vuln.sg Vulnerability Research Advisory

PDF Reader - iPad Edition HTTP Directory Traversal Vulnerability

by Tan Chew Keong
Release Date: 2013-07-01


Summary

A vulnerability has been found within the Wi-Fi File Transfer functionality of PDF Reader - iPad Edition. When exploited, this vulnerability allows an attacker to download private files that the user does not intend to share, for example files within the Private folder of PDF Reader - iPad Edition.


Tested Versions

Other versions may also be affected.


Details

This advisory discloses a vulnerability within the Wi-Fi File Transfer functionality of PDF Reader - iPad Edition. When exploited, this vulnerability allows an attacker to download private files that the user does not intend to share, for example files within the Private folder of PDF Reader - iPad Edition. Note that an attacker can also exploit this vulnerability to upload and/or overwrite files in the user's Private folder without the user's knowledge.

The Wi-Fi File Transfer functionality does not properly sanitise HTTP requests containing directory traversal sequences (../) received from a browser. This allows an attacker to access arbitrary directories on the user's iPad device with the permissions of the application.

Additionally, the Wi-Fi File Transfer functionality does not properly sanitise HTML special characters when displaying the directory listing back to the user's web browser. This XSS vulnerability allows an attacker who can upload files to PDF Reader - iPad Edition to execute arbitrary JavaScript code in the user's browser context when the user views the directory listing of the directory that contains the uploaded file.
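As an added example (not the app's code; the document root is a constructed placeholder), here are the two server-side checks whose absence the paragraphs above describe: anchoring and normalising the requested path before serving it, and HTML-escaping filenames when rendering the directory listing.

```python
import html
import posixpath
from urllib.parse import quote, unquote

# Constructed document root for this example; the app's real serving
# directory is not given in the advisory.
DOC_ROOT = "/var/mobile/Applications/APP-ID/Documents"


def resolve_request_path(root, request_path):
    """Map an HTTP request path onto a file under root, or return None.

    The path is percent-decoded once, anchored at root, and normalised with
    posixpath so that '..' segments are collapsed *before* the containment
    check. A request like /../../../../../../../etc/hosts therefore resolves
    to /etc/hosts and is rejected, as is /../Library. On a real filesystem
    the candidate should additionally go through os.path.realpath so that
    symlinks cannot escape root.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None  # NUL bytes truncate paths in C-based file APIs
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def render_listing(dir_url, names):
    """Return an HTML directory listing with every filename escaped.

    html.escape(..., quote=True) neutralises < > & " and ' in the visible
    text, and the link target is percent-encoded, so an uploaded file named
    <img src='sss' onerror=javascript:alert('XSS')> is shown literally
    instead of being parsed as markup.
    """
    rows = []
    for name in sorted(names):
        href = html.escape(dir_url + quote(name), quote=True)
        rows.append(f'<li><a href="{href}">{html.escape(name, quote=True)}</a></li>')
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


if __name__ == "__main__":
    for req in ("/My%20Secret.pdf", "/../Library", "/../../../../../../../etc/hosts"):
        print(req, "->", resolve_request_path(DOC_ROOT, req))
    print(render_listing("/", ["<img src='sss' onerror=javascript:alert('XSS')>", "My Secret.pdf"]))
```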


POC / Test Code

The instructions below illustrate how this vulnerability can be reproduced using PDF Reader - iPad Edition.

  1. Copy a file into PDF Reader - iPad Edition's Private folder. In this example, the file My Secret.pdf is stored in the Private folder.
  2. Activate Wi-Fi File Transfer and access the URL with a browser. Notice that the Private folder is not normally accessible via the browser.
  3. Using the Repeater tool of the free version of Burp Suite, send the following HTTP request to the Wi-Fi File Transfer service to confirm that the directory listing of /etc/ is returned via directory traversal.

     GET /../../../../../../../etc/hosts HTTP/1.1
     Host: localhost<enter once here>
     <enter once here>

  4. An attacker can send the following HTTP request to the Wi-Fi File Transfer service to obtain the directory listing of PDF Reader - iPad Edition's Library directory. From the directory listing, the attacker can find out the directory name of the Private folder, as highlighted in the screenshot below.

     GET /../Library HTTP/1.1
     Host: localhost<enter once here>
     <enter once here>

  5. The attacker can then perform further directory traversal attacks to list and download files from the user's Private folder in PDF Reader - iPad Edition, as shown in the screenshot below.
  6. The attacker can also exploit the directory traversal vulnerability to upload and overwrite files in the user's Private folder using specially crafted HTTP file POST requests like the following.

     Note that in the POST request, the name of the upload file has been changed to /../Library/Private-6A5A826C-DA1B-4523-86F4-8E400310DBEF/hacked.txt
  7. The attacker can upload files with JavaScript in their filenames to cause JavaScript to be executed within the user's browser context when the directory listing is viewed. For example, the HTTP POST request below can be used to upload a file with JavaScript in its filename.

     POST / HTTP/1.1
     Host: localhost
     Content-Type: multipart/form-data; boundary=---------------------------58193171731140
     Content-Length: 338
     
     -----------------------------58193171731140
     Content-Disposition: form-data; name="<img src='sss' onerror=javascript:alert('XSS')>"
     Content-Type: text/plain
     
     HACKED
     -----------------------------58193171731140
     Content-Disposition: form-data; name="button"
     
     Submit
     -----------------------------58193171731140--

     The uploaded file with JavaScript in its filename is shown below.

     When the directory listing containing the file is viewed in the browser by the user, the JavaScript executes.


Patch / Workaround

Update to the following versions, which fix the directory traversal download vulnerability:

  • PDF Reader - iPad Edition Version 2.2.1
  • PDF Reader - iPhone Edition Version 2.0.3

To mitigate the two remaining vulnerabilities:

  • Do not allow untrusted persons to access your Wi-Fi File Transfer.
  • Enable Wi-Fi File Transfer only when connected to trusted Wi-Fi networks.
  • Enable strong password protection for Wi-Fi File Transfer.

Disclosure Timeline

2013-06-01 - Vulnerability Discovered.
2013-06-01 - Initial Vendor Notification.
2013-06-04 - Vulnerability Details Sent to Vendor.
2013-06-06 - Asked vendor when a fixed version will be released.
2013-06-07 - Vendor replied that they are currently working on possible solutions.
2013-06-13 - Asked vendor when a fixed version will be released.
2013-06-14 - Vendor replied and requested to verify whether the vulnerability is correctly fixed.
2013-06-18 - Received updated files from vendor for verification test.
2013-06-18 - Tested the updated files and informed vendor that the fix is not complete.
2013-06-18 - Provided more information on how to fix the XSS issue to the vendor and updated webpage to include more information.
2013-07-01 - Noticed that vendor released updated versions on Apple Store.
2013-07-01 - Tested updated versions and noticed that the directory traversal download vulnerability was fixed.
2013-07-01 - Public Release.


Contact
For further enquiries, comments, suggestions or bug reports, simply email them to