Wifi Photo Transfer 2.1 / 1.1 PRO LFI / XSS / Command Injection

2013-05-13T00:00:00
ID PACKETSTORM:121599
Type packetstorm
Reporter Benjamin Kunz Mejri
Modified 2013-05-13T00:00:00

Description

                                        
                                            `Title:  
======  
Wifi Photo Transfer 2.1 & 1.1 PRO - Multiple Vulnerabilities  
  
  
Date:  
=====  
2013-04-21  
  
  
References:  
===========  
http://www.vulnerability-lab.com/get_content.php?id=932  
  
  
VL-ID:  
=====  
932  
  
  
Common Vulnerability Scoring System:  
====================================  
6.1  
  
  
Introduction:  
=============  
Easily access your photo libraries via wifi from any computer with a web browser! Just start the app and enter the   
displayed address into the address bar of your browser. Works with any computer that has a modern browser (like desktop   
or portable computers, iPads, or even an other iPhone) and is on the same wifi network as your phone, iPod or iPad.  
  
- You can select and transfer multiple photos at once  
- EXIF metadata is retained in mass-download mode (not in one-by-one mode)  
- Optional password protection for the web interface  
- Can also be used to download videos  
- Transfer in full resolution or scaled down  
- No extra software required  
  
(Copy of the Homepage: #1 https://itunes.apple.com/de/app/wifi-photo-transfer-pro/id587468262)  
(Copy of the Homepage: #2 https://itunes.apple.com/de/app/wifi-photo-transfer/id380326191)  
  
  
  
Abstract:  
=========  
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.  
  
  
Report-Timeline:  
================  
2013-04-22: Public Disclosure  
  
  
Status:  
========  
Published  
  
  
Affected Products:  
==================  
Apple AppStore  
Product: Wifi Photo Transfer 2.1 & 1.1 Pro  
  
  
Exploitation-Technique:  
=======================  
Remote  
  
  
Severity:  
=========  
High  
  
  
Details:  
========  
1.1  
A local command injection web vulnerability is detected in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.   
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.  
  
The vulnerbility is located in the index module when processing to load the ipad or iphone device album names. Local attackers can   
change the ipad or iphone device photo album names to system specific commands and file requests to provoke the execution when   
processing to watch the main index listing. The execution of the script code occurs in the album name web context.  
  
Exploitation of the web vulnerability does not require an application user account (standard) or user interaction.  
Successful exploitation of the vulnerability results unauthorized execution of system specific commands and path requests.  
  
  
Vulnerable Application(s):  
[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes or AppStore (Apple)  
  
Vulnerable Module(s):  
[+] Index  
  
Vulnerable Parameter(s):  
[+] album name - iPad or iPone  
  
Affected Module(s):  
[+] Index Listing - Album  
  
  
  
1.2  
A local file include and arbitrary file upload vulnerability is detected in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.   
The vulnerability allows remote attackers via POST method to include unauthorized remote files on the affected webserver file system.  
  
Remote attackers can also unauthorized implement mobile webshells by using multiple file extensions (pentest.php.js.gif) when processing to   
upload via POST request method. The attacker uploads a file with a double extension or multiple extensions and access the file in the   
secound step by usage of the directory webserver dir listing to compromise the apple iphone or ipad.  
  
Exploitation of the local file include web vulnerability does not require user interaction and also no application user account.   
Successful exploitation of the web vulnerabilities results in app/service manipulation and ipad or iphone compromise via file   
include or unauthorized web-server file (webshell) upload attacks.  
  
  
Vulnerable Application(s):  
[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes or AppStore (Apple)  
  
Vulnerable Module(s):  
[+] Compressing archiv to zip  
  
Vulnerable Parameter(s):  
[+] lib (cat)  
[+] sel (selection)  
  
Affected Module(s):  
[+] File Dir Album Index - Listing  
  
  
  
  
1.3  
An information disclosure and information leak misconfiguration is detected in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.  
The reported vulnerability allows remote attackers to access unauthorized web-server photos or web-server files by exploitation of a misconfiguration.  
  
The secound vulnerability is located in the upload file script of the webserver (http://localhost:2323/) when processing to download with   
a manipulated POST method request all available path files. The attacker can manipulate the lib and sel values in the POST request to download   
unauthorized not accessable photo files. After the iphone or ipad user allowed one time to access the iOS photo service anybody can also   
access not implemented files from the same service folder.  
  
Exploitation of the information disclosure web vulnerability does not require user interaction or an application user account.   
Successful exploitation of the information disclosure app vulnerability results in unauthorized photo and webserver file access.  
  
  
Vulnerable Application(s):  
[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes or AppStore (Apple)  
  
Vulnerable Module(s):  
[+] compressprogress  
  
Vulnerable Parameter(s):  
[+] filename  
  
Affected Module(s):  
[+] zipdownload  
  
  
  
  
1.4  
A client side cross site scripting web vulnerability is detected in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.  
The vulnerability allows remote attackers to form manipulated urls to inject script code on client side application requests.  
  
The client side cross site scripting web vulnerability is located in the path section when processing to request the images via GET with a   
manipulated filename (value) parameter. The vulnerability occurs when a remote attacker is changing the requested file to own script code.   
The request will be executed on client side of the victims browser. The app displays any non existing path with a file request without secure   
encoding which results in the execution of the script code out of the exception error message.  
  
