283 software vendors have fixed 921 vulnerabilities in their products thanks to High-Tech Bridge Security Research Lab.
Patch Available Upon Disclosure
|2013 Q4: 67%||2013 Q1: 100%|
|2013 Q3: 77%||2012 Q4: 68%|
|2013 Q2: 92%||2012 Q3: 69%|
Vendor Average Time to Patch
|2013 Q4: 8 days||2013 Q1: 13 days|
|2013 Q3: 13 days||2012 Q4: 26 days|
|2013 Q2: 30 days||2012 Q3: 22 days|
Multiple Vulnerabilities in Smartphone Pentest Framework (SPF)
|Product:||Smartphone Pentest Framework (SPF)|
|Vendor:||Bulb Security LLC|
|Vulnerable Versions:||0.1.2 and probably prior|
|Advisory Publication:||October 24, 2012 [without technical details]|
|Vendor Notification:||October 24, 2012|
|Vendor Fix:||November 15, 2012|
|Public Disclosure:||November 14, 2012|
|Latest Update:||November 15, 2012|
|Vulnerability Type:||OS Command Injection [CWE-78]|
SQL Injection [CWE-89]
Cross-Site Request Forgery [CWE-352]
Information Exposure [CWE-200]
Incorrect Default Permissions [CWE-276]
|CVSSv2 Base Scores:||8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)|
|Solution Status:||Fixed by Vendor|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester's machine. The research was inspired by the vulnerability found by Jon Passki
Even if the web server hosting SPF GUI is not accessible from the Internet (which is a case for many pentesters) the vulnerabilities can still be easily exploited via the local/internal network, or even from remote via CSRF vector. In default installation of SPF the web server port and GUI application's path are easily predictable (localhost:80/frameworkgui/).
Multiple Perl scripts in the "/frameworkgui/" directory do not perform sanitation of user-supplied input passed as argument to the system() function. This could be exploited to inject and execute arbitrary OS commands on the target system with privileges of the web server.
Vulnerable scripts and parameters:
PoCs (Proof-of-Concept) below will send "/etc/passwd" file to the "user@host" email address:
<form action="http://[host]/remoteAttack.pl" method="post">
<form action="http://[host]/frameworkgui/CSAttack.pl" method="post">
<form action="http://[host]/frameworkgui/SEAttack.pl" method="post">
<form action="http://[host]/frameworkgui/attach2agents.pl" method="post">
<form action="http://[host]/frameworkgui/attachMobileModem.pl" method="post">
<form action="http://[host]/frameworkgui/guessPassword.pl" method="post">
All of the above-mentioned vulnerabilities can be exploited via CSRF vector. The PoC below sends "/etc/passwd" file to the "user@host" email address as soon as victim [that has open SPF GUI in one tab of a browser] visits a malicious web page with CSRF exploit:
<form action="http://localhost/frameworkgui/guessPassword.pl" method="post" name=f1>
Multiple Perl scripts in the "/frameworkgui/" directory are vulnerable to SQL injections. A remote attacker can execute arbitrary SQL commands in application's database.
Vulnerable scripts and parameters:
The following PoC is available:
<form action="http://[host]/frameworkgui/attach2Agents.pl" method="post">
All the above-mentioned SQL injections can also be exploited via CSRF vector:
The vulnerability exists due to insufficient verification of the HTTP requests origin in all Perl scripts within the "/frameworkgui/" directory. A remote attacker without direct access to application's web interface can perform cross-site request forgery attacks and execute arbitrary actions available to application's users only (e.g. send SMS messages).
However, in our case the most practical usage of the CSRF vulnerabilities is to exploit OS command injection and SQL injection vulnerabilities described in sections 1) and 2) of this advisory.
A Social Engineering attack scenario may be quite simple:
The weakness exists due to insufficient ACL to the "config" file located in "/frameworkgui/" directory. A remote attacker can access the configuration file directly and obtain sensitive information, such as database password that is stored in plaintext.
The weakness exists because of "btinstall" installation script that sets world-writable permissions for all files within the "/frameworkgui/" directory:
cd /var/www/frameworkgui; chmod 777 * ;
A local unprivileged user can read and modify arbitrary files located within this directory.
|Vendor reply (October 24, 2012):|
"I'm taking the GUI out of the project entirely for the time being so that will be the short term patch. DARPA wanted there to be a gui but obviously having a webbased gui was a terrible idea. Feel free to release whatever you want about it, everybody else does."
Vendor reply (November 8, 2012):
"The product in question doesnt even exist anymore. So I don't know what you want me to say about it being patched. It was just a proof of concept. Not a product at all. And since clearly it wasnt good enough for primetime I removed it from github. Say whatever you want about it."
Vendor solution (November 15, 2012):
According to the vendor all the vulnerabilities are patched in version 0.1.3: https://github.com/georgiaw/Smartphone-Pentest-Framework
| High-Tech Bridge Advisory HTB23123 - https://www.htbridge.com/advisory/HTB23123 - Multiple Vulnerabilities in Smartphone Pentest Framework (SPF).|
 Smartphone Pentest Framework (SPF) - http://www.bulbsecurity.com/smartphone-pentest-framework/ - Smartphone Pentest Framework is an open source security tool, designed to aid in assessing the security posture of smartphones in an environment.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.