iThoughtsHD 4.19 DoS / XSS / File Upload

25 Mar 2014 | Reported by Justin C. Klein Keane | Type: packetstorm | Source: packetstormsecurity.com

`iThoughts Multiple Vulnerabilities  
24 March 2014  
Authors: James Davis <[email protected]>, Justin C. Klein Keane   
  
Description of Vulnerability  
  
iThoughtsHD brings mind mapping to the iPad. Based on the award winning iThoughts for iPhone, iThoughtsHD has been designed specifically for the iPad. iThoughtsHD will import and export mindmaps to and from many of the most popular desktop mindmap applications such as MyThoughts, Freemind, Freeplane, XMind, Novamind, MindManager, MindView, ConceptDraw MINDMAP, MindGenius and iMindmap. (http://www.ithoughts.co.uk)   
  
iThoughtsHD contains a cross site scripting (XSS or arbitrary script injection) vulnerability (CVE-2014-1826) because it fails to sanitize the map names before display, specifically when using the WiFi browser transfer feature.   
  
iThoughtsHD contains a null byte injection (arbitrary file upload) vulnerability (CVE-2014-1827) because it fails to sanitize file names being uploaded through the web interface when the iThoughts web server is turned on.   
  
iThoughtsHD contains a denial of service vulnerability (CVE-2014-1828) because it fails to limit the size of the file when uploading through the browser to the iThoughts web server. This could allow a malicious user to fill up all available storage space on a device.   
  
Systems affected  
  
iThoughtsHD 4.19 was tested and shown to be vulnerable   
  
Impact  
  
Attackers can misuse the application through the web server by performing arbitrary script injection (XSS) attacks. Arbitrary script injection could allow an attacker to execute malicious JavaScript on browsers viewing the WiFi sharing files. Using the null byte injection vulnerability, an attacker will be able to upload files of any type to the iThoughts web server, bypassing the filters used to limit what file types can be uploaded. The denial of service vulnerability can be used to upload files of any size, which could fill up device storage and prevent further uploads.   
  
Mitigating factors  
  
The iThoughts web server (wifi sharing) must be turned on for these vulnerabilities to be exposed   
  
Proof of Concept  
  
XSS Vulnerability:   
1. Install the iThoughtsHD app on your iPad   
2. Click the plus sign on the top bar to create a new app   
3. To perform an XSS attack upload a file with the name <iframe src=javascript:alert('xss')>   
4. Once the map is created, click the sharing button on the top bar in the app and select "WiFi Transfer"   
5. This will turn on the iThoughts web server   
6. A link will then appear that you can enter into your computer browser   
7. Once you navigate to the page you will see a popup containing xss   
  
Null Byte Injection and Arbitrary File Upload Vulnerability:   
1. Install the iThoughtsHD app on your iPad   
2. Click the sharing button on the top bar in the app and select "WiFi Transfer"   
3. This will turn on the iThoughts web server   
4. A link will then appear that you can enter into your computer browser   
5. On your desktop create a file to perform the attack newmap.html%00.txt   
6. Once the file is created navigate to the iThoughts web server   
7. Click "Browse" and select the file you just created and upload it to the web server   
8. A new map will then appear with the name newmap.html   
  
CVE  
  
Common Vulnerability Exposures (CVE) are numeric designations for security vulnerabilities maintained by the National Vulnerability Database (NVD), part of the National Institute of Standards and Technology (NIST) (https://nvd.nist.gov/), sponsored by the US Department of Homeland Security (DHS). The CVE identifiers CVE-2014-1826, CVE-2014-1827, CVE-2014-1828 have been assigned to the issues detailed in this report.   
  
`
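
The three issues in the advisory map to three server-side checks, sketched below as an added example; it is not code from the advisory or from iThoughtsHD. The allowlist, the size cap, all function names, and the model of the flaw (extension checked on the raw name, which is then decoded and cut at the first NUL) are assumptions made for illustration.

```python
import html
from urllib.parse import unquote

# Assumed values for this example; the advisory does not list them.
ALLOWED_EXTENSIONS = {".txt", ".mm"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def extension(name):
    """Lower-cased text from the last dot onward, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def naive_stored_name(raw_name):
    """Assumed model of the flaw: the filter sees the raw name, but the name
    is later decoded and truncated at the first NUL byte when stored."""
    if extension(raw_name) not in ALLOWED_EXTENSIONS:
        return None
    return unquote(raw_name).split("\x00", 1)[0]


def safe_stored_name(raw_name):
    """Decode first, reject control bytes and path parts, then apply the
    allowlist to the exact name that will be written to storage."""
    name = unquote(raw_name)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        return None  # covers NUL (%00) and other control characters
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        return None
    return name if extension(name) in ALLOWED_EXTENSIONS else None


def read_capped(stream, limit=MAX_UPLOAD_BYTES, chunk=64 * 1024):
    """Read an upload body, stopping as soon as it exceeds the cap instead of
    trusting a client-declared length."""
    buf = bytearray()
    while True:
        block = stream.read(chunk)
        if not block:
            return bytes(buf)
        buf += block
        if len(buf) > limit:
            return None


def render_map_name(name):
    """HTML-escape a map name before writing it into the file listing page."""
    return html.escape(name, quote=True)
```
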

Vulners AI Score: 6.5 (Medium risk) | EPSS: 0.00415