ePhoto Transfer 1.2.1 XSS / DoS / Command Injection

2013-07-18T00:00:00
ID PACKETSTORM:122458
Type packetstorm
Reporter Benjamin Kunz Mejri
Modified 2013-07-18T00:00:00

Description

                                        
                                            `Title:  
======  
ePhoto Transfer v1.2.1 iOS - Multiple Web Vulnerabilities  
  
  
Date:  
=====  
2013-07-17  
  
  
References:  
===========  
http://www.vulnerability-lab.com/get_content.php?id=1017  
  
  
VL-ID:  
=====  
1017  
  
  
Common Vulnerability Scoring System:  
====================================  
6.6  
  
  
Introduction:  
=============  
ePhoto Transfer lets you quickly transfer photos and videos between your iPhone, iPad, iPod Touch, Mac, PC, and   
even other non-iOS mobile devices via Wi-Fi. It turns your iPhone/iPad/iPod Touch into a USB drive from your PC   
or Mac, then all your photos and videos will be available for drag and drop. You don`t need to install any desktop   
software(even iTunes), so you can use it at home or in office. It also provides useful features to help you organize   
your photos. You can rename photos and videos, sort and search within your camera roll. You can choose which photos   
and videos to share, and set accessing password for the shared files. Transferring photos and videos over Personal   
Hotspot Wi-Fi is fully supported. It`s a universal app, download once, both your iPhone and iPad will have it.   
  
(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/ephoto-transfer/id643118163 )  
  
  
Abstract:  
=========  
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the ePhoto Transfer v1.2.1 application (Apple iOS - iPad & iPhone).  
  
  
Report-Timeline:  
================  
2013-07-17: Public Disclosure (Vulnerability Laboratory)  
  
  
Status:  
========  
Published  
  
  
Affected Products:  
==================  
Apple AppStore  
Product: ePhoto Transfer 1.2.1  
  
  
Exploitation-Technique:  
=======================  
Remote  
  
  
Severity:  
=========  
High  
  
  
Details:  
========  
1.1  
A local command/path injection web vulnerability is detected in the ePhoto Transfer v1.2.1 application (Apple iOS - iPad & iPhone).  
The vulnerability allows local attackers to inject commands or path request on application -side of the vulnerable module.  
  
The vulnerability is located in the Index File Dir Listing module when processing to display manipulated Photo Picture Folder Names.  
Local attackers with physical device access can inject script code to the regular iOs photo application by renameing the visible folders.  
The attacker can save the changed foldername and to execute when accessing the index file dir listing module.  
  
Exploitation of the command injection web vulnerability does not require a privilege application user account or user interaction.   
Successful exploitation results in application-side command/path injection to unauthorized access files or to compromise the application   
or mobile device.  
  
Vulnerable Module(s):  
[+] File Dir Index  
  
Vulnerable Parameter(s):  
[+] Photo Album Name > FolderName  
  
  
1.2  
A remote denial of servicce vulnerability is detected in the ePhoto Transfer v1.2.1 application (Apple iOS - iPad & iPhone).  
The denial of service vulnerability allows a remote attacker to crash, slow down, block or shutdown the mobile application core.  
  
The vulnerability is located in the upload parameter when processing to request negative large integer values as filename.  
The attacker can open the url deletes the name of an exisiting file and includes a large negative integer value. As reaction   
because of the unfiltered input the application crashs.   
  
Exploitation of the denial of service vulnerability does not require a privilege application user account or user interaction.  
Successful exploitation of the vulnerability result in a stable application crash or shutdown.  
  
Vulnerable Module(s):  
[+] Upload Files  
  
Vulnerable Parameter(s):  
[+] upload  
  
  
  
  
1.3  
A client side cross site scripting vulnerability is detected in the ePhoto Transfer v1.2.1 application (Apple iOS - iPad & iPhone).  
The input validation vulnerability allows remote attackers to manipulate browser requests by client side script code injects in the web application.   
  
The vulnerability is located in the file download module when processing to request a manipulated download parameter via GET method.  
The script code will be executed when the service is redirecting user to the file dir menu listing.  
  
Exploitation of the vulnerability does not require a privilege application user account but low or medium user interaction.  
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent malicious external redirect   
and persistent module context manipulation.  
  
Vulnerable Module(s):  
[+] Files Download  
  
Vulnerable Parameter(s):  
[+] download   
  
  
Proof of Concept:  
=================  
1.1 - Local Command/Path Injection Vulnerability  
The local command/path inject web vulnerability can be exploited by remote attackers with physical device access and without user interaction.   
For demonstration or reproduce ...  
  
PoC: Index Listing - Foldername  
<tbody xmlns="http://www.w3.org/1999/xhtml"><tr><td class="icon"><a href="..">  
<img src="/static/backToParent_icon.png"/></a></td><td class="name"><a href="..">Parent Directory</a></td>  
<td class="modifieddate"/><td class="size"/><td/></tr><tr><td class="icon"><a><img src="/static/GenericFolderIcon.png"/></a></td>  
<td class="name"><a href="/Photos/Misc Backgrounds">Misc Backgrounds</a></td><td class="modifieddate">2013-07-16 19:05</td>  
<td class="size">--</td><td class="download"/></tr><tr><td class="icon"><a><img src="/static/GenericFolderIcon.png"/></a></td>  
<td class="name">  
<a href="/Photos/Sky Lounge>"<>"%20> "<iframe src=a>">Sky Lounge>"<>"%20> "<iframe src=a></a></td>  
<td class="modifieddate">2013-07-16 19:05</td><td class="size">  
--</td><td class="download"></td></tr><tr><td class="icon"><a><img src="/static/GenericFolderIcon.png"/></a></td><td class="name"><a   
  
href="/Photos/Aufnahmen">Aufnahmen</a></td><td class="modifieddate">2013-07-16 19:05</td><td class="size">--  
</td><td class="download"/></tr></tbody>  
  
Note: The foldername can be changed in the Photo App of iOS. The execution of the command or path request will be in the main index file dir listing.  
  
  
1.2 - Denial of Service  
The remote denial of service vulnerability can be exploited by remote attackers without privilege application user account and also   
without user interaction. For demonstration or reproduce ...  
  
  
http://localhost:8080/Photos/Misc%20Backgrounds?upload=-99999999  
  
Note: After opening the upload parameter with negative large integer value the service will crash because of a memory corruption.  
  
  
1.3 - Client Side Cross Site Scripting  
The client site cross site scripting web vulnerability can be exploited by remote attackers without application user account and low or   
medium user interaction. For demonstration or reproduce ...  
  
PoC:   
http://localhost:8080/PermissionNotes(PleaseRead).pdf?download=1&download=2+<iframe src=http://www.vuln-lab.com>  
  
Note: To execute the client side script code an existing file is required to request the download parameter.  
The pdf file mentioned in the poc is a default file and ever available after the installation of the iOS app.  
  
  
Solution:  
=========  
1.1  
The first vulnerability can be patched by a secure encoding of the picture and photo folder names.  
  
1.2  
The denial of service can be patched by a secure restriction and encode of the upload parameter.   
  
1.3  
The client side cross site scripting web vulnerability can be fixed by encoding of the download parameter when processing to list files.  
  
  
Risk:  
=====  
1.1  
The security risk of the command injection web vulnerability is estimated as high(-).  
  
1.2  
The security risk of the remote denial of service web vulnerability is estimated as medium.  
  
1.3  
The security risk of the client side cross site scripting vulnerability is estimated as low(+)|(-)medium.  
  
  
Credits:  
========  
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)  
  
  
Disclaimer:  
===========  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,   
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-  
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business   
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some   
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation   
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases   
or trade with fraud/stolen material.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com  
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com  
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com  
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.   
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other   
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and   
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),   
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.  
  
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]  
  
  
  
--   
VULNERABILITY LABORATORY RESEARCH TEAM  
DOMAIN: www.vulnerability-lab.com  
CONTACT: research@vulnerability-lab.com  
  
`