Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormBenjamin Kunz MejriPACKETSTORM:129019
HistoryNov 07, 2014 - 12:00 a.m.

SeasonApps iTransfer 1.1 Script Insertion

2014-11-0700:00:00
Benjamin Kunz Mejri
packetstormsecurity.com
20
JSON
`Document Title:  
===============  
SeasonApps iTransfer 1.1 - Persistent UI Vulnerability  
  
  
References (Source):  
====================  
http://www.vulnerability-lab.com/get_content.php?id=1347  
  
  
Release Date:  
=============  
2014-10-27  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
1347  
  
  
Common Vulnerability Scoring System:  
====================================  
2.5  
  
  
Product & Service Introduction:  
===============================  
Do you want to access your PhotoLibrary`s file on the website? Do you want to transfer files from PC to iDevice easily and   
read or send them every where? So the iTransfer will give all these to you.  
  
1. You can get all photos and videos in the Photo Library of your device.  
2. Wifi Sharing! These make our life more easy, Isn`t it?  
3.A file box for you that you can store and get files on the document dictionary of the App. also you can manage the files via Wifi Sharing !  
4. Supper File Manager, you can open files with document format as pdf,doc,ppt,txt,rtf,png,jpg
 and media format as mp3,mp4 and so on.  
5.Zip and Unzip which will make you manage your local files early.  
6.You can share the files to your friend with email.  
7. You can access the files on this app via USB and iTunes.  
8.Support for iOS7  
9.Add upload feature to Library sharing, you can upload image to your photo library now.  
10.Add file manage feature to the Local Sharing, just like create dictionary and delete files(dictionary)  
11.Add Authentication feature to he sharing feature, you can safe browse your sharing right now!  
12.Add feedback feature, please give us your advice or your bug to us. thanks!   
  
(Copy of the Homepage: https://itunes.apple.com/us/app/itransferpro-transfer-photos/id777151284 )  
  
  
Abstract Advisory Information:  
==============================  
The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official iTransferPro v1.1 iOS mobile application.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2014-10-27: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
SeasonApps iTransfer  
Product: iTransfer - iOS Mobile Web Application (Wifi) 1.1  
  
  
Exploitation Technique:  
=======================  
Local  
  
  
Severity Level:  
===============  
Medium  
  
  
Technical Details & Description:  
================================  
An application-side input validation web vulnerability has been discovered in the official SeasonApps iTransferPro v1.1 iOS mobile application.  
The vulnerability allows a local attacker to inject own script code as payload to the application-side of the vulnerable service function or module.  
  
The vulnerability is located in the albumname value. Local attackers with low privileged device user accounts are able to manipulate the albumname   
values by usage of the wifi sync function in the `Share Photo Library` module. The attack vector is persistent on the application-side and the request   
method to inject is a app sync. The issue allows to stream persistent malicious script codes to the front site of the wifi photo library interface.  
  
The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.5.  
Exploitation of the application-side web vulnerability requires a low privileged web-application user account and low or medium user interaction.  
Successful exploitation of the vulnerabilities result in persistent phishing mails, session hijacking, persistent external redirect to malicious   
sources and application-side manipulation of affected or connected module context.  
  
Request Method(s):  
[+] Sync  
  
Vulnerable Module(s):  
[+] Share Photo Library  
  
Vulnerable Parameter(s):  
[+] items - group (albumname)  
  
Affected Module(s):  
[+] Wifi Interface - Share Photo Library Index (http://localhost:8888/)  
  
  
Proof of Concept (PoC):  
=======================  
The persistent input validation web vulnerability can be exploited by local attackers with low privileged device user account and low or medium user interaction.  
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.  
  
