Photo Transfer Wifi 1.4.4 iOS - Multiple Web Vulnerabilities
http://www.vulnerability-lab.com/get_content.php?id=1153
2013-12-02
1153
9.1
nsfer WiFi app is a straight and effortless way to transfer your photos and videos between iPhones, iPads
and computers. Forget about hassle with transferring your media via iTunes, iCloud. Features:
Send photos and videos from iPhone or iPod Touch to other iPhone with a simple drag and drop
Transfer media from your PC or Mac to iPhone or iPod Touch
Download photos and videos to your Computer from iPhone, iPod Touch, iPad and iPad Mini
Copy photos and videos from Computer to iPad or iPad Mini
Import HD videos to iPad or iPad Mini from iPhone
Exchange photos and videos between iPads over your local WiFi network
Make your pictures accessible from your iPhone or iPod Touch to other users on the same WiFi network
Share you media files on iPad or iPad Mini
Browse photos and videos shared on iDevices from any PC or Mac
Download shared media to your Computer
Receive photos and videos to iPhone or iPod Touch from iPad
Preview shared photos and videos in any browser
Use browser to download shared photos and videos from iDevices
Send photos and videos from any browser to your iPhone or iPad
(Copy of the Homepage: https://itunes.apple.com/en/app/photo-transfer-wifi-quickly/id674978018 )
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Photo Transfer WiFi v1.4.4 for apple iOS.
2013-12-02: Public Disclosure (Vulnerability Laboratory)
Published
Simplex Solutions Inc
Product: Photo Transfer WiFi 1.4.4
Remote
Critical
1.1
2 local command/path injection web vulnerabilities has been discovered in the Simplex Solutions Inc Photo Transfer WiFi v1.4.4 for apple iOS.
The remote web vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.
The vulnerability is located in the in the device name value of the index and sub category list module. Local attackers are
able to inject own script codes as iOS device name. The execute of the injected script code occurs in 2 different section with
persistent attack vector. The first section is the wifi app interface login were the application is listed. The secound execute
occurs after the login in the smallheader interface section.The security risk of the command/path inject vulnerabilities are
estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.2(+)|(-)7.3.
Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access
and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific
commands or unauthorized path requests.
Vulnerable Application(s):
[+] Photo Transfer Wifi v1.4.4
Vulnerable Parameter(s):
[+] devicename
Affected Module(s):
[+] Login - Device Name
[+] Index - Device Name
1.2
A persistent input validation web vulnerability has been discovered in the Simplex Solutions Inc Photo Transfer WiFi v1.4.4 for apple iOS.
The validation web vulnerability allows remote attackers to inject own malicious script codes by a persistent (application-side) attack vector.
The persistent input validation vulnerability is located in the album name value of the mobile application. Remote attackers and local low
privileged user accounts can inject own malicious persistent script codes as album name. The execute occurs in the main index album name list
and the sub category list. By exchange of the information the issue can be exploited by remote attackers by a low user interaction sync.
The security risk of the persistent vulnerabilities are estimated as medium(+) with a cvss (common vulnerability scoring system) count of 4.6(+).
Exploitation of the persistent web vulnerability requires no or a local low privileged mobile application account and low user interaction.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks,
persistent phishing or persistent module context manipulation.
Vulnerable Application(s):
[+] Photo Transfer Wifi v1.4.4
Vulnerable Parameter(s):
[+] albumname
Affected Module(s):
[+] Index - Album Name List
1.1
The local command/path inject web vulnerability via devicename value can be exploited by local low privileged or restricted device
user accounts & no user interaction. For security demonstration or to reproduce the command/path mobile app vulnerability follow
the provided information and steps below.
Manual steps to exploit the vulnerability …
PoC: Login > devicepreview - devicename
<div class="errormessage">
Invalid password. Try again!
</div>
<div class="youconnect">
You are now connecting to
</div>
<div class="devicepreview">
<div class="devicepreviewInternal">
<p class="devicename">
device bkm>"<<>"<x src="login_incorrect_files/">%20<x src=\…\<…/var/mobile/Library/[APP PATH]/">
</p>
<div class='deviceico'>
<img src="/devices_ico/iPadB.png">
</div>
</div>
</div>
<form method="POST" action="/login">
<div class='forminputs'>
<input type="password" name="password" class='passinput' placeholder='Enter Password' id="login_input">
<input type="submit" value="Connect" class='passsubmit'>
</div>
</form>
Note: The injected command or path request execute occurs in the login and error message module.
PoC: Index - smallheader > devicename
<body>
<div class="smallheader">
<img src="web/logo_small.png" style="float:left">
<div class="devicepreview" style="float:right">
<div class="devicepreviewInternal">
<p class="devicename">
device bkm ">%20<x src=\..\<../var/mobile/Library/[APP PATH]/>
</p>
<div class="deviceico">
<img src="/devices_ico/iPadB.png">
</div>
</div>
</div>
</div>
Note: The secound inject/execute is located after the login in the `smallheader` class were the devicename will be visible.
Reference(s):
http://localhost:8080/
1.2
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged web-application user account
and low user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps below.
Manual steps to reproduce the vulnerability …
PoC: Gallery > Album - albumtitle
<div class="albumtitle">
<><[PERSISTENT INJECTED SCRIPT CODE IN ALBUM NAME VALUE VIA POST METHOD INJECT!]>
</div>
<div class="albumsize">
3 Items
</div>
</a><div class="ziploaddiv"><a href="http://localhost:8080/gallery/album/?albumtitle=WallpapersHD&
album=assets-library%3A%2F%2Fgroup%2F%3Fid%3DC44B3062-3A67-4BFA-AF16-04CC8DE2CD29&partial=0" class="interceptme">
</a><a href="http://192.168.2.106:8080/gallery/zip_album/WallpapersHD.zip?album=assets-library%3A%2F%2Fgroup%2F%3Fid%3DC44B3062-
3A67-4BFA-AF16-04CC8DE2CD29" class="zipload" target="_blank">
<img src="localhost8080_files/download.png" class="ziploadimg" width="36px">
</a>
<div class="ziploadtext">
</div>
</div>
</div>
Note: The issue can be exploited by local privileged user accounts in the iOS photo app (default) or by a remote attacker via album to file sync.
(interceptme!?
Reference(s):
http://localhost:8080/gallery/album/?albumtitle=[ALBUM-NAME]
1.1
The command/path inject web vulnerabilities can be patched by a secure encode and parse of the devicename value.
Parse the devicename in the login section and in the smallheader class to devicename.
1.2
The persistent input validation web vulnerability can be patched by a secure parse and encode of the album name value.
All GET requests with the value and the input by sync needs to be filtered by a secure mechanism.
1.1
The security risk of the local command/path inject web vulnerabilities are estimated as high.
1.2
The security risk of the persistent album name web vulnerability is estimated as medium(+).
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ([email protected]) [www.vulnerability-lab.com]
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: [email protected] - [email protected] - [email protected]
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
– VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: [email protected]