Photo Transfer Wifi 1.4.4 iOS - Multiple Web Vulnerabilities

EDB-ID:

30000

CVE:

N/A




Platform:

iOS

Date:

2013-12-02


Document Title:
===============
Photo Transfer Wifi 1.4.4 iOS - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1153


Release Date:
=============
2013-12-02


Vulnerability Laboratory ID (VL-ID):
====================================
1153


Common Vulnerability Scoring System:
====================================
9.1


Product & Service Introduction:
===============================
nsfer WiFi app is a straight and effortless way to transfer your photos and videos between iPhones, iPads 
and computers. Forget about hassle with transferring your media via iTunes, iCloud. Features:

   -     Send photos and videos from iPhone or iPod Touch to other iPhone with a simple drag and drop
   -     Transfer media from your PC or Mac to iPhone or iPod Touch
   -     Download photos and videos to your Computer from iPhone, iPod Touch, iPad and iPad Mini
   -     Copy photos and videos from Computer to iPad or iPad Mini
   -     Import HD videos to iPad or iPad Mini from iPhone
   -     Exchange photos and videos between iPads over your local WiFi network
   -     Make your pictures accessible from your iPhone or iPod Touch to other users on the same WiFi network
   -     Share you media files on iPad or iPad Mini
   -     Browse photos and videos shared on iDevices from any PC or Mac
   -     Download shared media to your Computer
   -     Receive photos and videos to iPhone or iPod Touch from iPad
   -     Preview shared photos and videos in any browser
   -     Use browser to download shared photos and videos from iDevices
   -     Send photos and videos from any browser to your iPhone or iPad

(Copy of the Homepage: https://itunes.apple.com/en/app/photo-transfer-wifi-quickly/id674978018 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Photo Transfer WiFi v1.4.4 for apple iOS.


Vulnerability Disclosure Timeline:
==================================
2013-12-02:    Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Simplex Solutions Inc
Product: Photo Transfer WiFi 1.4.4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
1.1
2 local command/path injection web vulnerabilities has been discovered in the Simplex Solutions Inc Photo Transfer WiFi v1.4.4 for apple iOS.
The remote web vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.

The vulnerability is located in the in the device name value of the index and sub category list module. Local attackers are 
able to inject own script codes as iOS device name. The execute of the injected script code occurs in 2 different section with 
persistent attack vector. The first section is the wifi app interface login were the application is listed. The secound execute 
occurs after the login in the smallheader interface section.The security risk of the command/path inject vulnerabilities are 
estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.2(+)|(-)7.3.

Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access 
and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execute of system specific 
commands or unauthorized path requests.

Vulnerable Application(s):
				[+] Photo Transfer Wifi v1.4.4

Vulnerable Parameter(s):
				[+] devicename

Affected Module(s):
				[+] Login - Device Name
				[+] Index - Device Name



1.2
A persistent input validation web vulnerability has been discovered in the Simplex Solutions Inc Photo Transfer WiFi v1.4.4 for apple iOS.
The validation web vulnerability allows remote attackers to inject own malicious script codes by a persistent (application-side) attack vector.

The persistent input validation vulnerability is located in the album name value of the mobile application. Remote attackers and local low 
privileged user accounts can inject own malicious persistent script codes as album name. The execute occurs in the main index album name list
and the sub category list. By exchange of the information the issue can be exploited by remote attackers by a low user interaction sync. 
The security risk of the persistent vulnerabilities are estimated as medium(+) with a cvss (common vulnerability scoring system) count of 4.6(+).

Exploitation of the persistent web vulnerability requires no or a local low privileged mobile application account and low user interaction. 
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks, 
persistent phishing or persistent module context manipulation.


Vulnerable Application(s):
				[+] Photo Transfer Wifi v1.4.4

Vulnerable Parameter(s):
				[+] albumname

Affected Module(s):
				[+] Index - Album Name List


Proof of Concept (PoC):
=======================
1.1
The local command/path inject web vulnerability via devicename value can be exploited by local low privileged or restricted device 
user accounts & no user interaction. For security demonstration or to reproduce the command/path mobile app vulnerability follow 
the provided information and steps below.


Manual steps to exploit the vulnerability ...

