Hacking Web Server Apps for iOS

Presented at AppSec USA 2013, Nov. 21, 2013, 1 p.m. (50 minutes)

Video of session: https://www.youtube.com/watch?v=1oCRagEk31A&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=21

Since the iPhone was released, people have been trying to figure out different ways to turn it into a common data storage device. Many applications have been released in the iTunes Store to add this capability, some using USB transport (via iTunes), others Bluetooth. However, another approach taken by most of these software vendors is to share the disk space on the phone not only over WiFi but also over the cellular data connection (GSM/CDMA), all by implementing a simple web server with a file upload feature. Web file servers are now very common applications in the iTunes Store, in both free and paid versions, that satisfy users' need to "share" the phone as a file storage unit using (yes) the HTTP protocol. Most (if not all) of these applications are not well designed and usually have poor feature sets. Yet these apps remain very popular among users who have no intention of jailbreaking their reliable mobile devices but really want file sharing capabilities. As mentioned, these apps are mainly built with plain HTML (which also brings some limitations to our testing), with no encryption (SSL) and mostly no authentication (and in those that support it, it is turned off by default). This research covers the applications described above, both free and paid versions: how they work and what problems they bring to non-jailbroken devices. On top of describing the flaws, there will be a live demo of how risky these apps are. Although it is not the highlight of the talk, it will also be demonstrated how much worse things can get on jailbroken devices, once the sandbox security feature is lost.

This talk will present currently unpatched vulnerabilities found while researching these applications, ranging from medium to critical risk, and will show how these vulnerabilities can be exploited to compromise the phone's file system with practical attacks. From a basic reflected XSS to the optimistic scenario of RCE, when the device is jailbroken and also has another app that helps (a web server with a dynamic language, for example), some of these exploits will be presented to the public. All of the issues discussed above are magnified by the fact that the service (the web server) is automatically advertised to (and/or responds to) mDNS queries, making the device running that app an easy target for anyone on the same wireless network who watches those packets or simply runs an mDNS browser.

Presenters:

  • Bruno - Senior Security Consultant - Trustwave SpiderLabs
    Bruno Gonçalves de Oliveira is an MSc candidate, computer engineer and senior security consultant at Trustwave's SpiderLabs, where his duties are mostly focused on offensive security, performing hundreds of penetration tests on everything from common systems and environments to embedded and uncommon devices. Bruno loves German fast cars (a.k.a. BMWs), good ol' Jack and also stout/ale beers. He has previously spoken at THOTCON, SOURCE Boston, Black Hat DC, SOURCE Barcelona, DEFCON, Hack In The Box, ToorCon, You Sh0t the Sheriff and H2HC.
