iFileExplorer 6.51 File Inclusion

36   2019-08-05 08:08   nipc
漏洞信息
漏洞编号: 1284
CVE编号:
漏洞类型: -
漏洞来源: cxs
发布日期: 2014-10-28
CVSS
CVSS值: -
严重级别: 中危
利用范围: -
攻击复杂度: -
认证级别: -
漏洞描述

WLB-2014100165[***]http://cxsecurity.com/issue/WLB-2014100165[***]Bug: iFileExplorer 6.51 File Inclusion ( Ascii Version )[***]iFileExplorer 6.51 File Inclusion[***]2014.10.28[***]Vulnerability Laboratory[***]Medium[***]N/A [***]N/A ( Add )@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** </form>[***]No[***]Yes[***][***][***][***][***][***][***][***][***] Document Title:@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** ===============@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** iFileExplorer v6.51 iOS - File Include Web Vulnerability@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** References (Source):@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** ====================@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** http://www.vulnerability-lab.com/get_content.php?id=1345@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Release Date:@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** =============@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** 2014-10-22@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Vulnerability Laboratory ID (VL-ID):@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** ====================================@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** 1345@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Common Vulnerability Scoring System:@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** ====================================@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** 5.4@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Product &amp; Service Introduction:@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** ===============================@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Do you find it frustrating not being able to use your iPhone to freely transfer files? Would you like to be able to view@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** your @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** documents and pictures more easily? Are there some files youa€?d prefer to keep private? Do you want to upload videos or@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** music @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** to your iPhone via WIFI? iFileExplorer can help you solve these problems! It can transform your iPhone into a file@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** manager, @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** enabling you to view all your files on your iPhone!@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** (Copy of the Homepage: https://itunes.apple.com/us/app/ifileexplorer/id355253462 )@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Abstract Advisory Information:@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** ==============================@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** The Vulnerability Laboratory Research team discovered a local file include web vulnerability via sync in the official@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** iFileExplorer v6.51 iOS mobile application.@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Vulner

POC

Document Title: =============== iFileExplorer v6.51 iOS - File Include Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1345 Release Date: ============= 2014-10-22 Vulnerability Laboratory ID (VL-ID): ==================================== 1345 Common Vulnerability Scoring System: ==================================== 5.4 Product &amp; Service Introduction: =============================== Do you find it frustrating not being able to use your iPhone to freely transfer files? Would you like to be able to view your documents and pictures more easily? Are there some files youa€?d prefer to keep private? Do you want to upload videos or music to your iPhone via WIFI? iFileExplorer can help you solve these problems! It can transform your iPhone into a file manager, enabling you to view all your files on your iPhone! (Copy of the Homepage: https://itunes.apple.com/us/app/ifileexplorer/id355253462 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research team discovered a local file include web vulnerability via sync in the official iFileExplorer v6.51 iOS mobile application. Vulnerability Disclosure Timeline: ================================== 2014-10-20: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== ColorfulPhone Product: iFileExplorer - iOS Mobile Web Application 6.51 Exploitation Technique: ======================= Local Severity Level: =============== Medium Technical Details &amp; Description: ================================ A local file include web vulnerability has been discovered in the official iFileExplorer v6.51 iOS mobile web-application. The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands to compromise the mobile web-application. The vulnerability is located in the foldername and filename values if the wifi interface module. Local attackers are able to manipulate the wifi web interface by usage of the vulnerable sync function. The sync does not encode or parse the context on add of a folders or files. Local attacker are able to manipulate the input of the files and folder to exploit the issue by the sync method of the web-application. The execution of &amp;#195;&amp;#186;nauthorized local file or path request occurs in the index file dir listing module of the ifileexplorer application. The request method to inject is sync and the attack vector is located on the application-side of the affected service. The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1. Exploitation of the file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise. Vulnerable Method(s): [+] [Sync] Vulnerable Module(s): [+] Add Function &amp; Rename Vulnerable Parameter(s): [+] foldername [+] filename Affected Module(s): [+] iFileExplorer Wifi Interface - Path Dir Listing Proof of Concept (PoC): ======================= The local file include web vulnerability can be exploited by local attackers with low privileged application user account without user interaction by a sync. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. 1. Install the ios app and start the app after the install (https://itunes.apple.com/us/app/ifileexplorer/id355253462) 2. Open the wifi symbole in the first app sidebar category 3. Inject your own payload by usage of the `my files` section Note: Include as Filename or Foldername your own payload to unauhtorized request the local file or device path 4. Sync after the add and open the wifi web interface of the application 5. The local index of the interface requests the path listing unauthorized the file- and foldername 6. Successful reproduce of the local security vulnerability! P