Pentest Security Advisory : PTL-2013-01
Directory traversal in Eye-Fi Helper < 3.4.23
Title: Directory traversal in Eye-Fi Helper < 3.4.23
Announcement date: 3 Jan 2012
Products: Eye-Fi Helper < 3.4.23
Vulnerability Type: Directory Traversal
Remotely Exploitable: Yes (MITM)
An Eye-Fi card is an SD card with integrated WiFi, which can automatically transfer photos to a computer over a wireless network. The Eye-Fi Helper software runs on a Windows computer and receives the images. Pentest have identified a security vulnerability in this software that makes it possible for a hacker to take control of the Windows computer.
The hacker does need access to the wireless network to exploit this, so the attack is relevant in a scenario like a cafe, where the network is shared. The protocol has additional protection when used with an open hotspot, which has not been investigated. Correct operation of the Eye-Fi card requires the user to allow the port through their firewall. However, the exploit only works by tampering with a legitimate connection; the software cannot be attacked when not in active use.
When the card sends an image to the helper, it actually sends a tar file that contains the image, and some optional supplemental information, such as geolocation data. The card passes a "filesignature" to the helper, which saves the tar file in a location like:
C:\Documents and Settings\<user>\Local Settings\Application Data\Eye-Fi\spool\delivery\<mac address>\<filesignature>
However, the file signature is not checked for special characters, so it can be set to something like:
Which will write it to:
C:\Documents and Settings\<user>\Start Menu\Programs\Startup\payload.exe
In this case, the next time the computer is started, the payload will be executed.
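The flaw is that the filesignature is spliced into a path without validation. As an added defensive example (not Eye-Fi's code), the following Python shows how the helper side could validate the value before spooling: allow only a conservative character set and then confirm the normalised path still lies under the delivery directory. The spool root, the MAC directory format (12 hex digits) and the permitted signature characters are assumptions.

```python
import ntpath
import re

# Constructed spool root, mirroring the layout described in the advisory (assumption).
SPOOL_ROOT = r"C:\Documents and Settings\user\Local Settings\Application Data\Eye-Fi\spool\delivery"

# Allow-list for the two path components the card controls (assumed formats).
# No path separators, drive letters or leading dots can get through this.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")
_SIGNATURE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def delivery_path(mac: str, filesignature: str, root: str = SPOOL_ROOT) -> str:
    """Return the spool path for an incoming tar, or raise ValueError if the
    card-supplied components would place the file anywhere else."""
    if not _MAC_RE.match(mac):
        raise ValueError("invalid MAC address component")
    if not _SIGNATURE_RE.match(filesignature):
        raise ValueError("invalid filesignature")

    # Second layer (defence in depth): normalise with Windows path rules and
    # verify the result is still inside the delivery directory. ntpath works
    # on any host, so this check can be exercised off-Windows too.
    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, mac, filesignature))
    if ntpath.commonpath([root_norm, candidate]) != root_norm:
        raise ValueError("path escapes spool directory")
    return candidate


def accepts(mac: str, filesignature: str) -> bool:
    """Convenience wrapper: True if the pair would be spooled, False if rejected."""
    try:
        delivery_path(mac, filesignature)
        return True
    except ValueError:
        return False
```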
Successful exploitation relies on some other weaknesses in the protocol that the card and helper use to communicate. These weaknesses make it possible to perform a man-in-the-middle attack and to tamper with the content of files. However, given the expected usage of the software, these weaknesses seem acceptable.
We have produced a video demonstration of the exploit in action: https://www.youtube.com/watch?v=vnBQCt7-f6k
The exploit script uses some interesting techniques, and is available on our web site: http://www.pentest.co.uk/documents/eyepwn.zip
Eye-Fi have released an update to Eye-Fi Helper (version 3.4.23), which includes the fix. The release notes mention security improvements, but do not explicitly state that the update fixes a security flaw.
Beta version 3.4.18a also includes the fix - this information may be particularly useful to scanning vendors.
Pentest offers a thorough, yet adaptive range of security services to help customers address vulnerabilities in their network or applications. Services include: Secure Coding Workshops, SAST tools, Manual Penetration Testing and Security Audits.
Pentest offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these systems.