Mobile Atlas Creator 1.9.12 - Persistent Command Injection
Vulnerability Laboratory ID (VL-ID):
Common Vulnerability Scoring System:
Product & Service Introduction:
Mobile Atlas Creator (formerly known as TrekBuddy Atlas Creator) is an open source (GPL) program which creates offline atlases
for GPS handhelds and cell phone applications like TrekBuddy, AndNav and other Android and WindowsCE based applications. For the
full list of supported applications please see the features section. Additionally individual maps can be exported as one large
PNG image with calibration MAP file for OziExplorer. As source for an offline atlas Mobile Atlas Creator can use a large number
of different online maps such as OpenStreetMap and other online map providers.
Abstract Advisory Information:
The Vulnerability Laboratory Security Team discovered a persistent vulnerability & local command path inject bug in the Mobile Atlas Creator 1.9.12 (2116) software.
Vulnerability Disclosure Timeline:
2013-05-02: Researcher Notification & Coordination (Ateeq Khan)
2013-05-03: Vendor Notification (MOB - Developer Team)
2013-05-03: Vendor Response/Feedback (MOB - Developer Team)
2013-05-29: Vendor Fix/Patch (MOB - Developer Team)
2013-06-11: Public Disclosure (Vulnerability Laboratory)
Product: Mobile Atlas Creator 1.9.12
Technical Details & Description:
Due to the fact that proper user input sanatization is not being performed, it is possible to inject user specified HTML code
within the Atlas Mobile Creator Application. Besides HTML Injection, Local Command Path Injecton is also Possible. Other
interesting behaviour includes that if you use you will get an exception error and application will
show you an error window. Upon further investigation, I was also able to load files from my local system where the
application is installed.
The bug exists in the Name FIeld while creating a New Atlas Map. A Malicious Attacker can save the script code as an Atlas Map
file and send it to unknown victims. This surely makes this bug very interesting. Please also note, I was able to cause multiple
types of exception errors while trying different payloads which means there is a possibility of multiple attack vectors through
the same vulnerable name field.
[+] Create New Map
Proof of Concept (PoC):
The vulnerability can be exploited by local attackers with low privilege system user account and low user interaction.
For demonstration or reproduce ...
Manually steps to reproduce ...
1) Install and open atlas software
2) In the menu, goto Atlas -> New Atlas
3) Use the following payload as the Atlas name >"