Message-ID: <50E6D942.2030805@pentest.co.uk>
Date: Fri, 04 Jan 2013 13:29:38 +0000
From: Paul Johnston <paul.johnston@...test.co.uk>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Directory traversal in Eye-Fi Helper < 3.4.23
Directory traversal in Eye-Fi Helper < 3.4.23
=============================================
Author: Paul Johnston, paul.johnston@...test.co.uk
Company: Pentest Ltd, http://www.pentest.co.uk/
Date: 3 Jan 2013
URL: http://www.pentest.co.uk/documents/ptl-2013-01.html
Software: Eye-Fi Helper < 3.4.23
Vendor: http://www.eye.fi/
CVE: CVE-2011-4696
Overview
--------
An Eye-Fi card is an SD card with integrated WiFi, which can automatically
transfer photos to a computer over a wireless network. The Eye-Fi Helper
software runs on a Windows computer and receives the images. Pentest have
identified a security vulnerability in this software that makes it possible
for a hacker to take control of the Windows computer.
The hacker does need access to the wireless network to exploit this, so the
attack is relevant in a scenario like a cafe, where the network is shared.
The protocol has additional protection when used with an open hotspot, which
has not been investigated. Correct operation of the Eye-Fi card requires the
user to allow the port through their firewall. However, the exploit only
works by tampering with a legitimate connection; the software cannot be
attacked when not in active use.
Technical details
-----------------
When the card sends an image to the helper, it actually sends a tar file
that contains the image and some optional supplemental information, such as
geolocation data. The card passes a "filesignature" to the helper, which
saves the tar file in a location like:
C:\Documents and Settings\<user>\Local Settings\Application Data\Eye-Fi\
spool\delivery\<mac address>\<filesignature>
However, the file signature is not checked for special characters, so it
can be set to something like:
../../../../../../Start Menu/Programs/Startup/payload.exe
which will write it to:
C:\Documents and Settings\<user>\Start Menu\Programs\Startup\payload.exe
In this case, the next time the computer is started, the payload will be
executed.
Successful exploitation also relies on some other weaknesses in the protocol
that the card and helper use to communicate. These weaknesses make it
possible to perform a man-in-the-middle attack and to tamper with the
content of files. However, given the expected usage of the software, these
weaknesses seem acceptable.
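To make the path-handling flaw concrete, the following is an added example (not code from the advisory or from Eye-Fi) that emulates the helper's path construction with Python's ntpath module, so the Windows path semantics can be checked on any platform. The spool root, the MAC address and the sample file names are constructed; the vulnerable function shows how the unchecked "filesignature" resolves to the Startup folder, and the hardened function shows the check a defender would want: treat the signature as a bare file name and verify the normalised target still lies inside the per-card delivery directory.

```python
import ntpath

# Constructed spool root mirroring the layout described in the advisory.
SPOOL_ROOT = r"C:\Documents and Settings\user\Local Settings\Application Data\Eye-Fi\spool\delivery"
# Constructed MAC address directory name; any card-specific value would do.
CARD_MAC = "00-18-56-00-00-01"


def vulnerable_spool_path(filesignature: str, mac: str = CARD_MAC, root: str = SPOOL_ROOT) -> str:
    """Path the helper writes to when the filesignature is used unchecked.

    ntpath.normpath collapses '..' segments and accepts '/' as a separator,
    which is exactly what lets a traversal signature escape the spool tree.
    """
    return ntpath.normpath(ntpath.join(root, mac, filesignature))


def is_valid_filesignature(filesignature: str) -> bool:
    """A filesignature must be a single, non-empty file name component."""
    if not filesignature or filesignature in (".", ".."):
        return False
    # Separators, drive letters and NTFS stream syntax have no place in a bare name.
    return not any(c in filesignature for c in "/\\:")


def is_inside(path: str, directory: str) -> bool:
    """True if `path` equals `directory` or is below it (case-insensitive, as on NTFS)."""
    dir_n = ntpath.normcase(ntpath.normpath(directory))
    path_n = ntpath.normcase(ntpath.normpath(path))
    return path_n == dir_n or path_n.startswith(dir_n + ntpath.sep)


def safe_spool_path(filesignature: str, mac: str = CARD_MAC, root: str = SPOOL_ROOT) -> str:
    """Hardened variant: reject anything that is not a bare name inside the card's directory."""
    if not is_valid_filesignature(filesignature):
        raise ValueError("filesignature must be a bare file name")
    card_dir = ntpath.join(root, mac)
    target = ntpath.normpath(ntpath.join(card_dir, filesignature))
    # Defence in depth: confirm the resolved path did not leave the card directory.
    if not is_inside(target, card_dir):
        raise ValueError("resolved path escapes the spool directory")
    return target
```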
Exploit
-------
We have produced a video demonstration of the exploit in action:
https://www.youtube.com/watch?v=vnBQCt7-f6k
The exploit script uses some interesting techniques, and is available on our
web site:
http://www.pentest.co.uk/documents/eyepwn.zip
Solution
--------
Eye-Fi have released an update to Eye-Fi Helper (version 3.4.23), which
includes the fix. The release notes mention security improvements, but do
not explicitly state that the update fixes a security flaw.
Beta version 3.4.18a also includes the fix - this information may be
particularly useful to scanning vendors.
--
Pentest - The Application Security Specialists
Paul Johnston - IT Security Consultant / Tiger SST
PenTest Limited - ISO 9001 (44/100/107029) / ISO 27001 (IS 558982)
Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072
Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK