lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAJB2Jztmhvj2hNxJJsciT8C7=y3Wdq382p9OwUQzaXrxv33O3g@mail.gmail.com>
Date: Tue, 21 Apr 2015 11:48:00 +0200
From: Mario Vilas <mvilas@...il.com>
To: Vulnerability Lab <research@...nerability-lab.com>
Cc: fulldisclosure <fulldisclosure@...lists.org>
Subject: Re: [FD] Photo Manager Pro 4.4.0 iOS - Code Execution Vulnerability

This looks like a reflected XSS, not a code execution vulnerability as the
term is commonly understood.

On Tue, Apr 21, 2015 at 11:34 AM, Vulnerability Lab <
research@...nerability-lab.com> wrote:

> Document Title:
> ===============
> Photo Manager Pro 4.4.0 iOS - Code Execution Vulnerability
>
>
> References (Source):
> ====================
> http://www.vulnerability-lab.com/get_content.php?id=1444
>
>
> Release Date:
> =============
> 2015-03-10
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1444
>
>
> Common Vulnerability Scoring System:
> ====================================
> 8.6
>
>
> Product & Service Introduction:
> ===============================
> Do you have troubles for managing thousands of photos and videos? Do you
> have any private photos or videos? Are you looking for a photo portfolio
> app?
> Photo Manager Pro is exactly you are looking for. Photo Manager Pro is
> extremely easy to use. TP Transfer: Transfer folders and files between
> computer
> and device over wifi network. HTTP Transfer: Transfer files between
> computer and device over wifi network. View photos in the browser. Peer to
> Peer
> Transfer: Directly transfer files between iPad, iPhone and iPod Touch over
> wifi network. USB Transfer: Import/Export photos from/to iTunes file
> sharing.
> Basic Transfer: Import/Export photos from/to the Photos app.
>
> (Copy of the Vendor Homepage:
> https://itunes.apple.com/de/app/photo-manager-pro/id393858562 &
> http://www.linkusnow.com/photomanager/help/ipad/help_main.php )
>
>
> Abstract Advisory Information:
> ==============================
> The Vulnerability Laboratory Research Team discovered a code execution
> vulnerability in the official Linkus Photo Manager Pro v4.4.0 iOS mobile
> web-application.
>
>
> Vulnerability Disclosure Timeline:
> ==================================
> 2015-03-10:     Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Affected Product(s):
> ====================
> Linkus
> Product: Photo Manager Pro - iOS Mobile Web Application (Wifi) 4.4.0
>
>
> Exploitation Technique:
> =======================
> Remote
>
>
> Severity Level:
> ===============
> Critical
>
>
> Technical Details & Description:
> ================================
> An arbitrary code execution vulnerability has been discovered in the
> official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.
> The vulnerability allows remote attackers to execute malicious codes on
> the application-side of the vulnerable app to compromise the
> target mobile device.
>
> The vulnerability is located in the `folderName` value of the
> `newfolder.action` module. Remote attackers are able to manipulate the
> `folderName` value in the `index.html#?w=300` file POST method request to
> compromise the application, user session information or connected
> device components. The attacker tampers the new Folder POST method request
> to exchange the regular folderName value with special crafted code.
> The input context is becomes visible at the main index service or
> subfolder (path). The vector of the vulnerability is located on the
> application-side.
>
> The security risk of the arbitrary code execution vulnerability is
> estimated as high with a cvss (common vulnerability scoring system) count
> of 8.6.
> Exploitation of the arbitrary code execution vulnerability requires no
> user interaction or privileged web-application user account with password.
> Successful exploitation of the vulnerability results in session hijacking,
> persistent phishing, persistent external redirects and persistent
> manipulation function or connected module context.
>
> Request Method(s):
>                                 [+] [POST]
>
> Vulnerable Module(s):
>                                 [+] newfolder.action
>
> Vulnerable Parameter(s):
>                                 [+] folderName
>
> Affected Module(s):
>                                 [+] Index (http://localhost:8080)
>                                 [+] Sub Category Path
>
>
> Proof of Concept (PoC):
> =======================
> The code execution vulnerability can be exploited by remote attackers
> without privileged application user account or user interaction.
> For security demonstration or to reproduce the vulnerability follow the
> provided information and steps below to continue.
