Title:
======
Wifi Photo Transfer 2.1 & 1.1 PRO - Multiple Vulnerabilities


Date:
=====
2013-04-21


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=932


VL-ID:
=====
932


Common Vulnerability Scoring System:
====================================
6.1


Introduction:
=============
Easily access your photo libraries via wifi from any computer with a web browser! Just start the app and enter the 
displayed address into the address bar of your browser. Works with any computer that has a modern browser (like desktop 
or portable computers, iPads, or even an other iPhone) and is on the same wifi network as your phone, iPod or iPad.

- You can select and transfer multiple photos at once
- EXIF metadata is retained in mass-download mode (not in one-by-one mode)
- Optional password protection for the web interface
- Can also be used to download videos
- Transfer in full resolution or scaled down
- No extra software required

(Copy of the Homepage: #1  https://itunes.apple.com/de/app/wifi-photo-transfer-pro/id587468262)
(Copy of the Homepage: #2  https://itunes.apple.com/de/app/wifi-photo-transfer/id380326191)



Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.


Report-Timeline:
================
2013-04-22:	Public Disclosure


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: Wifi Photo Transfer 2.1 & 1.1 Pro


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
1.1
A local command injection web vulnerability is detected in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone. 
The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile iOS application.

The vulnerbility is located in the index module when processing to load the ipad or iphone device album names. Local attackers can 
change the ipad or iphone device photo album names to system specific commands and file requests to provoke the execution when 
processing to watch the main index listing. The execution of the script code occurs in the album name web context.

Exploitation of the web vulnerability does not require an application user account (standard) or user interaction.
Successful exploitation of the vulnerability results unauthorized execution of system specific commands and path requests.


Vulnerable Application(s):
				[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes or AppStore (Apple)

Vulnerable Module(s):
				[+] Index

Vulnerable Parameter(s):
				[+] album name - iPad or iPone

Affected Module(s):
				[+] Index Listing - Album



1.2
A local file include and arbitrary file upload vulnerability is detected in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone. 
The vulnerability allows remote attackers via POST method to include unauthorized remote files on the affected webserver file system.

Remote attackers can also unauthorized implement mobile webshells by using multiple file extensions (pentest.php.js.gif) when processing to 
upload via POST request method. The attacker uploads a file with a double extension or multiple extensions and access the file in the 
secound step by usage of the directory webserver dir listing to compromise the apple iphone or ipad.

Exploitation of the local file include web vulnerability does not require user interaction and also no application user account. 
Successful exploitation of the web vulnerabilities results in app/service manipulation and ipad or iphone compromise via file 
include or unauthorized web-server file (webshell) upload attacks.


Vulnerable Application(s):
				[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes or AppStore (Apple)

Vulnerable Module(s):
				[+] Compressing archiv to zip

Vulnerable Parameter(s):
				[+] lib  (cat)
				[+] sel  (selection)

Affected Module(s):
				[+] File Dir Album Index - Listing




1.3
An information disclosure and information leak misconfiguration is detected in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.
The reported vulnerability allows remote attackers to access unauthorized web-server photos or web-server files by exploitation of a misconfiguration.

The secound vulnerability is located in the upload file script of the webserver (http://localhost:2323/) when processing to download with 
a manipulated POST method request all available path files. The attacker can manipulate the lib and sel values in the POST request to download 
unauthorized not accessable photo files. After the iphone or ipad user allowed one time to access the iOS photo service anybody can also 
access not implemented files from the same service folder.

Exploitation of the information disclosure web vulnerability does not require user interaction or an application user account. 
Successful exploitation of the information disclosure app vulnerability results in unauthorized photo and webserver file access.


Vulnerable Application(s):
				[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes or AppStore (Apple)

Vulnerable Module(s):
				[+] compressprogress

Vulnerable Parameter(s):
				[+] filename

Affected Module(s):
				[+] zipdownload




1.4
A client side cross site scripting web vulnerability is detected in the mobile Wifi Photo Transfer 2.1 & 1.1 Pro app for the apple ipad & iphone.
The vulnerability allows remote attackers to form manipulated urls to inject script code on client side application requests.

The client side cross site scripting web vulnerability is located in the path section when processing to request the images via GET with a 
manipulated filename (value) parameter. The vulnerability occurs when a remote attacker is changing the requested file to own script code. 
The request will be executed on client side of the victims browser. The app displays any non existing path with a file request without secure 
encoding which results in the execution of the script code out of the exception error message.

