Document Title: =============== Air Disk Wireless 1.9 iPad iPhone - Multiple Vulnerabilities Date: ===== 2013-02-07 References: =========== http://www.vulnerability-lab.com/get_content.php?id=850 VL-ID: ===== 850 Common Vulnerability Scoring System: ==================================== 8.3 Introduction: ============= HTTP File Sharing with web interface, USB Drive loader, File Upload & Download. Support ALL Major File formats and Folder HTTP Wireless File Sharing Web Authentication Wireless Sharing your Photos from system Photos Album Wireless Sharing videos (Playing with URL files) Web Upload & Download File Support File Manager (Delete & View) iTunes File Sync App Lock Password HTTP Sharing Password Access Support All Office formats and others: .txt .pdf .html .mp3 .mov, ... (Copy of the Homepage: https://itunes.apple.com/us/app/air-disk-free-wireless-http/id444063740 ) Abstract: ========= The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Air Disk Wireless HTTP File Sharing app for the apple ipad & iphone. Report-Timeline: ================ 2013-02-08: Public Disclosure Status: ======== Published Affected Products: ================== Apple AppStore Product: Air Disk Wireless HTTP File Sharing Application - (iPad & iPhone) v1.9 Exploitation-Technique: ======================= Remote Severity: ========= Critical Details: ======== 1.1 A local file include web vulnerability via POST request method is detected in the Air Disk Wireless HTTP File Sharing app for the apple ipad & iphone. The vulnerability allows remote attackers via POST method to inject local app webserver folders to request unauthorized local webserver files. The vulnerbility is located in the upload file module of the webserver (http://192.168.0.10:8988/) when processing to load a manipulated filename via POST. The execution of the injected path or file request will occur when the attacker is opening the main index file dir listing. Exploitation of the web vulnerability does not require a privileged application user account (standard) or user interaction. Successful exploitation of the vulnerability results in unauthorized path or file access via local file or path include attack. Vulnerable Application(s): [+] Air Disk v1.9 - ITunes or AppStore (Apple) Vulnerable Module(s): [+] File Upload Vulnerable Parameter(s): [+] filename Affected Module(s): [+] Air Disk Index - (Filename) Listing 1.2 A local command injection web vulnerability is detected in the Air Disk Wireless HTTP File Sharing app for the apple ipad & iphone. The vulnerability allows to inject local commands via vulnerable system values to compromise the apple mobile application. The vulnerbility is located in the index module when processing to load the ipad or iphone device name. Local attackers can change the ipad or iphone device name to system specific commands and file requests to provoke the execution when processing to watch the index listing. Exploitation of the web vulnerability does not require a privileged application user account (standard) or user interaction. Successful exploitation of the vulnerability results unauthorized execution of system specific commands and path requests. Vulnerable Application(s): [+] Air Disk v1.9 - ITunes or AppStore (Apple) Vulnerable Module(s): [+] Index Vulnerable Parameter(s): [+] device name - iPad or iPone Affected Module(s): [+] Air Disk Index - (Device Name) Listing Proof of Concept: ================= 1.1 The file include vulnerability can be exploited by remote attackers without required user interaction or privileged application user account. For demonstration or reproduce ... PoC: http://192.168.0.10:8988/%20../var/../../../[File] Review: Air Disk Index - (Filename) Listing
Storage Usage: 20439 MB Available. 8200 MB Used. Total: 27 GB.