Bashi v1.6 iOS - Persistent Mail Encoding Vulnerability
References (Source):
====================
http://ift.tt/1WSlKgZ
Release Date:
=============
2016-05-25
Vulnerability Laboratory ID (VL-ID):
====================================
1852
Common Vulnerability Scoring System:
====================================
3.4
Product & Service Introduction:
===============================
This is an ios bash4.3 app,you can learn,run,share bash 4.3 script. Code templates,the contents of the new file is copy from
contents of the template file. In(the built-in browser or the txt editor),Select the text to run.
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an application-side mail encoding web vulnerability in the official Bashi v1.6 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2016-05-25: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
XiaoWen Huang
Product: Bashi - iOS Mobile Application 1.6
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Bashi v1.6 iOS mobile application.
The security web vulnerability allows to inject malicious script codes on the application-side of the vulnerable iOS mobile app.
The vulnerability is located in the encode mechanism of the `code console` input field. Local attackers with restricted or local low
privileged application user accounts are able to inject own malicious script codes to the code console input. Thus code can be send by
the share function to the author or random emails. The execution of the malicious script code occurs in the mail body message context
on sharing by email. The injection point of the vulnerability is the code console compiler input field. The attack vector of the issue
is persistent on the application-side and the request method to inject is a basic device sync.
The security risk of the application-side vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the persistent web vulnerability requires a low privileged ios device account with restricted access and low user interaction.
Successful exploitation of the vulnerabilities results in persistent phishing mails, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module context.
Vulnerable Module(s)
[+] Code Console
Vulnerable Input(s):
[+] Code Template
Vulnerable Parameter(s)
[+] code
Affected Module(s)
[+] Mail Message Body (Share Function)
Proof of Concept (PoC):
=======================
The application-side validation web vulnerability can be exploited by remote attackers with low privileged iOS device user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Install the vulnerable iOS app to your apple device
2. Start the app
3. Click the code module to open the compiler
4. Inject a script code payload to the "$Person" variable in the code-line input field
5. Now, click above the share button and choose send by email
Note: The payload is getting saved to the mail body message context
6. The execution occurs directly in the mail body of the email context were the code becomes via echo visible
Document Title:
===============
Bashi v1.6 iOS - Persistent Mail Encoding Vulnerability
References (Source):
====================
http://ift.tt/1WSlKgZ
Release Date:
=============
2016-05-25
Vulnerability Laboratory ID (VL-ID):
====================================
1852
Common Vulnerability Scoring System:
====================================
3.4
Product & Service Introduction:
===============================
This is an ios bash4.3 app,you can learn,run,share bash 4.3 script. Code templates,the contents of the new file is copy from
contents of the template file. In(the built-in browser or the txt editor),Select the text to run.
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an application-side mail encoding web vulnerability in the official Bashi v1.6 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2016-05-25: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
XiaoWen Huang
Product: Bashi - iOS Mobile Application 1.6
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Bashi v1.6 iOS mobile application.
The security web vulnerability allows to inject malicious script codes on the application-side of the vulnerable iOS mobile app.
The vulnerability is located in the encode mechanism of the `code console` input field. Local attackers with restricted or local low
privileged application user accounts are able to inject own malicious script codes to the code console input. Thus code can be send by
the share function to the author or random emails. The execution of the malicious script code occurs in the mail body message context
on sharing by email. The injection point of the vulnerability is the code console compiler input field. The attack vector of the issue
is persistent on the application-side and the request method to inject is a basic device sync.
The security risk of the application-side vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the persistent web vulnerability requires a low privileged ios device account with restricted access and low user interaction.
Successful exploitation of the vulnerabilities results in persistent phishing mails, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module context.
Vulnerable Module(s)
[+] Code Console
Vulnerable Input(s):
[+] Code Template
Vulnerable Parameter(s)
[+] code
Affected Module(s)
[+] Mail Message Body (Share Function)
Proof of Concept (PoC):
=======================
The application-side validation web vulnerability can be exploited by remote attackers with low privileged iOS device user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Install the vulnerable iOS app to your apple device
2. Start the app
3. Click the code module to open the compiler
4. Inject a script code payload to the "$Person" variable in the code-line input field
5. Now, click above the share button and choose send by email
Note: The payload is getting saved to the mail body message context
6. The execution occurs directly in the mail body of the email context were the code becomes via echo visible
7. Successful reproduce of the vulnerability!
PoC: Code Template - Share
#Note:The template file will be copied
to a new file. When you
change the code of the template file
you can create new file with&
nbsp;this base code.
echo