Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Photo Transfer Wifi 1.4.4 iOS - Multiple Web Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab com>
Date: Mon, 02 Dec 2013 13:57:14 +0100

Document Title:
===============
Photo Transfer Wifi 1.4.4 iOS - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1153


Release Date:
=============
2013-12-02


Vulnerability Laboratory ID (VL-ID):
====================================
1153


Common Vulnerability Scoring System:
====================================
9.1


Product & Service Introduction:
===============================
nsfer WiFi app is a straight and effortless way to transfer your photos and videos between iPhones, iPads 
and computers. Forget about hassle with transferring your media via iTunes, iCloud. Features:

   -     Send photos and videos from iPhone or iPod Touch to other iPhone with a simple drag and drop
   -     Transfer media from your PC or Mac to iPhone or iPod Touch
   -     Download photos and videos to your Computer from iPhone, iPod Touch, iPad and iPad Mini
   -     Copy photos and videos from Computer to iPad or iPad Mini
   -     Import HD videos to iPad or iPad Mini from iPhone
   -     Exchange photos and videos between iPads over your local WiFi network
   -     Make your pictures accessible from your iPhone or iPod Touch to other users on the same WiFi network
   -     Share you media files on iPad or iPad Mini
   -     Browse photos and videos shared on iDevices from any PC or Mac
   -     Download shared media to your Computer
   -     Receive photos and videos to iPhone or iPod Touch from iPad
   -     Preview shared photos and videos in any browser
   -     Use browser to download shared photos and videos from iDevices
   -     Send photos and videos from any browser to your iPhone or iPad

(Copy of the Homepage: https://itunes.apple.com/en/app/photo-transfer-wifi-quickly/id674978018 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Photo Transfer WiFi v1.4.4 
for apple iOS.


Vulnerability Disclosure Timeline:
==================================
2013-12-02:    Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Simplex Solutions Inc
Product: Photo Transfer WiFi 1.4.4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
1.1
2 local command/path injection web vulnerabilities has been discovered in the Simplex Solutions Inc Photo Transfer WiFi 
v1.4.4 for apple iOS.
The remote web vulnerability allows to inject local commands via vulnerable system values to compromise the apple 
mobile iOS application.

The vulnerability is located in the in the device name value of the index and sub category list module. Local attackers 
are 
able to inject own script codes as iOS device name. The execute of the injected script code occurs in 2 different 
section with 
persistent attack vector. The first section is the wifi app interface login were the application is listed. The secound 
execute 
occurs after the login in the smallheader interface section.The security risk of the command/path inject 
vulnerabilities are 
estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.2(+)|(-)7.3.

Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with 
restricted access 
and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system 
specific 
commands or unauthorized path requests.

Vulnerable Application(s):
                                [+] Photo Transfer Wifi v1.4.4

Vulnerable Parameter(s):
                                [+] devicename

Affected Module(s):
                                [+] Login - Device Name
                                [+] Index - Device Name



1.2
A persistent input validation web vulnerability has been discovered in the Simplex Solutions Inc Photo Transfer WiFi 
v1.4.4 for apple iOS.
The validation web vulnerability allows remote attackers to inject own malicious script codes by a persistent 
(application-side) attack vector.

The persistent input validation vulnerability is located in the album name value of the mobile application. Remote 
attackers and local low 
privileged user accounts can inject own malicious persistent script codes as album name. The execute occurs in the main 
index album name list
and the sub category list. By exchange of the information the issue can be exploited by remote attackers by a low user 
interaction sync. 
The security risk of the persistent vulnerabilities are estimated as medium(+) with a cvss (common vulnerability 
scoring system) count of 4.6(+).

Exploitation of the persistent web vulnerability requires no or a local low privileged mobile application account and 
low user interaction. 
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via 
persistent web attacks, 
persistent phishing or persistent module context manipulation.


Vulnerable Application(s):
                                [+] Photo Transfer Wifi v1.4.4

Vulnerable Parameter(s):
                                [+] albumname

Affected Module(s):
                                [+] Index - Album Name List


Proof of Concept (PoC):
=======================
1.1
The local command/path inject web vulnerability via devicename value can be exploited by local low privileged or 
restricted device 
user accounts & no user interaction. For security demonstration or to reproduce the command/path mobile app 
vulnerability follow 
the provided information and steps below.


Manual steps to exploit the vulnerability ...

