3 and found to be vulnerable.


Vendor contact timeline:
------------------------
2017-08-23: Contacting vendor through email
2017-08-23: Vendor replied, they are looking at it
2017-09-05: Asked for a status update from the vendor
2017-09-09: Vendor released patch in version 2.8.1
2017-09-13: Public release of advisory


Solution:
---------
Upgrade to the latest version available:
https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8


Workaround:
-----------
Disable the 'Sharing over WiFi' feature.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Ahmad Ramadhan / @2017

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close