Document Title:
===============
FileMaster SY-IT v3.1 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1170
Release Date:
=============
2013-12-16
Vulnerability Laboratory ID (VL-ID):
====================================
1170
Common Vulnerability Scoring System:
====================================
8.2
Product & Service Introduction:
===============================
FileMaster is a file manager, downloader, document viewer, video/audio player, text editor, wifi drive, and more
for iPhone, iPad & iPod Touch. Transfer files from your computer, carry them around with you, and share them with
your friends. Using FileMaster is easy. Just long-press on a file or folder icon to display a popup menu.
Simply tap your selection and you’re ready to go. You can tap on the screen to copy, paste, create folders and so on.
There’s no need to worry about the security of FileMaster, either. Your files can be accessed remotely with a password
or locally with a master passcode. No one but you will see what’s in your FileMaster. With FileMaster, you can easily
share files with your friends (peer-to-peep only) using Bluetooth.
(Copy of the Homepage: https://itunes.apple.com/en/app/filemaster-file-manager-downloader/id582219355 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the Shenzhen Youmi IT Co. Ltd - FileMaster v3.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2013-12-16: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Shenzhen Youmi Information Technology Co. Ltd
Product: FileMaster - File Manager & Downloader (Mobile Application) 3.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.2
A local file/path include web vulnerability has been discovered in the Shenzhen Youmi IT Co. Ltd FileMaster v3.1 mobile web-application for apple iOS.
The local file include web vulnerability allows remote attackers to unauthorized include local file requests or system specific path commands to
compromise the web-application or device.
The remote file include web vulnerability is located in the vulnerable `filename` value of the `start upload` module (web interface). Remote attackers
can manipulate the POST method request of `filename` value in the `start upload` module to compromise the mobile application. The attack vector is
persistent and the request method is POST. The local file/path include execute occcurs in the main `file dir index` list.
A secound possibility to execute the payload by usage of the compress function. After the payload with a non executable has been injected the
attacker can use the compress function to generate a .zip package. The generated zip executes the payload in the filename itself and affects
the main index listing too. The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability
scoring system) count of 8.1(+)|(-)8.2.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the local web vulnerability results in application or connected device component compromise by unauthorized local
file include web attacks.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Start Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir List (http://localhost:8000)
1.2
A local file/path include web vulnerability has been discovered in the Shenzhen Youmi IT Co. Ltd FileMaster v3.1 mobile web-application for apple iOS.
The local file include web vulnerability allows remote attackers to unauthorized include local file requests or system specific path commands to
compromise the web-application or device.
The remote file include web vulnerability is located in the vulnerable `folder/path` value of the `Create Folder` module (web interface).
Remote attackers can inject own local file requests or system specific path commands as `folder name`. The request method is POST and the
attack vector is persistent. The local file/path include execute occcurs in the main `file dir index` list. The security risk of the local
file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.0(+)|(-)8.1.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the local web vulnerability results in application or device compromise by unauthorized local file include attacks.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Create Folder
Vulnerable Parameter(s):
[+] folder to path
Affected Module(s):
[+] Index Folder Dir List (http://localhost:8000)
1.3 (1.1)
An arbitrary file upload web vulnerability has been discovered in the Shenzhen Youmi IT Co. Ltd FileMaster v3.1 mobile web-application for apple iOS.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server filter or system validation.
The vulnerability is located in the `start upload` module. Remote attackers are able to upload a php or js web-shells by a rename of the original file
with multiple extensions to bypass the file restriction or upload filter mechanism. The attacker uploads for example a web-shell with the following
name and extension `image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & . gif
file extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is estimated
as high with a cvss (common vulnerability scoring system) count of 7.0(+)|(-)7.1.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of for example web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Start Upload
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Index File Dir List (http://localhost:8000)
Proof of Concept (PoC):
=======================
1.1
The first file include web vulnerability can be exploited by remote attackers without privileged web-application user account and user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
Manual reproduce of the vulnerability ...
1. Install and start the app (iphone or ipad)
2. Start your web browser and open the following local standard web-server url ( http://localhost:8000 )
3. Start to tamper your web session in the browser and click the `Start Upload` button
4. Choose a file and manipulate the filename value by exchange with your own payload (local file request)
5. After the request has been stored in the app you only refresh the index listing
6. Now, the first local file request execute occurs in the index listing
Note: Now, we let the system generate a compressed file with the same payload to execute the malicious request as filename value
6. Open the item listing and click in the file option menu the file `compress` (Packen) button
7. The local file include executes in the upload path of the file
8. Successful reproduce of the vulnerability!
PoC: filename (compress)
| 
>"<[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].zip">
>"