Advisory #: 89
Title: Unauthenticated Remote File Upload via HTTP for perl-Programming language 1.6 on iOS
Author: Larry W. Cashdollar, @_larry0
Date: 2013-08-01
Download Site:
Vendor: XiaoWen Huang
Vendor Notified: 2013-08-01
Vendor Contact:
Description: This is an iOS Perl app; you can learn, run, and share Perl scripts. Features: Autocomplete. Auto indent. Code color. In the built-in browser or the txt editor, select the text to run. Horizontal screen development. Code templates: the contents of the new file are copied from the contents of the template file. You can enter Perl code by keyboard or two-dimensional code, and then you can execute the Perl code; the gets function is supported. You can adjust the code color and font size, and move the cursor left, right, up and down, so code is easy to read and write. You can upload learning materials to the device from a computer via wifi; HTTP and FTP uploads are both supported. The file system supports txt, pdf, chm, mp3, m4v, zip, gif, png, html, rb, doc ... You can find learning materials with the built-in browser. You can save Perl code and learning materials, and modify or delete the saved files. You can control the background image and color, the execution voice, background animation, text color and shadow, interface-switch animation, and the number and order of the tabs in the main interface's tab bar to create your own learning software. You can learn Perl; the system provides some basic learning materials. You can use Perl code or learning materials to generate a two-dimensional code for easy sharing. You can share code by Email, Weibo, Twitter, Facebook. You can use the counter and light in the Setting tab.
'iOSftp' & HTTP unauthenticated file uploads. The application is sandboxed, but any remote user can read/write to the device's storage. The uploaded content is served out of the HTTP server's directory. While the HTTP server doesn't process server-side scripts, it is possible to upload and serve malicious/illegal content. I would think it's also possible to fill up the device's storage as well but did not test it.

  larry$ ftp 10000
  Connected to
  220 iosFtp server ready.
  Name ( anyone
  331 Password required for anyone
  Password:
  230 User anyone logged in.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> pwd
  Remote directory: /private/var/mobile/Applications/311BCF0D-B9D8-4DC0-BE4C-2EC0887EE2CE/Documents/ftp *
  ftp> cd ../../../../
  250 CWD command successful.
  ftp> pwd
  Remote directory: /private/var/mobile
  ftp> cd /
  250 CWD command successful.
  ftp> pwd
  Remote directory: /
  ftp>

* You also get path disclosure.

HTTP server listening on port 8080 allows arbitrary file writes to storage. You can create directories outside the upload path through the file upload web interface and the .. bug. Because the application is sandboxed, I was unable to overwrite application executables and components, so the impact is limited. As stated above, you can serve malicious content (javascript/html) via HTTP.
Exploit Code:
Screen Shots: [webint.gif]
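
Mitigation sketch for the FTP CWD escape and the upload ".." bug described above. This is an added example, not code from the app or from the advisory's author. The function names are hypothetical and naive_resolve is an assumed model of the observed behaviour, not the app's actual implementation.

```python
import os
import posixpath

class PathEscape(ValueError):
    """Client-supplied path resolves outside the served root."""

def naive_resolve(real_cwd, client_path):
    # Assumed model of the behaviour in the session above: the client path is
    # joined to the real directory, so ".." and "/" walk out of the root.
    return posixpath.normpath(posixpath.join(real_cwd, client_path))

def jailed_resolve(root, cwd, client_path):
    """Map an FTP CWD argument or HTTP upload filename to (virtual, real).

    `cwd` is the client's virtual directory, where "/" means `root`.
    Raises PathEscape if the result would leave `root`."""
    if "\x00" in client_path or "\\" in client_path:
        raise PathEscape("illegal character in path")
    # 1. Resolve in a virtual namespace rooted at "/". normpath clamps
    #    leading ".." at the root, so "cd ../../../../" stays inside.
    joined = posixpath.normpath(posixpath.join("/", cwd, client_path))
    virtual = "/" + joined.lstrip("/")
    # 2. Map onto the real filesystem and resolve symlinks.
    real_root = os.path.realpath(root)
    real = os.path.realpath(os.path.join(real_root, virtual.lstrip("/")))
    # 3. Containment check on the resolved path; this catches symlinks
    #    pointing outside the root, which step 1 cannot see.
    if os.path.commonpath([real_root, real]) != real_root:
        raise PathEscape(f"{client_path!r} escapes the served root")
    # Report only `virtual` to the client (PWD reply, upload URL) so the
    # real sandbox path is never disclosed.
    return virtual, real

if __name__ == "__main__":
    import tempfile
    # Directory taken from the PWD reply in the advisory.
    page_dir = ("/private/var/mobile/Applications/"
                "311BCF0D-B9D8-4DC0-BE4C-2EC0887EE2CE/Documents/ftp")
    print(naive_resolve(page_dir, "../../../../"))   # leaves the app directory
    with tempfile.TemporaryDirectory() as root:      # constructed stand-in root
        print(jailed_resolve(root, "/", "../../../../")[0])
        print(jailed_resolve(root, "/", "../up/evil.html")[0])
```

Path containment addresses the traversal and path disclosure only; the unauthenticated access and unbounded upload size noted in the advisory need separate controls.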