iThoughts Multiple Vulnerabilities
24 March 2014
Authors: James Davis <james.p.davis@outlook.com>, Justin C. Klein Keane 

Description of Vulnerability

iThoughtsHD brings mind mapping to the iPad. Based on the award winning iThoughts for iPhone, iThoughtsHD has been designed specifically for the iPad. iThoughtsHD will import and export mindmaps to and from many of the most popular desktop mindmap applications such as MyThoughts, Freemind, Freeplane, XMind, Novamind, MindManager, MindView, ConceptDraw MINDMAP, MindGenius and iMindmap. (http://www.ithoughts.co.uk) 

iThoughtsHD contains a cross site scripting (XSS or arbitrary script injection) vulnerability (CVE-2014-1826) because it fails to sanitize the map names before display, specifically when using the WiFi browser transfer feature. 

iThoughtsHD contains a null byte injection (arbitrary file upload) vulnerability (CVE-2014-1827) because it fails to sanitize file names being uploaded through the web interface when the iThoughts web server is turned on. 

iThoughtsHD contains a denial of service vulnerability (CVE-2014-1828) because it fails to limit the the size of the file when uploading through the browser to the iThoughts web server. This could allow a malicious user to fill up all available storage space on a device. 

Systems affected

iThoughtsHD 4.19 was tested and shown to be vulnerable 

Impact

Attackers can misuse the application through the web server by performing an arbitrary script injection (XSS) attacks. Arbitrary script injection could allow an attacker to execute malicious JavaScript on browsers viewing the WiFi sharing files. Using the null byte injection vulnerability will be able to upload files of any type to the iThoughts web server, which bypasses the filters used to limit what file types can be uploaded. The denial of service vulnerability can be used to upload files of any size which could fill up device storage preventing further uploads. 

Mitigating factors

The iThoughts web server (wifi sharing) must be turned on for these vulnerabilities to be exposed 

Proof of Concept

XSS Vulnerability: 
1. Install the iThoughtsHD app on your iPad 
2. Click the plus sign on the top bar to create a new app 
3. To perform a XSS attack upload a file with the name <iframe src=javascript:alert('xss')> 
4. Once the map is created, click the sharing button on the top bar in 
5. app and select "WiFi Transfer" 
6. This will turn on the iThoughts web server 
7. A link will then appear that you can enter into your computer browser 
8. Once you navigate to the page you will see a popup containing xss 

Null Byte Injection and Arbitrary File Upload Vulnerability: 
1. Install the iThoughtsHD app on your iPad 
2. Click the sharing button on the top bar in the app and select "WiFi Transfer" 
3. This will turn on the iThoughts web server 
4. A link will then appear that you can enter into your computer browser 
5. On your desktop create a file to perform the attack newmap.html%00.txt 
6. Once the file is created navigate to the iThoughts web server 
7. Click "Browse" and select the file you just created and upload it to the web server 
8. A new map will then appear with the name newmap.html 

CVE Common Vulnerability Exposures (CVE) are numeric designations for security vulnerabilities maintained by the National Vulnerability Database (NVD), part of the National Institute of Standards and Technology (NIST) (https://nvd.nist.gov/), sponsored by the US Department of Homeland Security (DHS). The CVE identifiers ? CVE-2014-1826, CVE-2014-1827, CVE-2014-1828 have been assigned to the issues detailed in this report.