Air Disk Wireless 1.9 iPad iPhone - Multiple Vulnerabilities
2013-02-11 13:05:57Title:
======
Air Disk Wireless 1.9 iPad iPhone - Multiple Vulnerabilities
Date:
=====
2013-02-08
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=850
VL-ID:
=====
850
Common Vulnerability Scoring System:
====================================
8.3
Introduction:
=============
HTTP File Sharing with web interface, USB Drive loader, File Upload & Download.
Support ALL Major File formats and Folder
HTTP Wireless File Sharing
Web Authentication
Wireless Sharing your Photos from system Photos Album
Wireless Sharing videos (Playing with URL files)
Web Upload & Download File Support
File Manager (Delete & View)
iTunes File Sync
App Lock Password
HTTP Sharing Password Access
Support All Office formats and others: .txt .pdf .html .mp3 .mov, ...
(Copy of the Homepage: https://itunes.apple.com/us/app/air-disk-free-wireless-http/id444063740 )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Air Disk Wireless HTTP File Sharing app for the apple ipad & iphone.
Report-Timeline:
================
2013-02-08: Public Disclosure
Status:
========
Published
Affected Products:
==================
Apple AppStore
Product: Air Disk Wireless HTTP File Sharing Application - (iPad & iPhone) 1.9
Exploitation-Technique:
=======================
Remote
Severity:
=========
Critical
Details:
========
1.1
A local file include web vulnerability via POST request method is detected in the Air Disk Wireless HTTP File Sharing app for the apple ipad & iphone.
The vulnerability allows remote attackers via POST method to inject local app webserver folders to request unauthorized local webserver files.
The vulnerbility is located in the upload file module of the webserver (http://192.168.0.10:8988/) when processing to load a manipulated
filename via POST. The execution of the injected path or file request will occur when the attacker is opening the main index file dir listing.
Exploitation of the web vulnerability does not require a privileged application user account (standard) or user interaction.
Successful exploitation of the vulnerability results in unauthorized path or file access via local file or path include attack.
Vulnerable Application(s):
[+] Air Disk v1.9 - ITunes or AppStore (Apple)
Vulnerable Module(s):
[+] File Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Air Disk Index - (Filename) Listing
1.2
A local command injection web vulnerability is detected in the Air Disk Wireless HTTP File Sharing app for the apple ipad & iphone.
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile application.
The vulnerbility is located in the index module when processing to load the ipad or iphone device name. Local attackers can change the
ipad or iphone device name to system specific commands and file requests to provoke the execution when processing to watch the index listing.
Exploitation of the web vulnerability does not require a privileged application user account (standard) or user interaction.
Successful exploitation of the vulnerability results unauthorized execution of system specific commands and path requests.
Vulnerable Application(s):
[+] Air Disk v1.9 - ITunes or AppStore (Apple)
Vulnerable Module(s):
[+] Index
Vulnerable Parameter(s):
[+] device name - iPad or iPone
Affected Module(s):
[+] Air Disk Index - (Device Name) Listing
Proof of Concept:
=================
1.1
The file include vulnerability can be exploited by remote attackers without required user interaction or privileged application user account.
For demonstration or reproduce ...
PoC:
http://192.168.0.10:8988/%20../var/../../../[File]
Review: Air Disk Index - (Filename) Listing
<table id="table1" border="0" cellpadding="1" cellspacing="2" width="741"><tbody><tr>
<td style="width:461px;background-color:#ebebeb;">
Fixes
No fixesPer poter inviare un fix è necessario essere utenti registrati.