Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hacking Web File Servers for iOS Bruno Gonçalves de Oliveira Senior Security Consultant – Trustwave’s SpiderLabs.

Published byMargaretMargaret Carroll Modified over 8 years ago

Similar presentations

Presentation on theme: "Hacking Web File Servers for iOS Bruno Gonçalves de Oliveira Senior Security Consultant – Trustwave’s SpiderLabs."— Presentation transcript:

1 Hacking Web File Servers for iOS Bruno Gonçalves de Oliveira Senior Security Consultant – Trustwave’s SpiderLabs

2 About Me #whoami Bruno Gonçalves de Oliveira Senior Security Consultant @ Trustwave’s SpiderLabs MSc Candidate Computer Engineer Offensive Security Talks: Silver Bullet, THOTCON, SOURCE Boston, Black Hat DC, SOURCE Barcelona, DEF CON, Hack In The Box Malaysia, Toorcon, YSTS e H2HC. Hosted by OWASP & the NYC Chapter

3 INTRO Smartphones –A LOT OF information –iPhone is VERY popular Mobile Applications –(MOST) Poorly designed Old fashion vulnerabilities Hosted by OWASP & the NYC Chapter

4 What are those apps? Designed to provide a storage system to iOS devices. Data can be transferred utilizing bluetooth, iTunes and FTP. Easiest way: HTTP protocol. They are very popular.

5 Examples

6 Features Manage/Storage files Create Albums, etc. Share Data

7 VULNERABILITIES

8 No encryption (SSL):

9 No authentication (by default):

10 (Reflected) XSS

11 (Persistent) XSS

12 http://www.vulnerability-lab.com/get_content.php?id=932

13 Vulnerability-Lab Advisories: http://www.vulnerability-lab.com/show.php?cat=mobile

14 Disclaimer Trustwave (me) did this research on March/13 and just now we are disclosing these advisories.

15 Path Traversal WiFi HD Free Path Traversal (CVE-2013-3923) FTPDrive Path Traversal (CVE-2013-3922) Easy File Manager Path Traversal (CVE-2013- 3921) You probably want to test the app that you use.

16 Path Traversal (DEMO)

17 Easy File Manager Unauthorized Access to File System (CVE- 2013-3960)

18

19 Getting worst with a jailbroken device.

20 Remote Command Execution: Unauthorized Access to File System (CVE-2013-3960) – Jailbroken Device

21 iOS 7 Security Improvement

22 How to find vulnerable systems <= mDNS Watch for iOS mDNS Queries

23 Conclusions Mobile Apps (already) are the future. Mobile Apps designers still don’t care too much about security. Too many apps, we have to take care. Old fashion vulnerabilities still rock.

Download ppt "Hacking Web File Servers for iOS Bruno Gonçalves de Oliveira Senior Security Consultant – Trustwave’s SpiderLabs."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.
Mobile Application Development Keshav Bahadoor. Part 1 Cross Platform Web Applications.

Mobile Application Development Keshav Bahadoor. Part 1 Cross Platform Web Applications.
Lee Hang Lam Wong Kwun Yam Chan Sin Ping Wong Cecilia Kei Ka Mobile Phone OS.

Lee Hang Lam Wong Kwun Yam Chan Sin Ping Wong Cecilia Kei Ka Mobile Phone OS.
KoolSpan Comparison to CellCrypt

KoolSpan Comparison to CellCrypt
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Research of difference OS for authentication and encryption Group member:Li Man Yiu Tsun Yu Hin Wong Nok Wai.

Research of difference OS for authentication and encryption Group member:Li Man Yiu Tsun Yu Hin Wong Nok Wai.
Advanced Security Center Overview Northern Illinois University.

Advanced Security Center Overview Northern Illinois University.
LogMeIn.com By: Casey Davidson. What is it? Free Web-based VNC Client Remotely control any PC or Mac from anywhere in the world No network configuring.

LogMeIn.com By: Casey Davidson. What is it? Free Web-based VNC Client Remotely control any PC or Mac from anywhere in the world No network configuring.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Front end GUI for PsExec, A fast and easy remote deployment utility.

Front end GUI for PsExec, A fast and easy remote deployment utility.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.

“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Your storage on the ground; Your files in the cloud.

Your storage on the ground; Your files in the cloud.
0 Kluge Burch Zimmerling GRC Advisors Commodity Services Specification Penetration Testing & Application Security Assessment January 2015.

0 Kluge Burch Zimmerling GRC Advisors Commodity Services Specification Penetration Testing & Application Security Assessment January 2015.
 Security and Smartphones By Parker Moore. The Smartphone Takeover  Half of mobile phone subscribers in the United States have a smartphone.  An estimated.

 Security and Smartphones By Parker Moore. The Smartphone Takeover  Half of mobile phone subscribers in the United States have a smartphone.  An estimated.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Overview: Identify the Internet protocols and standards Identify common vulnerabilities and countermeasures Identify specific IIS/WWW/FTP concerns Identify.

Overview: Identify the Internet protocols and standards Identify common vulnerabilities and countermeasures Identify specific IIS/WWW/FTP concerns Identify.
Making the Internet a Better Place for Business NIST PKI Steering Committee March 14, 2002.

Making the Internet a Better Place for Business NIST PKI Steering Committee March 14, 2002.

Similar presentations

Ads by Google