{"hash": "84854b3a010042eab94083f38b3901a6f69100a849eac3b870582c2b335d4781", "sourceHref": "https://packetstormsecurity.com/files/download/124090/VL-1140.txt", "title": "Appologics AirBeam 1.9.2 Code Execution / XSS", "id": "PACKETSTORM:124090", "published": "2013-11-19T00:00:00", "description": "", "modified": "2013-11-19T00:00:00", "sourceData": "`Document Title: \n=============== \nAppologics AirBeam v1.9.2 iOS - Multiple Web Vulnerabilities \n \n \nReferences (Source): \n==================== \nhttp://www.vulnerability-lab.com/get_content.php?id=1140 \n \n \nRelease Date: \n============= \n2013-11-20 \n \n \nVulnerability Laboratory ID (VL-ID): \n==================================== \n1140 \n \n \nCommon Vulnerability Scoring System: \n==================================== \n7.2 \n \n \nProduct & Service Introduction: \n=============================== \nAirBeam turns your iPhones, iPods or iPads into a realtime audio and video surveillance system. AirBeam streams \nlive video and audio from the cameras and microphones of any number of iPhones, iPods or iPads. You can watch \nthe stream on any other iDevice, Mac or Web browser - even on multiple screens simultaneously. \n \nUse your iDevices as luxury babyphones, for serious surveillance, to keep an eye on your pets, a FPV cam in your \nremote control toys\u2026there are hundreds of useful and not so useful things you can do with it. Even if you have \njust a single device AirBeam is an awesome tool for motion controlled video recording. \n \n(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/airbeam-hd-videouberwachung/id428767956 ) \n \n \nAbstract Advisory Information: \n============================== \nThe Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Appoligics UG AirBeam v1.9.2 iOS mobile application. 
\n \n \nVulnerability Disclosure Timeline: \n================================== \n2013-11-20: Public Disclosure (Vulnerability Laboratory) \n \n \nDiscovery Status: \n================= \nPublished \n \n \nAffected Product(s): \n==================== \nApple AppStore \nProduct: AirBeam iOS - Appologics UG 1.9.2 \n \n \nExploitation Technique: \n======================= \nRemote \n \n \nSeverity Level: \n=============== \nHigh \n \n \nTechnical Details & Description: \n================================ \n1.0 \nA command/path injection web vulnerability has been discovered in the official Appologics UG AirBeam v1.9.2 iOS mobile application. \nThe command/path injection vulnerability allows local attackers to inject system commands or path requests without authorization to compromise \nthe mobile web-application or UI online-service. \n \nThe local command/path injection web vulnerability is located in the name value of the iOS device. Local attackers with physical \ndevice access and restricted user accounts can inject local path requests or execute system-specific commands. After the command \nor path request is injected, the code executes in the tab header location, where the device name is listed on top. The security \nrisk of the local command/path injection web vulnerability in the device name is estimated as high with a CVSS (common vulnerability \nscoring system) count of 5.2(+)|(-)5.3 \n \nExploitation of the web vulnerability requires a local privileged iOS device account with restricted access and no user interaction. \nSuccessful exploitation of the vulnerability results in unauthorized execution of system-specific commands and path/file requests. 
\n \n \nVulnerable Service(s): \n[+] Appologics UG - AirBeam v1.9.2 (iOS) \n \nVulnerable Module(s): \n[+] device name \n \nVulnerable Parameter(s): \n[+] name \n \nAffected Device(s): \n[+] iPad \n[+] iPhone \n \n \n2.0 \nA client-side cross site scripting vulnerability has been discovered in the official Appologics UG AirBeam v1.9.2 iOS mobile application. \nThe XSS web vulnerability allows remote attackers to manipulate web-application to browser requests (client-side) by injecting via the GET method. \n \nThe client-side cross site scripting web vulnerability is located in the vulnerable name value of the delete function. Remote attackers \nare able to inject their own script code by manipulating the GET method request to execute the malicious content on the client side of \na victim's web browser. The security risk of the non-persistent web vulnerability in the delete function is estimated as medium with a \nCVSS (common vulnerability scoring system) count of 2.0(+)|(-)2.1. \n \nExploitation of the client-side cross site scripting vulnerability requires no privileged web application user account and low or medium user interaction. \nSuccessful exploitation of the client-side cross site scripting web vulnerability results in session hijacking, client-side phishing, client-side \nunauthorized/open (external) redirects and client-side manipulation of the dhtml editor module context. \n \n \nVulnerable Service(s): \n[+] Appologics UG - AirBeam v1.9.2 (iOS) \n \nVulnerable Module(s): \n[+] delete \n \nAffected parameter(s): \n[+] name \n \nAffected Device(s): \n[+] iPad \n[+] iPhone \n \n \nProof of Concept (PoC): \n======================= \n1.0 \nThe command/path injection web vulnerability can be exploited by remote attackers with a privileged iOS device account and without user interaction. \nFor security demonstration or to reproduce the security vulnerability, follow the information below. 