PoC: Wifi Interface - Share Photo Library Index (http://localhost:8888/)  
  
<html><head><meta name="viewport" content="width=device-width, initial-scale=1.0" http-equiv="Content-Type"><title>iTransfer</title><style>html   
{background-color:#eeeeee} body { background-color:#FFFFFF; font-family:Tahoma,Arial,Helvetica,sans-serif; font-size:18x; margin-left:5%;   
margin-right:5%; border:3px groove #006600; padding:15px; } </style></head><body><h2>Enjoy iTransfer</h2>  
<bq>You Can Access Files of your Photo Library Now :)</bq><script type="text/javascript" src="/jquery.js"></script>   
<script type="text/javascript" src="/fileuploader.js"></script> <link href="fileuploader.css" rel="stylesheet"   
type="text/css"><p></p><div id="file-uploader-div"><div class="qq-uploader"><div style="display: none;" class="qq-upload-drop-area">  
<span>drop files here to upload</span></div><div style="position: relative; overflow: hidden; direction: ltr;" class="qq-upload-button">upload a file  
<input style="position: absolute; right: 0px; top: 0px; font-family: Arial; font-size: 118px; margin: 0px; padding: 0px; cursor: pointer; opacity: 0;"   
name="file" multiple="multiple" type="file"></div><ul class="qq-upload-list"></ul></div></div><p></p><script language="javascript">   
$(function(){ var uploader = new qq.FileUploader({   
element:document.getElementById("file-uploader-div"),   
action: "/",   
debug: false,   
allowedExtensions: ["jpg","png","JPG","PNG","bmp","BMP"],   
template: '<div class="qq-uploader">' +   
'<div class="qq-upload-drop-area"><span>drop files here to upload</span></div>' +   
'<div class="qq-upload-button">upload a file</div>' +   
'<ul class="qq-upload-list"></ul>' + '</div>', }); });  
</script><br><label color="red"><font size="2" color="red">(Notice: The pictures you upload will appear when you share the photo library next time)</font></label>  
<br><link href="/bootstrap.css" rel="stylesheet"> <script src="/bootstrap.min.js"></script><h3>All Groups</h3><ul class="thumbnails"><li class="span2">  
<div class="thumbnail" style="text-align: center;">  
<a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">  
<img src="7BADE58E-C286-43D8-8CE2-4415C4DF35CA.png" height="150" width="150">  
<span stype="white-space: nowrap;">>>"<[PERSISTENT INJECTED SCRIPT CODE EXECUTION!] 1items</span></a></div>  
<a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">  
</a></li><li class="span2"><a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">  
</a><div class="thumbnail" style="text-align: center;"><a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">  
</a><a target="_blank" href="/group/F8F7120B-9058-4B64-B6EF-59DB570F8872">  
<img src="F8F7120B-9058-4B64-B6EF-59DB570F8872.png" height="150" width="150">  
<span stype="white-space: nowrap;">Photos 3items</span>  
</a></div><a target="_blank" href="/group/F8F7120B-9058-4B64-B6EF-59DB570F8872">  
</a></li></ul></body></html>  
  
  
Reference(s):  
http://localhost:8888/  
http://localhost:8888/group/  
  
  
Solution - Fix & Patch:  
=======================  
The vulnerability can be patched by a secure restriction of the foldername/albumname input fields.  
Encode the input and parse the output of the name values in the wifi interface to prevent persistent script code executions.  
  
  
Security Risk:  
==============  
The security risk of the application-side input validation web vulnerability in the wifi interface is estimated as medium(-). (CVSS 2.5)  
  
  
Credits & Authors:  
==================  
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ([email protected]) [www.vulnerability-lab.com]  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed   
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable   
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab   
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for   
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,   
policies, deface websites, hack into databases or trade with fraud/stolen material.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com  
Contact: [email protected] - [email protected] - [email protected]  
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact  
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to   
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by   
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website   
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact   
([email protected] or [email protected]) to get a permission.  
  
Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™  
  
  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com  
CONTACT: [email protected]  
  
COMPANY: Evolution Security GmbH  
BUSINESS: www.evolution-sec.com  
  
  
  
  
`
JSON