>
> PoC: Create Folder
>
> <div id="main"><div id="breadcrumb">Home</div>
> <div id="content"><ul id="folders_ul"><li><div class="folder_item_bg"><img
> src="images/blank.gif" class="blank"><a
> href="browse_folder.html?folderID=1"><img src="images/blank_thumbnail.png"
> height="86" width="80"></a></div><div class="folder_label"><a
> href="browse_folder.html?folderID=1">Family</a></div></li><li><div
> class="folder_item_bg"><img src="images/blank.gif" class="blank"><a
> href="browse_folder.html?folderID=2"><img src="images/blank_thumbnail.png"
> height="86" width="80"></a></div><div class="folder_label"><a
> href="browse_folder.html?folderID=2">Friends</a></div></li><li><div
> class="folder_item_bg"><img src="images/blank.gif" class="blank"><a
> href="browse_folder.html?folderID=3"><img src="images/blank_thumbnail.png"
> height="86" width="80"></a></div><div class="folder_label"><a
> href="browse_folder.html?folderID=3">Travel</a></div></li><li><div
> class="folder_item_bg"><img src="images/blank.gif" class="blank"><a
> href="browse_folder.html?folderID=4"><img src="images/blank_thumbnail.png"
> height="86" width="80"></a></div><div class="folder_label"><a
> href="browse_folder.html?folderID=4">Shopping</a></div></li><li><div
> class="folder_item_bg"><img src="images/blank.gif" class="blank"><a
> href="browse_folder.html?folderID=5"><img src="images/blank_thumbnail.png"
> height="86" width="80"></a></div><div class="folder_label"><a
> href="browse_folder.html?folderID=5">Funny;[CODE EXECUTION VULNERABILITY
> VIA FOLDERNAME!]></a></div></iframe></a></div></li></ul></div>
>     </div>
>
> ... after surfing to the created folder
>
> <div id="wrapper">
>             <div id="header">
>                 <div id="title">
>                     <h1>Photo Manager Pro</h1>
>                 </div>
>             </div>
>             <div id="main">
>                 <div id="breadcrumb"><span id="breadcrumb_span"><a
> href="index.html">Home</a><label> > <a
> href="browse_folder.html?folderID=5">Funny;[CODE EXECUTION VULNERABILITY
> VIA FOLDERNAME!]></a></label></x></a></label></span></div>
>                         <form id="download_form" action="download.action"
> method="post">
>                 <div id="content"><ul></ul></div>
>                         </form>
>             </div>
>
>
> PoC: Vulnerable Source
>       }
>
>       function createFolder() {
>         $.ajax({
>              type: 'POST',
>              url: 'newfolder.action',
>              cache: false,
>              dataType: 'json',
>                data: {folderName:$('#foldername').attr('value'),
> isSubfolder:$('#is_subfolder_hidden').attr('value'),
> parentFolderID:$('#parent_folder_hidden').attr('value')},
>              async: false,
>              success: function(result) {
>                 window.location.reload(false);
>             }
>         });
>       }
>   </script>
>
>
> --- Poc Session Logs [POST] (Inject) ---
> Status: 200[OK]
> POST http://localhost:8080/newfolder.action
> Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Größe des Inhalts[23]
> Mime Type[application/x-unknown-content-type]
>    Request Header:
>       Host[localhost:8080]
>       User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0)
> Gecko/20100101 Firefox/35.0]
>       Accept[application/json, text/javascript, */*; q=0.01]
>       Accept-Language[de,en-US;q=0.7,en;q=0.3]
>       Accept-Encoding[gzip, deflate]
>       Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
>       X-Requested-With[XMLHttpRequest]
>       Referer[http://localhost:8080/index.html]
>       Content-Length[50]
>       Cookie[isenabledpasscode=false]
>       Connection[keep-alive]
>       Pragma[no-cache]
>       Cache-Control[no-cache]
>    POST-Daten:
>       folderName[*/-CODE EXECUTION VULNERABILITY!;]
>       isSubfolder[0]
>       parentFolderID[0]
>    Response Header:
>       Accept-Ranges[bytes]
>       Content-Length[23]
>       Date[Do., 05 März 2015 20:34:46 GMT]
>
> Status: 200[OK]
> GET http://localhost:8080/index.html
> Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ]
> Größe des Inhalts[9421] Mime Type[application/x-unknown-content-type]
>    Request Header:
>       Host[localhost:8080]
>       User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0)
> Gecko/20100101 Firefox/35.0]
>
> Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
>       Accept-Language[de,en-US;q=0.7,en;q=0.3]
>       Accept-Encoding[gzip, deflate]
>       Referer[http://localhost:8080/browse_folder.html?folderID=6]
>       Cookie[isenabledpasscode=false]
>       Connection[keep-alive]
>       Cache-Control[max-age=0]
>    Response Header:
>       Accept-Ranges[bytes]
>       Content-Length[9421]
>       Date[Do., 05 März 2015 20:34:46 GMT]
>
> Status: 200[OK]
> GET http://localhost:8080/javascript/linkus.js
> Load Flags[VALIDATE_ALWAYS ] Größe des Inhalts[397] Mime
> Type[application/x-unknown-content-type]
>    Request Header:
>       Host[localhost:8080]
>       User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0)
> Gecko/20100101 Firefox/35.0]
>       Accept[*/*]
>       Accept-Language[de,en-US;q=0.7,en;q=0.3]
>       Accept-Encoding[gzip, deflate]
>       Referer[http://localhost:8080/index.html]
>       Cookie[isenabledpasscode=false]
>       Connection[keep-alive]
>       Cache-Control[max-age=0]
>    Response Header:
>       Accept-Ranges[bytes]
>       Content-Length[397]
>       Date[Do., 05 März 2015 20:34:46 GMT]
>
>
>
> Reference(s):
> http://localhost:8080/index.html
> http://localhost:8080/newfolder.action
> http://localhost:8080/index.html#?w=300
> http://localhost:8080/browse_folder.html?folderID=5
>
>
> Solution - Fix & Patch:
> =======================
> The vulnerability can be patched by a secure parse and encode of the
> vulnerable folderName value. Restrict the input and filter the context by
> usage of a own exception to
> prevent the application-side code execution.
>
>
> Security Risk:
> ==============
> The security risk of the code execution vulnerability in the photo manager
> wifi service is estimated as high. (CVSS 8.6)
>
>
> Credits & Authors:
> ==================
> Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (
> bkm@...lution-sec.com) [www.vulnerability-lab.com]
>
>
> Disclaimer & Information:
> =========================
> The information provided in this advisory is provided as it is without any
> warranty. Vulnerability Lab disclaims all warranties, either expressed
> or implied, including the warranties of merchantability and capability for
> a particular purpose. Vulnerability-Lab or its suppliers are not liable
> in any case of damage, including direct, indirect, incidental,
> consequential loss of business profits or special damages, even if
> Vulnerability-Lab
> or its suppliers have been advised of the possibility of such damages.
> Some states do not allow the exclusion or limitation of liability for
> consequential or incidental damages so the foregoing limitation may not
> apply. We do not approve or encourage anybody to break any vendor licenses,
> policies, deface websites, hack into databases or trade with fraud/stolen
> material.
>
> Domains:    www.vulnerability-lab.com           - www.vuln-lab.com
>                               - www.evolution-sec.com
> Contact:    admin@...nerability-lab.com         -
> research@...nerability-lab.com                        -
> admin@...lution-sec.com
> Section:    magazine.vulnerability-db.com       -
> vulnerability-lab.com/contact.php                     -
> evolution-sec.com/contact
> Social:     twitter.com/#!/vuln_lab             -
> facebook.com/VulnerabilityLab                         -
> youtube.com/user/vulnerability0lab
> Feeds:      vulnerability-lab.com/rss/rss.php   -
> vulnerability-lab.com/rss/rss_upcoming.php            -
> vulnerability-lab.com/rss/rss_news.php
> Programs:   vulnerability-lab.com/submit.php    -
> vulnerability-lab.com/list-of-bug-bounty-programs.php -
> vulnerability-lab.com/register/
>
> Any modified copy or reproduction, including partially usages, of this
> file requires authorization from Vulnerability Laboratory. Permission to
> electronically redistribute this alert in its unmodified form is granted.
> All other rights, including the use of other media, are reserved by
> Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
> advisories, source code, videos and other information on this website
> is trademark of vulnerability-lab team & the specific authors or managers.
> To record, list (feed), modify, use or edit our material contact
> (admin@...nerability-lab.com or research@...nerability-lab.com) to get a
> permission.
>
>                                 Copyright © 2015 | Vulnerability
> Laboratory - [Evolution Security GmbH]™
>
>
>
> --
> VULNERABILITY LABORATORY - RESEARCH TEAM
> SERVICE: www.vulnerability-lab.com
> CONTACT: research@...nerability-lab.com
> PGP KEY:
> http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
>
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/




-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