VLC Media Player iOS App 2.7.8 File Disclosure Vulnerability

title: Local File Disclosure
            product: VLC media player iOS app
 vulnerable version: 2.7.8
      fixed version: 2.8.1
         CVE number: -
             impact: Medium
           homepage: https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8
              found: 2017-08-22
                 by: Ahmad Ramadhan Amizudin (Office Malaysia)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"VLC is a free and open source cross-platform multimedia player and framework
that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various
streaming protocols."

Source: https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8


Business recommendation:
------------------------
The identified vulnerability allows attackers to steal arbitrary files
(accessible by the app) from the mobile device.

SEC Consult recommends not to enable "Sharing over WiFi" feature in VLC
for iOS which allows wireless file transfer to/from PC until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Local file disclosure
The 'Sharing over WiFi' feature in VLC for iOS is vulnerable to a local file
disclosure vulnerability. An attacker can read any files which can be accessed
with current application privileges. This issue can lead to data theft.


Proof of concept:
-----------------
1) Local file disclosure
The example below shows how the LFD vulnerability can be exploited.

URL     : http://$IP:$PORT/download/<path-to-file-or-folder>
METHOD  : GET
EXAMPLE : http://$IP:$PORT/download//etc/passwd


The source code excerpt below shows the vulnerable code of the mobile app:

VULN. FILE : Sources/VLCHTTPConnection.m
VULN. CODE :
[...]
- (NSObject<HTTPResponse> *)_httpGETDownloadForPath:(NSString *)path
{
    NSString *filePath = [[path stringByReplacingOccurrencesOfString:@"/download/"
withString:@""]stringByReplacingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
    HTTPFileResponse *fileResponse = [[HTTPFileResponse alloc]
initWithFilePath:filePath forConnection:self];
    fileResponse.contentType = @"application/octet-stream";
    return fileResponse;
}
[...]


Vulnerable / tested versions:
-----------------------------
VLC version 2.7.8 has been tested on iOS 10.3.3 and found to be vulnerable.


Vendor contact timeline:
------------------------
2017-08-23: Contacting vendor through email
2017-08-23: Vendor replied, they are looking at it
2017-09-05: Asked for a status update from the vendor
2017-09-09: Vendor released patch in version 2.8.1
2017-09-13: Public release of advisory


Solution:
---------
Upgrade to the latest version available:
https://itunes.apple.com/us/app/vlc-for-mobile/id650377962?mt=8


Workaround:
-----------
Disable the 'Sharing over WiFi' feature.

#  0day.today [2018-03-17]  #