1.  Install the photo transfer wifi iOS mobile application
2.  Open the iOS settings and switch to the info > device name input
3.  Include your name and the payload to execute an app command or request a local device path (">%20<x 
src=\..\<../var/mobile/Library/[APP PATH]/">)
4.  Save the input and open the photo transfer wifi app
Note: After the startup the web-server is available
5.  Open the url following url to the web interface of the mobile application (http://localhost:8080)
6.  The first execute occurs in the error message with the devicename value of the login
7.  Successful reproduce of the first vulnerability done ... let us watch now the secound issue of the devicename after 
the login
8.  Exclude in the iOS device settings the payload, save and open the service via web-server http request
9.  Login to the interface with the default username
10. The execute of the command or path request occurs after the login in the devicename value
11. Successful reproduce of the secound vulnerability done!


PoC: Login > devicepreview - devicename

  <div class="errormessage">
            Invalid password. Try again!
        </div>
        <div class="youconnect">
            You are now connecting to
        </div>
        <div class="devicepreview">
            <div class="devicepreviewInternal">
                <p class="devicename">
                device bkm>"<<>"<x src="login_incorrect_files/">%20<x src=\..\<../var/mobile/Library/[APP PATH]/">
                </p>
                <div class='deviceico'>
                    <img src="/devices_ico/iPadB.png">
                </div>
            </div>
        </div>
        
        <form method="POST" action="/login">
            <div class='forminputs'>
                <input type="password" name="password" class='passinput' placeholder='Enter Password' id="login_input">
                <input type="submit" value="Connect" class='passsubmit'>
            </div>
        </form>

Note: The injected command or path request execute occurs in the login and error message module.



PoC: Index - smallheader > devicename

   <body>
        
        <div class="smallheader">
            <img src="web/logo_small.png" style="float:left">
                <div class="devicepreview" style="float:right">
                    <div class="devicepreviewInternal">
                        <p class="devicename">
                        device bkm ">%20<x src=\..\<../var/mobile/Library/[APP PATH]/>
                        </p>
                        <div class="deviceico">
                            <img src="/devices_ico/iPadB.png">
                                </div>
                    </div>
                </div>
                </div>

Note: The secound inject/execute is located after the login in the `smallheader` class were the devicename will be 
visible.

Reference(s):
http://localhost:8080/



1.2
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged 
web-application user account 
and low user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps 
below.


Manual steps to reproduce the vulnerability ...

1. Install the photo transfer wifi mobile app
2. Open the iOS photo app (default software)
3. Add a new album and inject into the album name your own script code (payload)
4. Open the photo transfer wifi mobile app
5. Go to the local web-server url (localhost:8080)
Note: After the login to the interface the index displays an album name listing
6. The script code execute occurs with persistent attack vector in the index album name list context
7. Successful reproduce of the vulnerability done!


PoC: Gallery > Album - albumtitle

<div class="albumtitle">
        <><[PERSISTENT INJECTED SCRIPT CODE IN ALBUM NAME VALUE VIA POST METHOD INJECT!]>
    </div>
    <div class="albumsize">
        3 Items
    </div>
    </a><div class="ziploaddiv"><a href="http://localhost:8080/gallery/album/?albumtitle=WallpapersHD&;
album=assets-library%3A%2F%2Fgroup%2F%3Fid%3DC44B3062-3A67-4BFA-AF16-04CC8DE2CD29&partial=0" class="interceptme">
</a><a 
href="http://192.168.2.106:8080/gallery/zip_album/WallpapersHD.zip?album=assets-library%3A%2F%2Fgroup%2F%3Fid%3DC44B3062-
3A67-4BFA-AF16-04CC8DE2CD29" class="zipload" target="_blank">
<img src="localhost8080_files/download.png" class="ziploadimg" width="36px">
        </a>
        <div class="ziploadtext">
        </div>
    </div>
</div>


Note: The issue can be exploited by local privileged user accounts in the iOS photo app (default) or by a remote 
attacker via album to file sync. 
(interceptme!? ;)


Reference(s):
http://localhost:8080/gallery/album/?albumtitle=[ALBUM-NAME]


Solution - Fix & Patch:
=======================
1.1
The command/path inject web vulnerabilities can be patched by a secure encode and parse of the devicename value.
Parse the devicename in the login section and in the smallheader class to devicename.

1.2
The persistent input validation web vulnerability can be patched by a secure parse and encode of the album name value.
All GET requests with the value and the input by sync needs to be filtered by a secure mechanism.


Security Risk:
==============
1.1
The security risk of the local command/path inject web vulnerabilities are estimated as high.

1.2
The security risk of the persistent album name web vulnerability is estimated as medium(+).



Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss 
of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such 
damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack 
into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com            - admin () evolution-sec 
com
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com                   - 
magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the 
use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, 
videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, 
list (feed), 
modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a 
permission.

                                Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Photo Transfer Wifi 1.4.4 iOS - Multiple Web Vulnerabilities Vulnerability Lab (Dec 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault