FileMaster SY-IT 3.1 iOS - Multiple Web Vulnerabilities

EDB-ID:

30375

CVE:

N/A




Platform:

iOS

Date:

2013-12-17


Document Title:
===============
FileMaster SY-IT v3.1 iOS - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1170


Release Date:
=============
2013-12-16


Vulnerability Laboratory ID (VL-ID):
====================================
1170


Common Vulnerability Scoring System:
====================================
8.2


Product & Service Introduction:
===============================
FileMaster is a file manager, downloader, document viewer, video/audio player, text editor, wifi drive, and more 
for iPhone, iPad & iPod Touch. Transfer files from your computer, carry them around with you, and share them with 
your friends. Using FileMaster is easy. Just long-press on a file or folder icon to display a popup menu. 

Simply tap your selection and you’re ready to go. You can tap on the screen to copy, paste, create folders and so on.
There’s no need to worry about the security of FileMaster, either. Your files can be accessed remotely with a password 
or locally with a master passcode. No one but you will see what’s in your FileMaster. With FileMaster, you can easily 
share files with your friends (peer-to-peep only) using Bluetooth.

(Copy of the Homepage: https://itunes.apple.com/en/app/filemaster-file-manager-downloader/id582219355 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the Shenzhen Youmi IT Co. Ltd - FileMaster v3.1 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2013-12-16:    Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Shenzhen Youmi Information Technology Co. Ltd
Product: FileMaster - File Manager & Downloader (Mobile Application) 3.1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.2
A local file/path include web vulnerability has been discovered in the Shenzhen Youmi IT Co. Ltd FileMaster v3.1 mobile web-application for apple iOS.
The local file include web vulnerability allows remote attackers to unauthorized include local file requests or system specific path commands to 
compromise the web-application or device.

The remote file include web vulnerability is located in the vulnerable `filename` value of the `start upload` module (web interface). Remote attackers 
can manipulate the POST method request of  `filename` value in the `start upload` module to compromise the mobile application. The attack vector is 
persistent and the request method is POST. The local file/path include execute occcurs in the main `file dir index` list. 

A secound possibility to execute the payload by usage of the compress function. After the payload with a non executable has been injected the 
attacker can use the compress function to generate a .zip package. The generated zip executes the payload in the filename itself and affects 
the main index listing too. The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability 
scoring system) count of 8.1(+)|(-)8.2.

Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password. 
Successful exploitation of the local web vulnerability results in application or connected device component compromise by unauthorized local 
file include web attacks.

Request Method(s):
				[+] [POST]

Vulnerable Module(s):
				[+] Start Upload

Vulnerable Parameter(s):
				[+] filename

Affected Module(s):
				[+] Index File Dir List (http://localhost:8000)



1.2
A local file/path include web vulnerability has been discovered in the Shenzhen Youmi IT Co. Ltd FileMaster v3.1 mobile web-application for apple iOS.
The local file include web vulnerability allows remote attackers to unauthorized include local file requests or system specific path commands to 
compromise the web-application or device.

The remote file include web vulnerability is located in the vulnerable `folder/path` value of the `Create Folder` module  (web interface).
Remote attackers can inject own local file requests or system specific path commands as `folder name`. The request method is POST and the 
attack vector is persistent. The local file/path include execute occcurs in the main `file dir index` list. The security risk of the local 
file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.0(+)|(-)8.1.

Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password. 
Successful exploitation of the local web vulnerability results in application or device compromise by unauthorized local file include attacks.

Request Method(s):
				[+] [POST]

Vulnerable Module(s):
				[+] Create Folder

Vulnerable Parameter(s):
				[+] folder to path

Affected Module(s):
				[+] Index Folder Dir List (http://localhost:8000)



1.3 (1.1)
An arbitrary file upload web vulnerability has been discovered in the Shenzhen Youmi IT Co. Ltd FileMaster v3.1 mobile web-application for apple iOS.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server filter or system validation.