\n \n \nProof of Concept - Device Name \n \n<div id=\"devicename\">device benjamin.KM>\"<<>\"<[LOCAL COMMAND/PATH INJECT VULNERABILITY VIA DEVICENAME!]></div> \n<div id=\"navbar\"> \n<a class='navitem' href='index.html'>Kamera</a> \n<a class='navitemsel' href='recordings.html'>Aufnahmen</a> \n<a class='navitem' href='settings.html'>Einstellungen</a> \n</div> \n</div> \n<div id=\"content\"> \n<div id=\"recordings_hint\"> \nHinweis: Manche Browser haben Schwierigkeiten die Aufzeichnungen direkt im Browser-Fenster abzuspielen. \nIn diesem Fall die Aufzeichnung mittels Rechts-Klick und \"Speichern unter\" herunterladen und dann anschauen. \n</div> \n<div id=\"recordings_list\"> \n<!-- \n<hr class=\"embosed\"/> \n<div class=\"recording\"> \n<div class=\"recording_preview\"> \n<img width=\"100px\" height=\"100px\" src=\"images/logo.png\"> \n</div> \n<div class=\"recording_data\"> \n<a class=\"recording_name\" href=\"/recordings\">Recording</a> \n<div class=\"recording_details\"> \n12:25:00<br>640x480<br>0 min 5 sec<br>10.0 MB<br> \n</div> \n</div> \n<div class=\"recording_controls\"> \n<a class=\"button\" href=\"/delete?name=\">View</a> \n<a class=\"button\" href=\"/delete?name=\">Delete</a> \n</div> \n</div> \n \n \nNote: After the injection, the script code executes in the device name on top of the application header. 
\n \n \n--- PoC Session Request Logs [GET] --- \n \nStatus: 200[OK] \nGET http://airbeam.localhost/recordings.html \nLoad Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI \nLOAD_INITIAL_DOCUMENT_URI ] \nContent Size[-1] \nMime Type[application/x-unknown-content-type] \n \nRequest Headers: \nHost[airbeam.localhost] \nUser-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0] \nAccept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] \nAccept-Language[en-US,en;q=0.5] \nAccept-Encoding[gzip, deflate] \nDNT[1] \nReferer[http://airbeam.localhost/recordings.html] \nConnection[keep-alive] \nCache-Control[max-age=0] \n \nResponse Headers: \nTransfer-Encoding[chunked] \nAccept-Ranges[bytes] \nDate[Wed, 20 Nov 2013 02:36:37 GMT] \n \nStatus: 200 \nGET http://airbeam.localhost/[LOCAL INJECTED COMMAND/PATH VALUE!] \nLoad Flags[LOAD_DOCUMENT_URI ] \nContent Size[0] \nMime Type[application/x-unknown-content-type] \n \nRequest Headers: \nHost[airbeam.localhost] \nUser-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0] \nAccept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] \nAccept-Language[en-US,en;q=0.5] \nAccept-Encoding[gzip, deflate] \nDNT[1] \nReferer[http://airbeam.localhost/recordings.html] \nConnection[keep-alive] \n \nResponse Headers: \nAccept-Ranges[bytes] \nContent-Length[0] \nDate[Wed, 20 Nov 2013 02:36:37 GMT] \n \n \n \n2.0 \nThe client-side input validation web vulnerability can be exploited by remote attackers without privileged web-application user account and \nlow user interaction. For security demonstration or to reproduce the vulnerability follow the provided information below. \n \nPoC: Client-Side XSS \nhttp://airbeam.localhost/delete?name=[CLIENT-SIDE CROSS SITE SCRIPTING VULNERABILITY!] 
\n \n \nProof of Concept: delete?name - (view & delete) \n \n<div class=\"recording_controls\"> \n<a class=\"button\" href=\"/delete?name=[CLIENT-SIDE CROSS SITE SCRIPTING VULNERABILITY!]\">View</a> \n<a class=\"button\" href=\"/delete?name=[CLIENT-SIDE CROSS SITE SCRIPTING VULNERABILITY!]\">Delete</a> \n</div> \n \n \nSolution - Fix & Patch: \n======================= \n1.0 \nThe local command/path injection web vulnerability can be patched by securely parsing the device-name value on top of the application. \n \n2.0 \nThe client-side cross site scripting web vulnerability can be patched by securely encoding the vulnerable name value in the delete function. \n \n \nSecurity Risk: \n============== \n1.0 \nThe security risk of the local command/path injection web vulnerability via device-name is estimated as high. \n \n2.0 \nThe security risk of the client-side cross site scripting web vulnerability in the delete file name value is estimated as medium. \n \n \nCredits & Authors: \n================== \nVulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] \n \n \nDisclaimer & Information: \n========================= \nThe information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, \neither expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- \nLab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business \nprofits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some \nstates do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation \nmay not apply. 
We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases \nor trade with fraud/stolen material. \n \nDomains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com \nContact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com \nSection: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com \nSocial: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab \nFeeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php \n \nAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. \nPermission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other \nmedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and \nother information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), \nmodify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. 
\n \nCopyright \u00a9 2013 | Vulnerability Laboratory [Evolution Security] \n \n \n-- \nVULNERABILITY LABORATORY RESEARCH TEAM \nDOMAIN: www.vulnerability-lab.com \nCONTACT: research@vulnerability-lab.com \n \n`\n", "reporter": "Benjamin Kunz Mejri", "cvss": {"vector": "NONE", "score": 0.0}, "references": [], "type": "packetstorm", "cvelist": [], "history": [], "bulletinFamily": "exploit", "objectVersion": "1.2", "edition": 1, "href": "https://packetstormsecurity.com/files/124090/Appologics-AirBeam-1.9.2-Code-Execution-XSS.html", "lastseen": "2016-11-03T10:23:00", "viewCount": 0, "enchantments": {"vulnersScore": 4.3}}