Open Source and information security mailing list archives
 
Date: Fri, 17 Jul 2015 13:35:46 -0300
From: Douglas Held <dougheld@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
	"bkm@...lution-sec.com" <bkm@...lution-sec.com>
Subject: [FD] UDID+ v2.5 iOS - Mail Command Inject Vulnerability

Benjamin,

What is an androidios device account? Is that a typo? And does the default "mobile/alpine" user account suffice?

It isn't clear to me whether the iOS device needs to be jailbroken for this exploit to work. The 

--
Douglas Held
doug@...glasheld.net via dougheld@...il.com
Note: Sent from a device that occasionally respells and replaces words

> On 17 Jul 2015, at 10:08, fulldisclosure-request@...lists.org wrote:
> 
> 
> Message: 8
> Date: Fri, 17 Jul 2015 15:04:22 +0200
> From: Vulnerability Lab <research@...nerability-lab.com>
> To: fulldisclosure@...lists.org
> Subject: [FD] UDID+ v2.5 iOS - Mail Command Inject Vulnerability
> Message-ID: <55A8FD56.1060202@...nerability-lab.com>
> Content-Type: text/plain; charset=utf-8
> 
> Document Title:
> ===============
> UDID+ v2.5 iOS - Mail Command Inject Vulnerability
> 
> 
> References (Source):
> ====================
> http://www.vulnerability-lab.com/get_content.php?id=1542
> 
> 
> Release Date:
> =============
> 2015-07-06
> 
> 
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1542
> 
> 
> Common Vulnerability Scoring System:
> ====================================
> 5.7
> 
> 
> Product & Service Introduction:
> ===============================
> UDID+ is a simple tool that displays the Unique Device Identifier (UDID) and other information of your iOS device. It works on iPod touches, 
> iPhones and iPads and allows you to either email the UDID to someone or copy it. The UDID is used by developers so they can add your device 
> to their Ad Hoc distribution profiles. This allows them to create a special version of their apps that can be run on your device outside of 
> the normal App Store distribution channels. Ad Hoc distribution is perfect for beta testing as well as for small in-house projects with a 
> limited distribution group of up to 100 devices.
> 
> (Copy of the Vendor Homepage: https://itunes.apple.com/us/app/udid+/id385936840 )
> 
> 
> Abstract Advisory Information:
> ==============================
> The Vulnerability Laboratory Core Research Team discovered an application-side command inject web vulnerability in the official UDID+ v2.5 iOS mobile web-application.
> 
> 
> Vulnerability Disclosure Timeline:
> ==================================
> 2015-07-06:    Public Disclosure (Vulnerability Laboratory)
> 
> 
> Discovery Status:
> =================
> Published
> 
> 
> Affected Product(s):
> ====================
> EMonster Inc.
> Product: UDID+ - iOS Mobile Web Application 2.5
> 
> 
> Exploitation Technique:
> =======================
> Local
> 
> 
> Severity Level:
> ===============
> Medium
> 
> 
> Technical Details & Description:
> ================================
> A local command inject web vulnerability has been discovered in the official UDID+ v2.5 iOS mobile web-application.
> The vulnerability allows injection of malicious script code into the application side of the vulnerable iOS mobile app.
> 
> The vulnerability is located in the device name value of the send-by-mail function. Local attackers are able to 
> manipulate the name value of the device to compromise the mail function of the UDID+ mobile app. The HTML encoding 
> is broken in the send-by-mail export function. Local attackers are able to manipulate the device name id to compromise 
> the application's internal validation via send by email. The attack vector of the vulnerability is server-side and the 
> injection point is the device name information settings.
> 
> The security risk of the local commandpath inject vulnerability is estimated as medium with a CVSS (Common Vulnerability 
> Scoring System) count of 5.7. Exploitation of the commandpath inject vulnerability requires a low privilege androidios 
> device account with restricted access and no user interaction. Successful exploitation of the vulnerability results in 
> unauthorized execution of system-specific commands and unauthorized path value requests to compromise the mobile iOS 
> application and connected device components.
> 
> Vulnerable Module(s)
>                [+] Device - Settings - Information
> 
> Vulnerable Parameter(s)
>                [+] device cell name (cid)
> 
> Affected Module(s)
>                [+] UDID+ - Mail
> 
> 
> Proof of Concept (PoC):
> =======================
> The application-side validation web vulnerability can be exploited by local attackers with a low-privilege or restricted device user account and without user interaction.
> For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
> 
> PoC: UDID+ Send Mail
> 
> <html><head><title>UDID+</title>
> <link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
> </head><body>
> <table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1">
> <tr><td><b>Subject: </b>UDID+</td></tr><tr><td><b>From: </b>Benjamin Mejri Kunz <vulnerabilitylab@...oud.com></td></tr>
> <tr><td><b>Date: </b>28.06.2015 20:49</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2">
> <tr><td><b>To: </b>aki <bkm@...lution-sec.com></td></tr></table><br>
> <html><head><meta http-equiv="content-type" content="text/html; "></head><body dir="auto"><div>Here is my device information.<br><br>
> <b>UDID:</b> FFFFFFFFC63FF684821B430C91F7F41D4D8A2F3A<br>
> <b>Device Name:</b> bkm337>" src="cid:">%20<./[LOCAL FILE INCLUDE VULNERABILITY VIA DEVICE CELL NAME VALUE!]
> <b>System Name:</b> iPhone OS<br />
> <b>System Version:</b> 8.3<br />
> <b>Platform:</b> iPad 3G WiFi<br />
> <b>Hardware Model:</b> P101AP<br />
> <b>Processors:</b> 2<br />
> <b>CPU Frequency:</b> 0 Hz<br />
> <b>Bus Frequency:</b> 0 Hz<br />
> <b>Physical Memory:</b> 1 GB<br />
> <b>Non-Kernel Memory:</b> 809,21 MB<br />
> <b>Model:</b> iPad<br />
> <b>Localized Model:</b> iPad<br />
> <b>Language:</b> de<br />
> <b>Locale:</b> de_DE<br />
> <b>Capacity:</b> 32 GB<br />
> <b>Formatted:</b> 27,19 GB<br />
> <b>Used:</b> 26,38 GB<br />
> <b>Free:</b> 825,48 MB<br />
> <b>Battery State:</b> Unplugged<br />
> <b>Battery Level:</b> 65 %<br />
> <b>Local IP:</b> 192.168.2.104<br />
> <b>MAC Address:</b> 02:00:00:00:00:00<br />
> <br />
> <a href="<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=385936840">http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=385936840</a>">Download</a> UDID+ for iPod touch, iPhone, iPad and iPad mini.<br />
> <br />
> This email was sent using UDID+ version 2.5 by emonster k.k.<br />
> For more information please visit our website <a href='<a href="http://www.emonster.com/'">http://www.emonster.com/'</a>>
> <a href="http://www.emonster.com">www.emonster.com</a></a><br /></iframe></div><div></div></body></html>
> </body>
> </html>
> 
> 
> Solution - Fix & Patch:
> =======================
> The vulnerability can be patched by securely parsing and encoding the vulnerable device cell name output value.
> Restrict the input and disallow the use of special characters, in addition to sending the data by mail to the user's own account.
> 
> 
> Security Risk:
> ==============
> The security risk of the local command inject web vulnerability in the UDID+ app is estimated as medium. (CVSS 5.7)
> 
> 
> Credits & Authors:
> ==================
> Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@...lution-sec.com) [www.vulnerability-lab.com]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
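The device-name injection the quoted advisory describes, shown as an added example that is not from the page, from UDID+ or from emonster: the mail body built with and without output encoding, then checked by parsing the result for elements the template itself never emits. The template, the helper names and the second device name are assumptions; the UDID and the first device name are copied from the PoC mail quoted above. With the advisory's own device name the HTML parser still sees only text, because `<` followed by `.` does not open a tag, so the constructed second name, which carries a complete element, is what makes the breakout visible.

```python
import html
from html.parser import HTMLParser

# UDID and device name copied from the PoC mail quoted in the advisory.
UDID = "FFFFFFFFC63FF684821B430C91F7F41D4D8A2F3A"
POC_DEVICE_NAME = 'bkm337>" src="cid:">%20<./'
# Constructed sample (not from the page): a device name carrying a complete element.
CONSTRUCTED_DEVICE_NAME = 'my iPad<img src="cid:part1">'

# Assumed shape of the app's mail template; the real template is not on the page.
TEMPLATE = (
    "<div>Here is my device information.<br><br>"
    "<b>UDID:</b> {udid}<br />"
    "<b>Device Name:</b> {name}<br />"
    "<b>System Name:</b> iPhone OS<br /></div>"
)
TEMPLATE_TAGS = {"div", "br", "b"}


def render_unsafe(udid, name):
    """Broken export as the advisory describes it: values dropped into the
    HTML body with no encoding, so markup characters in the name survive."""
    return TEMPLATE.format(udid=udid, name=name)


def render_safe(udid, name):
    """Output encoding, the fix the advisory asks for. quote=True also turns
    " and ' into entities, so the name cannot terminate an attribute either."""
    return TEMPLATE.format(
        udid=html.escape(udid, quote=True),
        name=html.escape(name, quote=True),
    )


class _TagCollector(HTMLParser):
    """Records every element the parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def foreign_tags(body):
    """Elements in the rendered body that the template never emits;
    a non-empty list means user-controlled data was parsed as markup."""
    parser = _TagCollector()
    parser.feed(body)
    parser.close()
    return [t for t in parser.tags if t not in TEMPLATE_TAGS]


def is_plain_device_name(name):
    """Input-side restriction (defence in depth only; encoding on output is
    the fix): reject the characters that open or close markup in an HTML body.
    Apostrophes stay allowed because names like "Ben's iPad" are common."""
    return not any(c in name for c in '<>"&')


if __name__ == "__main__":
    for label, name in (("PoC name", POC_DEVICE_NAME),
                        ("constructed", CONSTRUCTED_DEVICE_NAME)):
        print(label, "unsafe:", foreign_tags(render_unsafe(UDID, name)))
        print(label, "safe:  ", foreign_tags(render_safe(UDID, name)))
```

Standard library only; run it directly to see which rendering produces an element the template never had. The parser check is the same test a reviewer can apply to any HTML-generating export: feed the output to a real parser and compare the element list against what the template alone would produce.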
