Document Title: =============== iPassword Manager v2.6 iOS - Persistent Vulnerabilities References (Source): ==================== Release Date: ============= 2015-04-21 Vulnerability Laboratory ID (VL-ID): ==================================== 1455 Common Vulnerability Scoring System: ==================================== 3.7 Product & Service Introduction: =============================== iPassword can securely store your important information and can automatically log you into websites with a single tap. There`s no need to remember the usernames, passwords, or even the website addresses. Join to iPassword today. Your digital life will be in comfort and safe with it. (Copy of the Vendor Homepage: ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered multiple persistent input validation vulnerabilities in the official iPassword Free Manager v2.6 iOS web-application. Vulnerability Disclosure Timeline: ================================== 2015-04-21: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Free Secure App Manager Product: iPassword Free Manager - iOS Mobile Web Application 2.6 Exploitation Technique: ======================= Remote Severity Level: =============== Low Technical Details & Description: ================================ Multiple application-side input validation web vulnerabilities has been discovered in the official iPassword v2.6 iOS web-application. The vulnerability allows local and remote attackers to inject own script code on the application-side of the affected mobile web-application. The security vulnerability is located in the `password` and `name` values of the send by email function. The service does not encode the input of the password or the stored entries. Users are able to send the stored data by mail. The encoding of the send by mail function is broken and allows execution of malicious script codes. The attackers saved a database entry with malicious code or exchanges an entry by mail. In the moment he converts the stored string of the input, the filter mechanism encodes wring and executes the code. In the second instance the code executes on arrival of the send app mail. The issue is located in the send password by email function and in the main send by mail function. The attack vector is located on the application-side and the request method to inject is db sharing (send email) or by local interaction. The security risk of the application-side web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 3.7. Exploitation of the persistent web vulnerability requires a privileged ipassword application user account and low user interaction. Successful exploitation of the persistent web vulnerability results in mobile application compromise or connected device component compromise. Request Method(s): [+] [Sync] Vulnerable Module(s): [+] iPassword - Password Input [+] Wallet Entries Input (Name) Vulnerable Parameter(s): [+] password [+] name Affected Module(s): [+] Local Mail Service App [+] Remote Mail (Outgoing) Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by local and remote attackers with low or medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the iPassword Manager app ( 2. Start the software Note: Now the software asks a first time for a password 3. Inject your payload twice to the password input and press ok Note: Now the software asks to send your password by mail 4. Click ok to send the data by mail 5. Now the first script code execution occurs in the mail body context 6. We continue and surf back in the app to add a new contact 7. Include to the contact name own script code and save the input 8. Click the send by mail button. 9. Review the arrived mail in the inbox 10. The script code execution occurs in the main body context of the mail 11. Successful reproduce of both vulnerabilities! PoC: Contact > Send Mail Send by Mail Function
Betreff: Data41
Von: VLab
Datum: 21.04.2015 12:49