Mobile Atlas Creator 1.9.12 Command Injection

2013-07-05T00:00:00
ID PACKETSTORM:122298
Type packetstorm
Reporter Ateeq ur Rehman Khan
Modified 2013-07-05T00:00:00

Description

                                        
                                            `Title:  
======  
Mobile Atlas Creator 1.9.12 - Persistent Command Injection Vulnerability  
  
  
Date:  
=====  
2013-06-11  
  
  
References:  
===========  
http://www.vulnerability-lab.com/get_content.php?id=970  
  
  
  
VL-ID:  
=====  
970  
  
  
Common Vulnerability Scoring System:  
====================================  
3.5  
  
  
Introduction:  
=============  
Mobile Atlas Creator (formerly known as TrekBuddy Atlas Creator) is an open source (GPL) program which creates offline atlases   
for GPS handhelds and cell phone applications like TrekBuddy, AndNav and other Android and WindowsCE based applications. For the   
full list of supported applications please see the features section. Additionally individual maps can be exported as one large   
PNG image with calibration MAP file for OziExplorer. As source for an offline atlas Mobile Atlas Creator can use a large number   
of different online maps such as OpenStreetMap and other online map providers.  
  
http://mobac.sourceforge.net/  
http://mobac.sourceforge.net/MOBAC/CHANGELOG.txt  
  
  
Abstract:  
=========  
The Vulnerability Laboratory Security Team discovered a persistent vulnerability & local command path inject bug in the Mobile Atlas Creator 1.9.12 (2116) software.  
  
  
Report-Timeline:  
================  
2013-05-02: Researcher Notification & Coordination (Ateeq Khan)  
2013-05-03: Vendor Notification (MOB - Developer Team)  
2013-05-03: Vendor Response/Feedback (MOB - Developer Team)  
2013-05-29: Vendor Fix/Patch (MOB - Developer Team)  
2013-06-11: Public Disclosure (Vulnerability Laboratory)  
  
  
Status:  
========  
Published  
  
  
Affected Products:  
==================  
MOBAC  
Product: Mobile Atlas Creator 1.9.12   
  
  
Exploitation-Technique:  
=======================  
Remote  
  
  
Severity:  
=========  
Medium  
  
  
Details:  
========  
Due to the fact that proper user input sanatization is not being performed, it is possible to inject user specified HTML code   
within the Atlas Mobile Creator Application. Besides HTML Injection, Local Command Path Injecton is also Possible. Other   
interesting behaviour includes that if you use <script>alert(1)</script> you will get an exception error and application will   
show you an error window. Upon further investigation, I was also able to load files from my local system where the   
application is installed.   
  
The bug exists in the Name FIeld while creating a New Atlas Map. A Malicious Attacker can save the script code as an Atlas Map   
file and send it to unknown victims. This surely makes this bug very interesting. Please also note, I was able to cause multiple   
types of exception errors while trying different payloads which means there is a possibility of multiple attack vectors through   
the same vulnerable name field.  
  
  
Vulnerable Module(s)  
[+] Create New Map  
  
Vulnerable Field(s)  
[+] Name  
  
  
Proof of Concept:  
=================  
The vulnerability can be exploited by local attackers with low privilege system user account and low user interaction.  
For demonstration or reproduce ...  
  
Manually steps to reproduce ...  
  
1) Install and open atlas software  
2) In the menu, goto Atlas -> New Atlas  
3) Use the following payload as the Atlas name >"<iframe src=http://www.vulnerability-lab.com  
4) Click OK to save the input with the non-malicious test frame  
5) Right click on the Atlas Content and click the Show Details menu button  
6) The script code with the test frame will be executed in the main software when processing to load the show details function of the main listing module.  
  
Note: If you use <script>alert(1)</script> you will get an exception error and application will show you an error window.redisplay  
  
  
Solution:  
=========  
Proper user input sanatization should be performed and all special / illegal characters should be filtered out to prevent any such / similar attacks.  
  
  
Risk:  
=====  
The security risk of the persistent input validation vulnerabilities and local command path inject vulnerabilities are estimated as medium(+)|(-)high.  
  
  
Credits:  
========  
Vulnerability Laboratory [Research Team] - Ateeq Khan (khan@vulnerability-lab.com)  
  
  
Disclaimer:  
===========  
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,   
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-  
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business   
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some   
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation   
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases   
or trade with fraud/stolen material.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register  
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com  
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com  
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.   
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other   
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and   
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),   
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.  
  
Copyright © 2013 | Vulnerability Laboratory  
  
--   
VULNERABILITY LABORATORY RESEARCH TEAM  
DOMAIN: www.vulnerability-lab.com  
CONTACT: research@vulnerability-lab.com  
  
`