iPassword Manager v2.6 iOS – Persistent Vulnerabilities | ZeroBox Vulnerability Database

iPassword Manager v2.6 iOS – Persistent Vulnerabilities

Document Title:
===============
iPassword Manager v2.6 iOS – Persistent Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1453

Release Date:
=============
2015-04-21

Vulnerability Laboratory ID (VL-ID):
====================================
1455

Common Vulnerability Scoring System:
====================================
3.7

Product & Service Introduction:
===============================
iPassword can securely store your important information and can automatically log you into websites with a single tap.
There`s no need to remember the usernames, passwords, or even the website addresses. Join to iPassword today. Your digital
life will be in comfort and safe with it.

(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/password-manager-free-secure/id547904729 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple persistent input validation vulnerabilities in the official iPassword Free Manager v2.6 iOS web-application.

Vulnerability Disclosure Timeline:
==================================
2015-04-21: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Free Secure App Manager
Product: iPassword Free Manager – iOS Mobile Web Application 2.6

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
Multiple application-side input validation web vulnerabilities has been discovered in the official iPassword v2.6 iOS web-application.
The vulnerability allows local and remote attackers to inject own script code to the application-side of the affected mobile web-application.

The security vulnerability is located in the `password` and `name` values of the send by email function. The service does not encode the input of the password
or the stored entries. Users are able to send the stored data by mail. The encoding of the send by mail function is broken and allows execution of
malicious script codes. The attackers saved a database entry with malicious code or exchanges an entry by mail. In the moment he converts the stored
string of the input, the filter mechanism encodes wring and executes the code. In the second instance the code executes on arrival of the send app mail.
The issue is located in the send password by email function and in the main send by mail function. The attack vector is located on the application-side
and the request method to inject is db sharing (send email) or by local interaction.

The security risk of the application-side web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 3.7.
Exploitation of the persistent web vulnerability requires a privileged ipassword application user account and low user interaction. Successful exploitation
of the persistent web vulnerability results in mobile application compromise or connected device component compromise.

Request Method(s):
[+] [Sync]

Vulnerable Module(s):
[+] iPassword – Password Input
[+] Wallet Entries Input (Name)

Vulnerable Parameter(s):
[+] password
[+] name

Affected Module(s):
[+] Local Mail Service App
[+] Remote Mail (Outgoing)

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by local and remote attackers with low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability …
1. Install the iPassword Manager app (https://itunes.apple.com/us/app/password-manager-free-secure/id547904729)
2. Start the software
Note: Now the software asks a first time for a password
3. Inject your payload twice to the password input and press ok
Note: Now the software asks to send your password by mail
4. Click ok to send the data by mail
5. Now the first script code execution occurs in the mail body context
6. We continue and surf back in the app to add a new contact
7. Include to the contact name own script code and save the input
8. Click the send by mail button.
9. Review the arrived mail in the inbox
10. The script code execution occurs in the main body context of the mail
11. Successful reproduce of both vulnerabilities!

PoC: Contact > Send Mail



Send by Mail Function

Betreff: Data41
Von: VLab
Datum: 21.04.2015 12:49
An: bkm@evolution-sec.com

">