exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Bashi 1.6 Script Insertion

Bashi 1.6 Script Insertion
Posted May 25, 2015
Authored by Benjamin Kunz Mejri, Vulnerability Laboratory | Site vulnerability-lab.com

Bashi version 1.6 suffers from a malicious script insertion vulnerability.

tags | exploit
SHA-256 | 712e2b7af451c8707b300f6092dfeea924aaf32185aec96947ad335dc5840e19

Bashi 1.6 Script Insertion

Change Mirror Download
Document Title:
===============
Bashi v1.6 iOS - Persistent Mail Encoding Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1852


Release Date:
=============
2016-05-25


Vulnerability Laboratory ID (VL-ID):
====================================
1852


Common Vulnerability Scoring System:
====================================
3.4


Product & Service Introduction:
===============================
This is an ios bash4.3 app,you can learn,run,share bash 4.3 script. Code templates,the contents of the new file is copy from
contents of the template file. In(the built-in browser or the txt editor),Select the text to run.


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an application-side mail encoding web vulnerability in the official Bashi v1.6 iOS mobile application.


Vulnerability Disclosure Timeline:
==================================
2016-05-25: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
XiaoWen Huang
Product: Bashi - iOS Mobile Application 1.6


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Bashi v1.6 iOS mobile application.
The security web vulnerability allows to inject malicious script codes on the application-side of the vulnerable iOS mobile app.

The vulnerability is located in the encode mechanism of the `code console` input field. Local attackers with restricted or local low
privileged application user accounts are able to inject own malicious script codes to the code console input. Thus code can be send by
the share function to the author or random emails. The execution of the malicious script code occurs in the mail body message context
on sharing by email. The injection point of the vulnerability is the code console compiler input field. The attack vector of the issue
is persistent on the application-side and the request method to inject is a basic device sync.

The security risk of the application-side vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the persistent web vulnerability requires a low privileged ios device account with restricted access and low user interaction.
Successful exploitation of the vulnerabilities results in persistent phishing mails, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module context.

Vulnerable Module(s)
[+] Code Console

Vulnerable Input(s):
[+] Code Template

Vulnerable Parameter(s)
[+] code

Affected Module(s)
[+] Mail Message Body (Share Function)


Proof of Concept (PoC):
=======================
The application-side validation web vulnerability can be exploited by remote attackers with low privileged iOS device user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the vulnerable iOS app to your apple device
2. Start the app
3. Click the code module to open the compiler
4. Inject a script code payload to the "$Person" variable in the code-line input field
5. Now, click above the share button and choose send by email
Note: The payload is getting saved to the mail body message context
6. The execution occurs directly in the mail body of the email context were the code becomes via echo visible
7. Successful reproduce of the vulnerability!


PoC: Code Template - Share
<p>#Note:The&nbsp;template&nbsp;file&nbsp;will&nbsp;be&nbsp;copied&nbsp;to&nbsp;a&nbsp;new&nbsp;file.&nbsp;When&nbsp;you&nbsp;
change&nbsp;the&nbsp;code&nbsp;of&nbsp;the&nbsp;template&nbsp;file&nbsp;you&nbsp;can&nbsp;create&nbsp;new&nbsp;file&nbsp;with&
nbsp;this&nbsp;base&nbsp;code.&nbsp;<br>echo&nbsp;<iframe>What&nbsp;is&nbsp;your&nbsp;name?';<br>read&
nbsp;PERSON&nbsp;<br>echo&nbsp;"Hello&nbsp;$PERSON";</p><br><br> *My favorite app:<
A target="_blank" href="<a href="https://itunes.apple.com/app/id936560010?mt=8">
https://itunes.apple.com/app/id936560010</a>">bashi</A></iframe></p>


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable `code compiler` input field.
Restrict the input field and disallow usage of special chars.
Encode the mail message body context that is getting transfered by the code module input to the email body context.


Security Risk:
==============
The security risk of the persistent mail encoding web vulnerability in the iOS app is estimated as medium. (CVSS 3.4)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™




--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close