Document Title: =============== OYO File Manager 1.1 iOS&Android - Multiple Vulnerabilities References (Source): ==================== http://ift.tt/1H2PZEu Release Date: ============= 2015-05-18 Vulnerability Laboratory ID (VL-ID): ==================================== 1493 Common Vulnerability Scoring System: ==================================== 6.9 Product & Service Introduction: =============================== OYO File Manager, helps you to manage files in your mobile from your computer over wifi, without USB cable. Also, view your photo albums, play songs and videos. Store files in drive page and do all the file operations, such as Create, Move, Delete, Edit, Copy, Rename, Zip, unzip, and get information about file. (Copy of the Vendor Homepage: http://ift.tt/1Hc2z4r & http://ift.tt/1AfrU0f ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research team discovered multiple Vulnerabilities in the official OYO File Manager v1.1 iOS & Android mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-05-18: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Balaji Rajan Product: OYO File Manager - iOS & Android 1.1 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ 1.1 Local File Include Vulnerability A local file include web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application. The file include vulnerability allows remote attackers to unauthorized include local file/path requests to compromise the mobile web-application. The web vulnerability is located in the `filename` value of the `upload(GCDWebUploader)` module. Attackers are able to inject own files with malicious `filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in the index file dir listing and sub folders of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface` in connection with the vulnerable file upload POST method request. Injects are also possible via local file sync function. Local attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious attack requests. The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5. Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise. Request Method(s): [+] [POST] Vulnerable Module(s): [+] upload (GCDWebUploader) Vulnerable Parameter(s): [+] filename Affected Module(s): [+] Index File Dir Listing (http://localhost:8080/) 1.2 Local Command Injection Vulnerability A local command inject web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application. The issue allows remote attackers to inject own commands by usage of stable device values to compromise the ios or android mobile web-application. The command inject vulnerability is located in the vulnerable `devicename` value of the `index` module. Local attackers are able to inject own own malicious system specific commands to requests the vulnerable `devicename` value. The devicename value is displayed in the header location of the file dir index module. The execution point is in the main index context and the injection point is the local device to app sync. The attack vector is located on the application-side and the injection requires physical device access or a local low privileged device user account. Local attackers are also able to exploit the devicename validation issue in combination with persistent injected script codes. The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.6. Exploitation of the command/path inject vulnerability requires a low privileged ios/android device account with restricted access and no user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific commands to compromise the mobile Android/iOS application or the connected device components. Request Method(s): [+] [SYNC] Vulnerable Module(s): [+] Path Listing Vulnerable Parameter(s): [+] devicename 1.3 Remote Path Traversal Vulnerability A Path Traveral web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application. The security vulnerability allows remote attackers to unauthorized request system path variables to compromise the mobile application or device. The vulnerability is located in the `path` value of the `open and list` interface module. Remote attackers are able to change the path variable to unauthorized request device files or directories. The vulnerability can be exploited by local or remote attackers without user interaction. The attack vector is located on the application-side of the service and the request method to execute is GET (client-side). The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction. Successful exploitation of the vulnerability results in mobile application compromise. Request Method(s): [+] GET Vulnerable Module(s): [+] open [+] list Vulnerable Parameter(s): [+] path Affected Module(s): [+] Index File Dir Listing (http://localhost:8080/) Proof of Concept (PoC): ======================= 1.1 The file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the interface 2. Start a session tamper 3. Upload a reandom file 4. Change in the upload POST method request the vulnerable filename to a local file variable Note: The website reloads 5. The execution occurs in the main file dir index were the upload has been replaced 6. Successful reproduce of the mobile web vulnerability!
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment