Document Title: =============== AirDisk Pro v5.5.3 iOS - Multiple Persistent Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2203 Release Date: ============= 2020-04-15 Vulnerability Laboratory ID (VL-ID): ==================================== 2203 Common Vulnerability Scoring System: ==================================== 4.5 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 1.000€ - 2.000€ Product & Service Introduction: =============================== File sharing with other iOS devices via Bluetooth or Wi-Fi connection with automatic search of nearest devices. Users can perform file operations on the application like: Copy, Move, Zip, Unzip, Rename, Delete, Email, and more. Easy to create file like: Text File, New folder, Playlist, Take Photo/Video, Import From Library, and Voice Record. AirDisk Pro allows you to store, view and manage files on your iPhone, iPad or iPod touch. You can connect to AirDisk Pro from any Mac or PC over the Wi-Fi network and transfer files by drag & drop files straight from the Finder or Windows Explorer. AirDisk Pro features document viewer, PDF reader, music player, image viewer, voice recorder, text editor, file manager and support most of the file operations: like delete, move, copy, email, share, zip, unzip and more. (Copy of the Homepage: https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 ) (Copy of the Homepage: http://www.app2pro.com ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the AirDisk Pro v5.5.3 ios mobile application. Affected Product(s): ==================== Felix Yew Product: AirDisk Pro v5.5.3 (iOS) Vulnerability Disclosure Timeline: ================================== 2020-04-15: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== No authentication (guest) User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ Multiple persistent cross site scripting vulnerability has been discovered in the official SuperBackup v2.0.5 ios mobile application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise the mobile web-application from the application-side. The first vulnerability is located in the `createFolder` parameter of the `Create Folder` function. Attackers are able to name or rename paths via airdisk pro ui to malicious persistent script codes. Thus allows to execute the persistent injected script code on the front site of the path index listing in the content itself on each refresh. The request method to inject is POST and the attack vector is located on the application-side. Interaction to exploit is as well possible through the unauthenticated started ftp service on the local network. The second vulnerability is located in the `deleteFile` parameter of the `Delete` function. The output location with the popup that asks for permission to delete, allows to execute the script code. The injection point is the file parameter and the execution point occurs in the visible delete popup with the permission question. The request method to inject is POST and the attack vector is located on the application-side. The third web vulnerability is located in the `devicename` parameter that is displayed on the top next to the airdisk pro ui logo. Remote attackers are able to inject own malicious persistent script code by manipulation of the local apple devicename information. The injection point is the devicename information and the execution point occurs in the file sharing ui panel of the airdisk pro mobile web-application. Remote attackers are able to inject own script codes to the client-side requested vulnerable web-application parameters. The attack vector of the vulnerability is persistent and the request method to inject/execute is POST. The vulnerabilities are classic client-side cross site scripting vulnerabilities. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] AirDisk pro Wifi UI Vulnerable Parameter(s): [+] createFolder [+] deleteFile [+] devicename Proof of Concept (PoC): ======================= The persistent input validation web vulnerabilities can be exploited by remote attackers with wifi access with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. 1. Create Folder PoC: Vulnerable Source
test11 Apr 2020 at 12:35Folder   test>"