1.  Install the photo transfer wifi iOS mobile application
2.  Open the iOS settings and switch to the info > device name input
3.  Include your name and the payload to execute an app command or request a local device path (">%20<x src=\..\<../var/mobile/Library/[APP PATH]/">)
4.  Save the input and open the photo transfer wifi app
Note: After the startup the web-server is available
5.  Open the url following url to the web interface of the mobile application (http://localhost:8080)
6.  The first execute occurs in the error message with the devicename value of the login
7.  Successful reproduce of the first vulnerability done ... let us watch now the secound issue of the devicename after the login
8.  Exclude in the iOS device settings the payload, save and open the service via web-server http request
9.  Login to the interface with the default username
10. The execute of the command or path request occurs after the login in the devicename value
11. Successful reproduce of the secound vulnerability done!


PoC: Login > devicepreview - devicename

  <div class="errormessage">
            Invalid password. Try again!
        </div>
        <div class="youconnect">
            You are now connecting to
        </div>
        <div class="devicepreview">
            <div class="devicepreviewInternal">
                <p class="devicename">
                device bkm>"<<>"<x src="login_incorrect_files/">%20<x src=\..\<../var/mobile/Library/[APP PATH]/">
                </p>
                <div class='deviceico'>
                    <img src="/devices_ico/iPadB.png">
                </div>
            </div>
        </div>
        
        <form method="POST" action="/login">
            <div class='forminputs'>
                <input type="password" name="password" class='passinput' placeholder='Enter Password' id="login_input">
                <input type="submit" value="Connect" class='passsubmit'>
            </div>
        </form>

Note: The injected command or path request execute occurs in the login and error message module.



PoC: Index - smallheader > devicename

   <body>
        
        <div class="smallheader">
            <img src="web/logo_small.png" style="float:left">
                <div class="devicepreview" style="float:right">
                    <div class="devicepreviewInternal">
                        <p class="devicename">
                        device bkm ">%20<x src=\..\<../var/mobile/Library/[APP PATH]/>
                        </p>
                        <div class="deviceico">
                            <img src="/devices_ico/iPadB.png">
                                </div>
                    </div>
                </div>
                </div>

Note: The secound inject/execute is located after the login in the `smallheader` class were the devicename will be visible.

Reference(s):
http://localhost:8080/



1.2
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged web-application user account 
and low user interaction. For security demonstration or to reproduce the vulnerability follow the information and steps below.


Manual steps to reproduce the vulnerability ...

1. Install the photo transfer wifi mobile app
2. Open the iOS photo app (default software)
3. Add a new album and inject into the album name your own script code (payload)
4. Open the photo transfer wifi mobile app
5. Go to the local web-server url (localhost:8080)
Note: After the login to the interface the index displays an album name listing
6. The script code execute occurs with persistent attack vector in the index album name list context
7. Successful reproduce of the vulnerability done!


PoC: Gallery > Album - albumtitle

<div class="albumtitle">
        <><[PERSISTENT INJECTED SCRIPT CODE IN ALBUM NAME VALUE VIA POST METHOD INJECT!]>
    </div>
    <div class="albumsize">
        3 Items
    </div>
    </a><div class="ziploaddiv"><a href="http://localhost:8080/gallery/album/?albumtitle=WallpapersHD&
album=assets-library%3A%2F%2Fgroup%2F%3Fid%3DC44B3062-3A67-4BFA-AF16-04CC8DE2CD29&partial=0" class="interceptme">
</a><a href="http://192.168.2.106:8080/gallery/zip_album/WallpapersHD.zip?album=assets-library%3A%2F%2Fgroup%2F%3Fid%3DC44B3062-
3A67-4BFA-AF16-04CC8DE2CD29" class="zipload" target="_blank">
<img src="localhost8080_files/download.png" class="ziploadimg" width="36px">
        </a>
        <div class="ziploadtext">
        </div>
    </div>
</div>


Note: The issue can be exploited by local privileged user accounts in the iOS photo app (default) or by a remote attacker via album to file sync. 
(interceptme!? ;)


Reference(s):
http://localhost:8080/gallery/album/?albumtitle=[ALBUM-NAME]


Solution - Fix & Patch:
=======================
1.1
The command/path inject web vulnerabilities can be patched by a secure encode and parse of the devicename value.
Parse the devicename in the login section and in the smallheader class to devicename.

1.2
The persistent input validation web vulnerability can be patched by a secure parse and encode of the album name value.
All GET requests with the value and the input by sync needs to be filtered by a secure mechanism.


Security Risk:
==============
1.1
The security risk of the local command/path inject web vulnerabilities are estimated as high.

1.2
The security risk of the persistent album name web vulnerability is estimated as medium(+).



Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright � 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com