The vulnerability is located in the `start upload` module. Remote attackers are able to upload a php or js web-shells by a rename of the original file 
with multiple extensions to bypass the file restriction or upload filter mechanism. The attacker uploads for example a web-shell with the following 
name and extension `image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg & . gif 
file extension and can access the application with elevated access rights. The security risk of the arbitrary file upload web vulnerability is estimated 
as high with a cvss (common vulnerability scoring system) count of 7.0(+)|(-)7.1.

Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged web-application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of for example web-shells.


Request Method(s):
				[+] [POST]

Vulnerable Module(s):
				[+] Start Upload

Vulnerable Parameter(s):
				[+] filename (multiple extensions)

Affected Module(s):
				[+] Index File Dir List (http://localhost:8000)


Proof of Concept (PoC):
=======================
1.1
The first file include web vulnerability can be exploited by remote attackers without privileged web-application user account and user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

Manual reproduce of the vulnerability ...

1. Install and start the app (iphone or ipad)
2. Start your web browser and open the following local standard web-server url ( http://localhost:8000 )
3. Start to tamper your web session in the browser and click the `Start Upload` button
4. Choose a file and manipulate the filename value by exchange with your own payload (local file request)
5. After the request has been stored in the app you only refresh the index listing
6. Now, the first local file request execute occurs in the index listing
Note: Now, we let the system generate a compressed file with the same payload to execute the malicious request as filename value
6. Open the item listing and click in the file option menu the file `compress` (Packen) button
7. The local file include executes in the upload path of the file
8. Successful reproduce of the vulnerability!


PoC:  filename (compress)

<div align="left"> <input name="selfiles" value="[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!]"" 
src="FileMaster-filename_files/a_002.txt" 
onclick="clickfile(this);" type="checkbox">  
<a href="http://localhost:8000/%3E%22%3C[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].zip" 
target="_blank"><img src="FileMaster-filename_files/zip.png" 
class="imgbt"> >"<[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].zip"></div></th>
<td><div



1.2
The second file include web vulnerability can be exploited by remote attackers without privileged web-application user account 
and user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

Manual reproduce of the vulnerability ...

1. Install and start the app (iphone or ipad)
2. Start your web browser and open the following local standard web-server url ( http://localhost:8000 )
3. Click the `Create Folder` or `Edit Folder` button
4. Inject your payload to the name value input field
5. The payload execute occurs in the main file dir index or sub category list
6. Successful reproduce of the vulnerability!

PoC: Folder/Path name (index)

<div align="left"> <input name="selfiles" value=">" <iframe="LOCAL FILE INCLUDE VULNERABILITY VIA PATH VALUE!]" 
onclick="clickfile(this);" type="checkbox">  <a href="http://192.168.2.106:8000/%3E%22%3CLOCAL FILE INCLUDE VULNERABILITY VIA PATH VALUE!]:/">
<img src="LOCAL FILE INCLUDE VULNERABILITY VIA PATH VALUE!]/directory.png" 
class="imgbt"> >"<iframe src="LOCAL FILE INCLUDE VULNERABILITY VIA PATH VALUE!]/x.txt"></div></th>
<td><div
align="right">2013-12-14 23:33</div></td>
<td><div 


Solution - Fix & Patch:
=======================
1.1
The first file include web vulnerability can be fixed by a secure encode and parse of the vulnerable filename value and selfiles input field.
Restrict and encode the file names in the POST method request of the start upload function to prevent file include attacks.

1.2
The second file include vulnerability can be patched by a secure parse and encode of the path and folder names.
Restrict and parse the vulnerable create and edit functions but also the broken index output name validation.


Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the filename value is estimated as high(+).

1.2
The security risk of the local file include web vulnerability in the folder/path name value is estimated as high.

1.3
the arbitrary file upload and restricted file upload bypass vulnerability is estimated as high(-).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com