Document Title: =============== SimplyShare v1.4 iOS - Multiple Web Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1181 Release Date: ============= 2014-01-28 Vulnerability Laboratory ID (VL-ID): ==================================== 1181 Common Vulnerability Scoring System: ==================================== 9.2 Product & Service Introduction: =============================== SimplyShare is the ultimate tool to Transfer your Photos, Videos and Files easily to other iPhone/iPod Touch/iPad and computers wirelessly (without any iTunes Sync). Download or upload photos/videos/files directly from a computer. Store, manage and view MS Office, iWork, PDF files and many more features Share Files, Photos or Videos: - Transfer any number of files, photos or videos with any size to other iOS devices (iPhone, iPod Touch and iPad) via Wi-Fi - Download files, photos or videos with any size to your computer via Wi-Fi - Upload multiple files, photos or videos with any size from your computer to your device via WiFi - Transfer your files via USB cable (iTunes sync) - View all your photo albums, videos and files on your device from a computer - Preserves all photos metadata after transfer - Slideshow all the photos of an album on a computer (on web browser) - Display your photos on other iOS devices without transfer/saving them - Send a short/quick text message from your computer or other iOS devices to your own iDevice - Email files or photos from your device Download Files from Internet: - Download files browsing the Internet - Tap & Hold on any link or photos to save them in SimpyShare app - Any webpage you visit, SimplyShare automatically generates all the links to supported files (MS Office, iWork, PDF documents etc). Then you can download them by just a single tap. - Download images automatically by simply tapping on any image in the webpage File Manager: - Open or Print Microsoft Office documents (Office ‘97 and newer) - Open or Print iWork documents - View or Print PDF files, Images, RTF documents, CSV, HTML and Text files - Play Audio and Video files - Move, Copy delete files/folder or create new folders - Save images or videos to Photos Album - Ability to create folders and organize the files within the folders - iTunes USB sharing ... ( Copy of the Homepage: https://itunes.apple.com/en/app/simply-share/id399197227 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official SimplyShare v1.4 iOS mobile application. Vulnerability Disclosure Timeline: ================================== 2013-01-28: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Apple AppStore Product: Rambax, LLC - SimplyShare 1.4 Exploitation Technique: ======================= Remote Severity Level: =============== Critical Technical Details & Description: ================================ 1.1 A critical remote code execution web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application. Remote attackers are able to execute own system specific codes to compromise the affected web-application or the connected mobile device. The remote vulnerability is located in the vulnerable `text` value of the `Send Text` module. Remote attackers can use the prompt send text input to direct execute system codes or malicious application requests. The send text input field has no restrictions or secure encoding to ensure direct code executes are prevented. After the inject the code execution occurs directly in the send text module item list. The security risk of the remote code execution vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 9.2(+)|(-)9.3. Exploitation of the code execution vulnerability requires no user interaction or privileged web-application user account with password. Successful exploitation of the remote code execution vulnerability results in mobile application or connected device component compromise. Request Method(s): [+] [POST] Vulnerable Module(s): [+] Send Text Vulnerable Parameter(s): [+] text Affected Module(s): [+] Access from Computer (Send Text Index List - Text Name & Context) 1.2 A local file/path include web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application. The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands to compromise the web-application or mobile device. The local file include web vulnerability is located in the vulnerable `filename` value of the `upload files` module (web-interface). Remote attackers are able to inject own files with malicious filename to compromise the mobile application. The attack vector is persistent and the request method is POST. The local file/path include execute occcurs in the main file to path section after the refresh of the file upload. The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.7(+)|(-)7.8. Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password. Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise by unauthorized local file include web attacks. Request Method(s): [+] [POST] Vulnerable Input(s): [+] Upload Files Vulnerable Parameter(s): [+] filename Affected Module(s): [+] Access from Computer (File Dir Index List - Folder/Category to path=/) 1.3 A local command/path injection web vulnerability has been discovered in the official SimplyShare v1.4 iOS mobile web-application. The vulnerability allows to inject local commands via vulnerable system values to compromise the apple iOS mobile web-application. The vulnerability is located in the in the title value of the header area. Local attackers are able to inject own script codes as iOS device name. The execute of the injected script code occurs with persistent attack vector in the header section of the web interface. The security risk of the command/path inject vulnerabilities are estimated as high with a cvss (common vulnerability scoring system) count of 6.2(+)|(-)6.3. Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific commands or unauthorized path requests. Request Method(s): [+] [GET] Vulnerable Value(s): [+] devicename Vulnerable Parameter(s): [+] value to title Affected Module(s): [+] Access from Computer (File Dir Index List) - [Header] 1.4 Multiple persistent input validation web vulnerabilities has been discovered in the official SimplyShare v1.4 iOS mobile web-application. The bug allows remote attackers to implement/inject own malicious persistent script codes to the application-side of the vulnerable app. The vulnerability is located in the `name` value of the internal photo and video module. The vulnerability can be exploited by manipulation of the local device album names. After the local attacker with physical access injected the code to the local device foto app menu, he is able to execute the persistent script codes on the application-side of the mobile app device. The security risk of the persistent script code inject web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 3.8(+)|(-)3.9. Exploitation of the persistent web vulnerabilities requires low user interaction and no privileged web-application user account with a password. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks, persistent phishing or persistent manipulation of module context. Vulnerable Module(s): [+] Video Folder Name [+] Photos Folder Name Vulnerable Parameter(s): [+] album name values Affected Module(s): [+] Access from Computer (Photos & Videos Module) Proof of Concept (PoC): ======================= 1.1 The remote code execution vulnerability can be exploited by remote attackers without user interaction or privileged web-application user account. For security demonstration or to reproduce the remote code execution vulnerability follow the provided steps and information below. PoC: Send Text --- PoC Session Logs [GET] --- 14:13:14.499[93ms][total 1294ms] Status: 200[OK] GET http://192.168.2.109/?path=/Texts Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[6608] Mime Type[application/x-unknown-content-type] Request Headers: Host[192.168.2.109] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Referer[http://192.168.2.109/] Connection[keep-alive] Cache-Control[max-age=0] Response Headers: Accept-Ranges[bytes] Content-Length[6608] Date[Do., 23 Jan. 2014 13:20:09 GMT] 14:13:14.612[33ms][total 33ms] Status: 200[OK] GET http://192.168.2.109/rambax/server/jquery-ui-1.8.5.custom.css Load Flags[VALIDATE_ALWAYS ] Content Size[22041] Mime Type[text/css] Request Headers: Host[192.168.2.109] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0] Accept[text/css,*/*;q=0.1] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Referer[http://192.168.2.109/?path=/Texts] Connection[keep-alive] Cache-Control[max-age=0] Response Headers: Accept-Ranges[bytes] Content-Length[22041] Content-Type[text/css] Date[Do., 23 Jan. 2014 13:20:09 GMT] 1.2 The file include web vulnerability can be exploited by remote attackers without user interaction and privileged web-application user account. For security demonstration or to reproduce the file/path include web vulnerability follow the provided steps and information below. PoC: Upload Files - Filename 1.3 The local command inject web vulnerability can be exploited by remote attackers without user interaction and privileged web-application user account. Physical device access or resource access is required to exploit the local command inject vulnerability. For security demonstration or to reproduce the local command inject vulnerability follow the provided steps and information below. PoC: Title - Header
bkm¥337[LOCAL COMMAND INJECT VULNERABILITY VIA DEVICE NAME VALUE]
Name Date Size
..
"<<>"<">[REMOTE CODE EXECUTION VULNERABILITY!] s="" 137.txt"="" filesize="550"> "<<>"<"><[REMOTE CODE EXECUTION VULNERABILITY!] 137.txtJan. 23, 2014 14:070.5 KB
[FILE INCLUDE VULNERABILITY VIA FILENAME] Jan. 23, 2014 14:040.7 KB