Unrestricted File Upload Leads to Uploading Malicious Files in an iOS App (CVE-2023-42335)

Fahad Almulhim (0xHunter)
Sep 19, 2023

Good day everyone! I hope all of you are doing well.

During one of our penetration testing assessments, we encountered an iOS app that included both fl3xx Crew and fl3xx Dispatch. We identified multiple file upload functions that allow users to transfer files from their devices to the server. The following steps demonstrate how an authenticated user can discover an unrestricted file upload vulnerability, which can lead to additional security risks. For reference, here is the link to the blog post for the other CVE:

Insecure Direct Object Reference (IDOR), CVE-2023-42334

Today I will be demonstrating CVE-2023-42335.

Vulnerability Details

Vulnerable Software: Fl3xx Dispatch & Fl3xx Crew

Vulnerability: Unrestricted File Upload

Affected Version: 2.10.37

Vendor Homepage: https://www.fl3xx.com/product/fl3xx

CVE: CVE-2023-42335

What is unrestricted file upload, and how do you spot it?

A file upload vulnerability, also called unrestricted file upload or arbitrary file upload, is a security weakness that allows an attacker to upload malicious files to a web server.
It occurs when an application does not properly validate the uploaded file's type, extension or content. An attacker may then be able to upload a file that compromises the security of the server or of other users who open it.
Frequently the uploaded file is a backdoor, which tools shipped with Kali Linux such as msfvenom can generate easily once the attacker knows the server's technology.

How can I prevent file upload vulnerabilities?

There are several steps that can be taken to prevent file upload vulnerabilities:

· Restrict the file types that may be uploaded: check the file extension and allow only specific types.

· Use a whitelist (allow-list) approach instead of a blacklist.

· Change the permissions on the upload folder so that the files within it are not executable.

· If possible, rename uploaded files to a server-chosen name.

· Check the content and metadata of the file twice: when it is selected for upload (client-side) and again when it is received by the server (server-side).
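As an added example (not fl3xx's code), here is a Python server-side check that applies the list above: an extension allow-list, a magic-byte check that the content matches the claimed type, a random server-chosen filename, and non-executable 0600 permissions. The allowed types, size cap and sample bytes are constructed assumptions; the client-side check is trivially bypassed with a proxy such as Burp Suite, so the server-side check is the one that counts.

```python
import os
import secrets
import tempfile

# Allow-list of attachment types and the magic bytes each must start with.
# Constructed for this example; fl3xx's real allow-list is not known.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
MAX_SIZE = 5 * 1024 * 1024  # 5 MiB cap per attachment (assumed)


def validate_upload(filename: str, content: bytes) -> str:
    """Return the allow-listed extension, or raise ValueError."""
    base = os.path.basename(filename)  # drop any path the client sent
    if "." not in base:
        raise ValueError("missing extension")
    # Only the last extension counts, so 'x.pdf.php' is judged as .php.
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension .{ext} not allowed")
    if not 0 < len(content) <= MAX_SIZE:
        raise ValueError("empty or oversized file")
    # Content must match the claimed type: HTML or PHP renamed to .pdf fails
    # here because it does not start with '%PDF-'.
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match extension")
    return ext


def store_upload(filename: str, content: bytes, upload_dir: str) -> str:
    """Validate, then write under a random server-chosen name, mode 0600."""
    ext = validate_upload(filename, content)
    stored = f"{secrets.token_hex(16)}.{ext}"  # client name never hits disk
    path = os.path.join(upload_dir, stored)
    # O_EXCL refuses to overwrite; 0o600 leaves the file non-executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return stored


def demo() -> tuple:
    """Store a constructed PNG in a temp dir; return (name, permission bits)."""
    upload_dir = tempfile.mkdtemp()
    name = store_upload("../../receipt.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 64, upload_dir)
    mode = os.stat(os.path.join(upload_dir, name)).st_mode & 0o777
    return name, mode
```

When serving stored files back, also send `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` so a browser never renders an attachment inline.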

Fl3xx Crew system:

Crew system, crew assignment, qualifications, and much more, all synced with your calendars via the web or crew app.

Fl3xx Dispatch system:

Manage your airport slots, assigned crew, passenger preferences, and much more in a single instant.

Required Components:

Burp Suite: HTTP proxy tool for intercepting requests.

Steps to execute:

1-Find the file upload function under Duties > Flight details > Add expense > Upload attachment files.

2-Try to upload files with different extensions and contents to see whether they are accepted.

3-After uploading different files, we saw that we could upload files with extensions such as .html and .php.

4-We uploaded an HTML file containing an HTML injection payload with a link to our own website.

Follow the steps in the screenshot below:

In the screenshot below, we modify the HTML file.

Duties > Flight details > Add expense > Upload attachment files

So we can now upload a file containing a URL to trick a user into clicking it, which forwards them to the attacker's website.

Here we see that HTML files containing markup and script are accepted without any rejection.

In the screenshot below, after uploading the HTML file and opening it, we saw the HTML injection payload; clicking it forwarded us to our own website.

After opening the uploaded HTML file, we confirmed that the HTML we wrote forwards the user to any website the attacker chooses.

In the screenshot below, we upload a file containing PHP code.

Uploading a PHP file containing PHP code.
Here we see that the file has been uploaded with the .php extension.

Acknowledgment:

Thanks to Yara Alhumaidan and May al-muraished for their support. Also, many thanks to the Saudi Information and Technology Company (SITE) for their continuous support.
