Pentest Security Advisory : PTL-2013-01
Directory traversal in Eye-Fi Helper < 3.4.23

Advisory Details

Author: Paul Johnston
Title: Directory traversal in Eye-Fi Helper < 3.4.23
Announcement date: 3 Jan 2012
Advisory Reference: ptl-2013-01
Products: Eye-Fi Helper < 3.4.23
Vulnerability Type: Directory Traversal
Vendor Status: Patch Released
Remotely Exploitable: Yes (MITM)
Locally Exploitable: Yes
Vendor: Eye-Fi
CVE: CVE-2011-4696

Overview

An Eye-Fi card is an SD card with integrated WiFi, which can automatically transfer photos to a computer over a wireless network. The Eye-Fi Helper software runs on a Windows computer and receives the images. Pentest have identified a security vulnerability in this software that makes it possible for a hacker to take control of the Windows computer.

The hacker does need access to the wireless network to exploit this, so the attack is relevant in a scenario such as a cafe, where the network is shared. The protocol has additional protection when used with an open hotspot, which has not been investigated. Correct operation of the Eye-Fi card requires the user to allow the port through their firewall. However, the exploit only works by tampering with a legitimate connection; the software cannot be attacked when it is not in active use.

Vulnerability Description

When the card sends an image to the helper, it actually sends a tar file that contains the image, and some optional supplemental information, such as geolocation data. The card passes a "filesignature" to the helper, which saves the tar file in a location like:

C:\Documents and Settings\<user>\Local Settings\Application Data\Eye-Fi\spool\delivery\<mac address>\<filesignature>

However, the file signature is not checked for special characters, so it can be set to something like:

../../../../../../Start Menu/Programs/Startup/payload.exe

Which will write it to:

C:\Documents and Settings\<user>\Start Menu\Programs\Startup\payload.exe

In this case, the next time the computer is started, the payload will be executed.
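The following is an added illustration, not code from the advisory or from Eye-Fi: it reproduces the unchecked path join described above and places a hardened version beside it that allow-lists the filesignature and then confirms the canonical target is still inside the spool directory. The spool directory, the user name and MAC address in it, and the permitted filesignature character set are assumptions; ntpath is used so the Windows path semantics hold on any OS.

```python
import ntpath
import re

# Constructed spool directory modelled on the advisory's example path
# (assumed user "user" and card MAC 001122334455).
SPOOL_DIR = (r"C:\Documents and Settings\user\Local Settings"
             r"\Application Data\Eye-Fi\spool\delivery\001122334455")

# The traversal filesignature quoted in the advisory.
TRAVERSAL_SIG = "../../../../../../Start Menu/Programs/Startup/payload.exe"

# Assumed allowed shape for a filesignature: one plain path component with no
# separators, no leading dot (so "." and ".." fail) and no colon/drive letter.
SIG_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def unsafe_delivery_path(spool_dir, filesignature):
    """Behaviour the advisory describes for Helper < 3.4.23: the signature is
    joined to the spool directory unchecked, so '..' components walk out of it."""
    return ntpath.normpath(ntpath.join(spool_dir, filesignature))


def is_safe_filesignature(filesignature):
    """Allow-list check: True only when the signature is a single plain file name."""
    return SIG_RE.fullmatch(filesignature) is not None


def safe_delivery_path(spool_dir, filesignature):
    """Hardened variant: allow-list the signature, then verify the canonical
    target lies strictly inside the spool directory (defence in depth)."""
    if not is_safe_filesignature(filesignature):
        raise ValueError("filesignature rejected: %r" % filesignature)
    base = ntpath.normpath(spool_dir)
    target = ntpath.normpath(ntpath.join(base, filesignature))
    if target == base or ntpath.commonpath([base, target]) != base:
        raise ValueError("delivery path escapes the spool directory")
    return target


if __name__ == "__main__":
    print(unsafe_delivery_path(SPOOL_DIR, TRAVERSAL_SIG))
    print(safe_delivery_path(SPOOL_DIR, "IMG_0001.tar"))
    try:
        safe_delivery_path(SPOOL_DIR, TRAVERSAL_SIG)
    except ValueError as err:
        print("rejected:", err)
```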

Successful exploitation relies on some other weaknesses in the protocol that the card and helper use to communicate. These weaknesses make it possible to perform a man-in-the-middle attack and to tamper with the content of files. However, given the expected usage of the software, these weaknesses seem acceptable.

Exploit

We have produced a video demonstration of the exploit in action: https://www.youtube.com/watch?v=vnBQCt7-f6k

The exploit script uses some interesting techniques, and is available on our web site: http://www.pentest.co.uk/documents/eyepwn.zip

Solution

Eye-Fi have released an update to Eye-Fi Helper (version 3.4.23), which includes the fix. The release notes mention security improvements, but do not explicitly state that the update fixes a security flaw.

Beta version 3.4.18a also includes the fix; this information may be particularly useful to vulnerability-scanning vendors.
