SEC Consult Vulnerability Lab Security Advisory < 20170913-1 >
=======================================================================
              title: Local File Disclosure
            product: VLC media player iOS app
 vulnerable version: 2.7.8
      fixed version: 2.8.1
         CVE number: -
             impact: Medium
           homepage: https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8
              found: 2017-08-22
                 by: Ahmad Ramadhan Amizudin (Office Malaysia)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"VLC is a free and open source cross-platform multimedia player and framework
that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various
streaming protocols."

Source: https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8


Business recommendation:
------------------------
The identified vulnerability allows attackers to steal arbitrary files
(accessible by the app) from the mobile device.

SEC Consult recommends not to enable "Sharing over WiFi" feature in VLC
for iOS which allows wireless file transfer to/from PC until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Local file disclosure
The 'Sharing over WiFi' feature in VLC for iOS is vulnerable to a local file
disclosure vulnerability. An attacker can read any files which can be accessed
with current application privileges. This issue can lead to data theft.


Proof of concept:
-----------------
1) Local file disclosure
The example below shows how the LFD vulnerability can be exploited.

URL     : http://$IP:$PORT/download/<path-to-file-or-folder>
METHOD  : GET
EXAMPLE : http://$IP:$PORT/download//etc/passwd


The source code excerpt below shows the vulnerable code of the mobile app:

VULN. FILE : Sources/VLCHTTPConnection.m
VULN. CODE :
[...]
- (NSObject<HTTPResponse> *)_httpGETDownloadForPath:(NSString *)path
{
    NSString *filePath = [[path stringByReplacingOccurrencesOfString:@"/download/"
withString:@""]stringByReplacingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
    HTTPFileResponse *fileResponse = [[HTTPFileResponse alloc]
initWithFilePath:filePath forConnection:self];
    fileResponse.contentType = @"application/octet-stream";
    return fileResponse;
}
[...]


Vulnerable / tested versions:
-----------------------------
VLC version 2.7.8 has been tested on iOS 10.3.3 and found to be vulnerable.


Vendor contact timeline:
------------------------
2017-08-23: Contacting vendor through email
2017-08-23: Vendor replied, they are looking at it
2017-09-05: Asked for a status update from the vendor
2017-09-09: Vendor released patch in version 2.8.1
2017-09-13: Public release of advisory


Solution:
---------
Upgrade to the latest version available:
https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8


Workaround:
-----------
Disable the 'Sharing over WiFi' feature.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Ahmad Ramadhan / @2017