Exploitation of the vulnerability does not require an application user account but low or medium user interaction.  
Successful exploitation results in client side cross site requests, unauthorized external redirects, client side phishing,   
client side session hijacking and client side module context manipulation.  
  
Vulnerable Application(s):  
[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes or AppStore (Apple)  
  
Vulnerable Module(s):  
[+] Path Folder  
  
Vulnerable Parameter(s):  
[+] filename (*.html)  
  
  
  
Proof of Concept:  
=================  
1.1  
The local command injection web vulnerability can be exploited by remote attackers without an application user account   
and without user interaction. For demonstration or reproduce ...  
  
Manually steps to reproduce ... Command Inject via Foldername  
  
1. Install the application from itunes or directly from the appstore  
2. Open the service and make the webserver available via http  
3. Now open for example your iphone or ipad device to sync  
4. Open on your device the standard albums in photos  
5. Change the name of one of your standard album to a path command inject string  
6. Open another device and access the index listing of the application after the album sync  
7. The code will be executed out of the main album name listing  
8. Successful reproduced ...!  
  
  
PoC: List of image libraries.htm  
  
<div class="span5" style="position:absolute;top:50%;margin-top:-10px;">  
<div style="margin-left:30px;"><a href="http://192.168.2.104:2323/1/"   
style="font-size:18px;font-weight:bold;">>%20>"<[<COMMAND/PATH INJECTION>]"List%20of%20image%20libraries_files/x.htm">  
<><>>%20>"<[<COMMAND/PATH INJECTION>]></a></div>  
</div>  
<div class="span3" style="text-align:center;">   
<img class="thumbnail" src="/1/tn_0.jpg"   
alt="" style="max-width:150px;max-height:150px;"/>  
  
  
  
1.2  
The local file web vulnerability can be exploited by remote attackers without an application user account   
and also without user interaction. For demonstration or reproduce ...  
  
Manually steps to reproduce ... File Include Vulnerability  
  
1. Start your session tamper tool or wireshark on your computer  
2. Install the application on the ipad or iphone device  
3. Start to tamper the http session or filter the http pakets via wireshark  
4. Start the application on your ipad or iphone  
5. Open with a external device (computer > browser) the application  
6. Now process to upload via form a image and hold a request via tamper or record the paket for a secound request  
7. Include atfer choosing a random image a webshell and include (upload) it with a double or tripple (*.php.jpg.gif or *.html.gif) extension  
8. After the upload you only need to refresh the album index and try to request via selection and lib parameter the file  
9. The webshell got unauthorized uploaded and is accessable to compromise the device or app  
10. Successful reproduced!  
  
--- POST REQUEST METHOD ---  
lib[2]  
> sel[0,1,2,3,4,5,6,7,8,9] > (Selection Page)  
  
  
  
1.3  
The information disclosure misconfiguration bug can be exploited by remote attackers without an application user account   
and without user interaction. For demonstration or reproduce ...  
  
Manually steps to reproduce ... Information Disclosure Misconfiguration  
  
1. Start your session tamper tool or wireshark on your computer  
2. Install the application on the ipad or iphone device  
3. Start to tamper the http session or filter the http pakets via wireshark  
4. Start the application on your ipad or iphone  
5. Open with a external device (computer > browser) the application  
6. Press Download zip compressed (http://localhost:2323/startcompressing)  
7. Hold the secound request after the lib and sel POST values has been requested  
8. Watch the content of the request and exchange the images the service requested with the images you want to request (example DIM2736.jpg)  
9. The images you included will be loaded in the zip compressed folder even if the selection was another one  
10. Successful reproduced ... the attacker can now access the images by using the vulnerable iOS app  
  
Compressing archive to zip (http://localhost:2323/startcompressing)  
  
  
Reference(s):  
http://localhost:2323/compressprogress5343040?KXVLHQUDKOURRJHC  
http://localhost:2323/zipdownload/KXVLHQUDKOURRJHC/images.zip  
  
  
  
1.4  
The client side cross site scripting web vulnerability can be exploited by remote attackers without an application user account   
and with medium or high required user interaction. For demonstration or reproduce ...  
  
PoC:  
http://localhost:2323/1/tester23/vulnerabilitylab.html%3E%22%3Ciframe%20src=a%3E#7062267329013816800  
  
  
Risk:  
=====  
1.1  
The security risk of the local command injection web vulnerability is estimated as high(-).  
  
1.2  
The security risk of the file include / arbitrary file upload vulnerability is estimated as high(+).  
  
1.3  
The security risk of the information disclosure misconfiguration bug is estimated as medium.  
  
1.4  
The security risk of the client side cross site scripting web vulnerability is estimated as low(+).  
  
  
Credits:  
========  
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)  
  
  
Disclaimer:  
===========  
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,   
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-  
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business   
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some   
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation   
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases   
or trade with fraud/stolen material.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register  
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com  
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com  
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.   
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other   
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and   
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),   
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.  
  
Copyright © 2013 | Vulnerability Laboratory  
  
--   
VULNERABILITY RESEARCH LABORATORY  
LABORATORY RESEARCH TEAM  
CONTACT: research@vulnerability-lab.com  
  
`