Thursday, May 7, 2015

[FD] Album Streamer v2.0 iOS - Directory Traversal Vulnerability

Document Title: =============== Album Streamer v2.0 iOS - Directory Traversal Vulnerability References (Source): ==================== http://ift.tt/1KNZj2Q Release Date: ============= 2015-05-07 Vulnerability Laboratory ID (VL-ID): ==================================== 1481 Common Vulnerability Scoring System: ==================================== 6.6 Product & Service Introduction: =============================== 1 Tap - Quick, Album Streamer, best Photo/Video Transfer app ever! Quick way to share your Album Photos and Videos to your computer. It takes only single tap to stream and download all/selected photos or videos. You can even view or play slide show of all your photos directly on the computer without downloading. (Copy of the Homepage: http://ift.tt/1IRJpp8 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a directory traversal web vulnerability in the official Album Streamer v2.0 iOS mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-05-07: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Spider Talk Product: Album Streamer - iOS Mobile Web Application (Wifi) 2.0 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A Path Traveral web vulnerability has been discovered in the official Album Streamer v2.0 iOS mobile web-application. The security vulnerability allows a remote attacker to unauthorized request system path variables to compromise the mobile application or apple iOS device. The vulnerability is located in the `id` request to the `path` value of the photoDownload module. The vulnerability can be exploited by local or remote attackers without user interaction. The attacker needs to replace the picture assets id path request of the photoDownload module with a malicious payload like ./etc/passwd ./etc/hosts. The attack vector is located on the application-side of the service and the request method to execute is GET (client-side). The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6. Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction. Successful exploitation of the vulnerability results in mobile application compromise Request Method(s): [+] GET Vulnerable Module(s): [+] photoDownload Vulnerable Parameter(s): [+] id Affected Module(s): [+] photoDownload Item Index Proof of Concept (PoC): ======================= The vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: http://localhost/photoDownload?id=[DIRECTORY TRAVERSAL]../../../../../../../etc Vulnerable Source(s): localhost/photoDownload