An arbitrary file upload vulnerability has been discovered in an iOS app that allows an attacker to deliver a malicious package during a file transfer operation.
The app is Photos in Wi-Fi v1.0.1, and the vulnerability, discovered by the Vulnerability Laboratory Research Team, allows remote attackers to upload a malicious file to the iOS device which could compromise the security of the iOS wifi app and allowing the attacker to take control.
The vulnerability is triggered when the user tries to upload a file from their ‘Camera Roll' to the app. Remote attackers are able to intercept the name of the file and use a live session to change the `filename` value to a web based SSH connection and upload a malicious arbitrary file.
Once the SSH connection is active, the uploaded file is then used by the attacker to request an `asset.php` file to execute the stored malicious file which allows the attacker to gain access into the iOS app.
Benjamin Kunz Mejri at Vulnerability Lab who discovered the bug, commented in an email to SCMagazineUK.com that they have logged over “400 zero-day bugs in apps” and have had “several discussions with Apple” regarding protecting the App Store.
Exploitation of remote web vulnerabilities requires no user interaction and no privileged web application user account which makes this a relatively easy attack to execute, according to Mejri.
Successful exploitation of the arbitrary file upload vulnerability results in web-server, web module, website and/or dbms compromise.