what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SeasonApps iTransfer 1.1 Script Insertion

SeasonApps iTransfer 1.1 Script Insertion
Posted Nov 7, 2014
Authored by Benjamin Kunz Mejri, Vulnerability Laboratory | Site vulnerability-lab.com

SeasonApps iTransfer version 1.1 suffers from a persistent script insertion vulnerability.

tags | exploit
SHA-256 | 6de3ff0e2130dc46614a1f6f6ef6b0c725033d8a51f2fcc96c206afc0f31338a

SeasonApps iTransfer 1.1 Script Insertion

Change Mirror Download
Document Title:
===============
SeasonApps iTransfer 1.1 - Persistent UI Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1347


Release Date:
=============
2014-10-27


Vulnerability Laboratory ID (VL-ID):
====================================
1347


Common Vulnerability Scoring System:
====================================
2.5


Product & Service Introduction:
===============================
Do you want to access your PhotoLibrary`s file on the website? Do you want to transfer files from PC to iDevice easily and
read or send them every where? So the iTransfer will give all these to you.

1. You can get all photos and videos in the Photo Library of your device.
2. Wifi Sharing! These make our life more easy, Isn`t it?
3.A file box for you that you can store and get files on the document dictionary of the App. also you can manage the files via Wifi Sharing !
4. Supper File Manager, you can open files with document format as pdf,doc,ppt,txt,rtf,png,jpg… and media format as mp3,mp4 and so on.
5.Zip and Unzip which will make you manage your local files early.
6.You can share the files to your friend with email.
7. You can access the files on this app via USB and iTunes.
8.Support for iOS7
9.Add upload feature to Library sharing, you can upload image to your photo library now.
10.Add file manage feature to the Local Sharing, just like create dictionary and delete files(dictionary)
11.Add Authentication feature to he sharing feature, you can safe browse your sharing right now!
12.Add feedback feature, please give us your advice or your bug to us. thanks!

(Copy of the Homepage: https://itunes.apple.com/us/app/itransferpro-transfer-photos/id777151284 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official iTransferPro v1.1 iOS mobile application.


Vulnerability Disclosure Timeline:
==================================
2014-10-27: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
SeasonApps iTransfer
Product: iTransfer - iOS Mobile Web Application (Wifi) 1.1


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official SeasonApps iTransferPro v1.1 iOS mobile application.
The vulnerability allows a local attacker to inject own script code as payload to the application-side of the vulnerable service function or module.

The vulnerability is located in the albumname value. Local attackers with low privileged device user accounts are able to manipulate the albumname
values by usage of the wifi sync function in the `Share Photo Library` module. The attack vector is persistent on the application-side and the request
method to inject is a app sync. The issue allows to stream persistent malicious script codes to the front site of the wifi photo library interface.

The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 2.5.
Exploitation of the application-side web vulnerability requires a low privileged web-application user account and low or medium user interaction.
Successful exploitation of the vulnerabilities result in persistent phishing mails, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module context.

Request Method(s):
[+] Sync

Vulnerable Module(s):
[+] Share Photo Library

Vulnerable Parameter(s):
[+] items - group (albumname)

Affected Module(s):
[+] Wifi Interface - Share Photo Library Index (https://localhost:8888/)


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by local attackers with low privileged device user account and low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: Wifi Interface - Share Photo Library Index (https://localhost:8888/)

<html><head><meta name="viewport" content="width=device-width, initial-scale=1.0" http-equiv="Content-Type"><title>iTransfer</title><style>html
{background-color:#eeeeee} body { background-color:#FFFFFF; font-family:Tahoma,Arial,Helvetica,sans-serif; font-size:18x; margin-left:5%;
margin-right:5%; border:3px groove #006600; padding:15px; } </style></head><body><h2>Enjoy iTransfer</h2>
<bq>You Can Access Files of your Photo Library Now :)</bq><script type="text/javascript" src="/jquery.js"></script>
<script type="text/javascript" src="/fileuploader.js"></script> <link href="fileuploader.css" rel="stylesheet"
type="text/css"><p></p><div id="file-uploader-div"><div class="qq-uploader"><div style="display: none;" class="qq-upload-drop-area">
<span>drop files here to upload</span></div><div style="position: relative; overflow: hidden; direction: ltr;" class="qq-upload-button">upload a file
<input style="position: absolute; right: 0px; top: 0px; font-family: Arial; font-size: 118px; margin: 0px; padding: 0px; cursor: pointer; opacity: 0;"
name="file" multiple="multiple" type="file"></div><ul class="qq-upload-list"></ul></div></div><p></p><script language="javascript">
$(function(){ var uploader = new qq.FileUploader({
element:document.getElementById("file-uploader-div"),
action: "/",
debug: false,
allowedExtensions: ["jpg","png","JPG","PNG","bmp","BMP"],
template: '<div class="qq-uploader">' +
'<div class="qq-upload-drop-area"><span>drop files here to upload</span></div>' +
'<div class="qq-upload-button">upload a file</div>' +
'<ul class="qq-upload-list"></ul>' + '</div>', }); });
</script><br><label color="red"><font size="2" color="red">(Notice: The pictures you upload will appear when you share the photo library next time)</font></label>
<br><link href="/bootstrap.css" rel="stylesheet"> <script src="/bootstrap.min.js"></script><h3>All Groups</h3><ul class="thumbnails"><li class="span2">
<div class="thumbnail" style="text-align: center;">
<a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
<img src="7BADE58E-C286-43D8-8CE2-4415C4DF35CA.png" height="150" width="150">
<span stype="white-space: nowrap;">>>"<[PERSISTENT INJECTED SCRIPT CODE EXECUTION!] 1items</span></a></div>
<a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
</a></li><li class="span2"><a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
</a><div class="thumbnail" style="text-align: center;"><a target="_blank" href="/group/7BADE58E-C286-43D8-8CE2-4415C4DF35CA">
</a><a target="_blank" href="/group/F8F7120B-9058-4B64-B6EF-59DB570F8872">
<img src="F8F7120B-9058-4B64-B6EF-59DB570F8872.png" height="150" width="150">
<span stype="white-space: nowrap;">Photos 3items</span>
</a></div><a target="_blank" href="/group/F8F7120B-9058-4B64-B6EF-59DB570F8872">
</a></li></ul></body></html>


Reference(s):
https://localhost:8888/
https://localhost:8888/group/


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction of the foldername/albumname input fields.
Encode the input and parse the output of the name values in the wifi interface to prevent persistent script code executions.


Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the wifi interface is estimated as medium(-). (CVSS 2.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™



--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com




Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close