Exploitation of the vulnerability does not require an application user account but low or medium user interaction.
Successful exploitation results in client side cross site requests, unauthorized external redirects, client side phishing, 
client side session hijacking and client side module context manipulation.

Vulnerable Application(s):
				[+] Wifi Photo Transfer 2.1 & 1.1 Pro - ITunes or AppStore (Apple)

Vulnerable Module(s):
				[+] Path Folder

Vulnerable Parameter(s):
				[+] filename (*.html)



Proof of Concept:
=================
1.1
The local command injection web vulnerability can be exploited by remote attackers without an application user account 
and without user interaction. For demonstration or reproduce ...

Manually steps to reproduce ... Command Inject via Foldername

1. Install the application from itunes or directly from the appstore
2. Open the service and make the webserver available via http
3. Now open for example your iphone or ipad device to sync
4. Open on your device the standard albums in photos
5. Change the name of one of your standard album to a path command inject string
6. Open another device and access the index listing of the application after the album sync
7. The code will be executed out of the main album name listing
8. Successful reproduced ...!


PoC: List of image libraries.htm
     
<div class="span5" style="position:absolute;top:50%;margin-top:-10px;">
<div style="margin-left:30px;"><a href="http://192.168.2.104:2323/1/" 
style="font-size:18px;font-weight:bold;">>%20>"<[<COMMAND/PATH INJECTION>]"List%20of%20image%20libraries_files/x.htm">
<><>>%20>"<[<COMMAND/PATH INJECTION>]></a></div>
</div>
<div class="span3" style="text-align:center;">                      
<img class="thumbnail" src="/1/tn_0.jpg" 
alt="" style="max-width:150px;max-height:150px;"/>



1.2
The local file web vulnerability can be exploited by remote attackers without an application user account 
and also without user interaction. For demonstration or reproduce ...

Manually steps to reproduce ... File Include Vulnerability

1.  Start your session tamper tool or wireshark on your computer
2.  Install the application on the ipad or iphone device
3.  Start to tamper the http session or filter the http pakets via wireshark
4.  Start the application on your ipad or iphone
5.  Open with a external device (computer > browser) the application
6.  Now process to upload via form a image and hold a request via tamper or record the paket for a secound request
7.  Include atfer choosing a random image a webshell and include (upload) it with a double or tripple (*.php.jpg.gif or *.html.gif) extension
8.  After the upload you only need to refresh the album index and try to request via selection and lib parameter the file
9.  The webshell got unauthorized uploaded and is accessable to compromise the device or app
10. Successful reproduced!

--- POST REQUEST METHOD ---
lib[2]
       >  sel[0,1,2,3,4,5,6,7,8,9]   > (Selection Page)



1.3
The information disclosure misconfiguration bug can be exploited by remote attackers without an  application user account 
and without user interaction. For demonstration or reproduce ...

Manually steps to reproduce ... Information Disclosure Misconfiguration

1.  Start your session tamper tool or wireshark on your computer
2.  Install the application on the ipad or iphone device
3.  Start to tamper the http session or filter the http pakets via wireshark
4.  Start the application on your ipad or iphone
5.  Open with a external device (computer > browser) the application
6.  Press Download zip compressed (http://localhost:2323/startcompressing)
7.  Hold the secound request after the lib and sel POST values has been requested
8.  Watch the content of the request and exchange the images the service requested with the images you want to request (example DIM2736.jpg)
9.  The images you included will be loaded in the zip compressed folder even if the selection was another one
10. Successful reproduced ... the attacker can now access the images by using the vulnerable iOS app

Compressing archive to zip (http://localhost:2323/startcompressing)


Reference(s):
http://localhost:2323/compressprogress5343040?KXVLHQUDKOURRJHC
http://localhost:2323/zipdownload/KXVLHQUDKOURRJHC/images.zip



1.4
The client side cross site scripting web vulnerability can be exploited by remote attackers without an application user account 
and with medium or high required user interaction. For demonstration or reproduce ...

PoC:
http://localhost:2323/1/tester23/vulnerabilitylab.html%3E%22%3Ciframe%20src=a%3E#7062267329013816800


Risk:
=====
1.1
The security risk of the local command injection web vulnerability is estimated as high(-).

1.2
The security risk of the file include / arbitrary file upload vulnerability is estimated as high(+).

1.3
The security risk of the information disclosure misconfiguration bug is estimated as medium.

1.4
The security risk of the client side cross site scripting web vulnerability is estimated as low(+).


Credits:
========
Vulnerability Laboratory [Research Team]  -    Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2013 | Vulnerability Laboratory

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com