Twenty Year Anniversary

VLC Media Player iOS App 2.7.8 File Disclosure

VLC Media Player iOS App 2.7.8 File Disclosure
Posted Sep 15, 2017
Authored by Ahmad Ramadhan Amizudin | Site sec-consult.com

VLC Media Player iOS application version 2.7.8 suffers from a file disclosure vulnerability.

tags | exploit
systems | cisco, ios
MD5 | 617910a26e18078b120c91cf74d082b0

VLC Media Player iOS App 2.7.8 File Disclosure

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20170913-1 >
=======================================================================
title: Local File Disclosure
product: VLC media player iOS app
vulnerable version: 2.7.8
fixed version: 2.8.1
CVE number: -
impact: Medium
homepage: https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8
found: 2017-08-22
by: Ahmad Ramadhan Amizudin (Office Malaysia)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"VLC is a free and open source cross-platform multimedia player and framework
that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various
streaming protocols."

Source: https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8


Business recommendation:
------------------------
The identified vulnerability allows attackers to steal arbitrary files
(accessible by the app) from the mobile device.

SEC Consult recommends not to enable "Sharing over WiFi" feature in VLC
for iOS which allows wireless file transfer to/from PC until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Local file disclosure
The 'Sharing over WiFi' feature in VLC for iOS is vulnerable to a local file
disclosure vulnerability. An attacker can read any files which can be accessed
with current application privileges. This issue can lead to data theft.


Proof of concept:
-----------------
1) Local file disclosure
The example below shows how the LFD vulnerability can be exploited.

URL : http://$IP:$PORT/download/<path-to-file-or-folder>
METHOD : GET
EXAMPLE : http://$IP:$PORT/download//etc/passwd


The source code excerpt below shows the vulnerable code of the mobile app:

VULN. FILE : Sources/VLCHTTPConnection.m
VULN. CODE :
[...]
- (NSObject<HTTPResponse> *)_httpGETDownloadForPath:(NSString *)path
{
NSString *filePath = [[path stringByReplacingOccurrencesOfString:@"/download/"
withString:@""]stringByReplacingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
HTTPFileResponse *fileResponse = [[HTTPFileResponse alloc]
initWithFilePath:filePath forConnection:self];
fileResponse.contentType = @"application/octet-stream";
return fileResponse;
}
[...]


Vulnerable / tested versions:
-----------------------------
VLC version 2.7.8 has been tested on iOS 10.3.3 and found to be vulnerable.


Vendor contact timeline:
------------------------
2017-08-23: Contacting vendor through email
2017-08-23: Vendor replied, they are looking at it
2017-09-05: Asked for a status update from the vendor
2017-09-09: Vendor released patch in version 2.8.1
2017-09-13: Public release of advisory


Solution:
---------
Upgrade to the latest version available:
https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8


Workaround:
-----------
Disable the 'Sharing over WiFi' feature.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Ahmad Ramadhan / @2017

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    15 Files
  • 18
    Jul 18th
    15 Files
  • 19
    Jul 19th
    17 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close