lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 26 Mar 2014 07:41:19 -0400
From: Justin Klein Keane <justin@...irish.net>
To: fulldisclosure@...lists.org
Subject: [FD] iThought App Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Authors: James Davis <james.p.davis@...look.com>, Justin C. Klein Keane

Description of Vulnerability
- ----------------------------
iThoughtsHD brings mind mapping to the iPad. Based on the award
winning iThoughts for iPhone, iThoughtsHD has been designed
specifically for the iPad. iThoughtsHD will import and export mindmaps
to and from many of the most popular desktop mindmap applications such
as MyThoughts, Freemind, Freeplane, XMind, Novamind, MindManager,
MindView, ConceptDraw MINDMAP, MindGenius and iMindmap.
(http://www.ithoughts.co.uk)

iThoughtsHD contains a cross site scripting (XSS or arbitrary script
injection) vulnerability (CVE-2014-1826) because it fails to sanitize
the map names before display, specifically when using the WiFi browser
transfer feature.

iThoughtsHD contains a null byte injection (arbitrary file upload)
vulnerability (CVE-2014-1827) because it fails to sanitize file names
being uploaded through the web interface when the iThoughts web server
is turned on.

iThoughtsHD contains a denial if service vulnerability (CVE-2014-1828)
because it fails to limit the the size of the file when uploading
through the browser to the iThoughts web server. This could allow a
malicious user to fill up all available storage space on a device.

Systems affected
- ----------------
iThoughtsHD 4.19 was tested and shown to be vulnerable

Impact
- ------
Attackers can misuse the application through the web server by
performing an arbitrary script injection (XSS) attacks. Arbitrary
script injection could allow an attacker to execute malicious
JavaScript on browsers viewing the WiFi sharing files. Using the null
byte injection vulnerability will be able to upload files of any type
to the iThoughts web server, which bypasses the filters used to limit
what file types can be uploaded. The denial of service vulnerability
can be used to upload files of any size which could fill up device
storage preventing further uploads.

Mitigating factors
- ------------------
The iThoughts web server (wifi sharing) must be turned on for these
vulnerabilities to be exposed.  Wifi sharing spawns a web server on a
predictable port.

Proof of Concept
- ----------------
XSS Vulnerability:

1.  Install the iThoughtsHD app on your iPad
2.  Click the plus sign on the top bar to create a new app
3.  To perform a XSS attack upload a file with the name <iframe
src=javascript:alert('xss')>
4.  Once the map is created, click the sharing button on the top bar
in app and select "WiFi Transfer"
5.  This will turn on the iThoughts web server
6.  A link will then appear that you can enter into your computer browser
7.  Once you navigate to the page you will see a popup containing xss

Null Byte Injection and Arbitrary File Upload Vulnerability:

1.  Install the iThoughtsHD app on your iPad
2.  Click the sharing button on the top bar in the app and select
"WiFi Transfer"
3.  This will turn on the iThoughts web server
4.  A link will then appear that you can enter into your computer browser
5.  On your desktop create a file to perform the attack newmap.html%00.txt
6.  Once the file is created navigate to the iThoughts web server
7.  Click "Browse" and select the file you just created and upload it
to the web server
8.  A new map will then appear with the name newmap.html

CVE
- ---
The CVE identifiers CVE-2014-1826, CVE-2014-1827, CVE-2014-1828 have
been assigned to the issues detailed in this report.

Timeline
- --------
Vendor acknowledged receipt on 24 January 2014.  Subsequent contacts
were unresponsive or no fix timeline was proposed.

- -- 
Justin C. Klein Keane
http://www.MadIrish.net
This report published at http://www.madirish.net/559

The digital signature on this e-mail may be verified using
the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iPwEAQECAAYFAlMyvN8ACgkQkSlsbLsN1gDpdgb+OxbVHAC3f71I78+doYYidON9
jzfyXxI7GIhU71fe13nkGjdfXwYLwtEcgETeLRfns5gRhPufzbCS0Sl6z9iQH4NJ
Yc+dT9yPAwOZuRKvpsifSzDvHn9wyD7L1DN6z5ibnfGq1O2ngUCKrb+hZjzyBET9
NnGKZeM6EqbPRk0NGV9o5Pja0aWXe4SwQA6814u1w9UX5RA1Tx5Sr1G4tzcta4B9
f6fYzkn36mzkbx25tBObiyC/FCb8WUKvRgtpeERelVUl4MxImATMmm9NcKm8zr0+
NCDCKtIOVnqsPz+zV5A=
=avDU
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