Multiple Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF)
|Product:||Smartphone Pentest Framework (SPF)|
|Vendor:||Bulb Security LLC|
|Vulnerable Versions:||0.1.3, 0.1.4 and probably prior|
|Tested Version:||0.1.3, 0.1.4|
|Advisory Publication:||November 19, 2012 [without technical details]|
|Vendor Notification:||November 19, 2012|
|Public Disclosure:||December 10, 2012|
|Latest Update:||December 11, 2012|
|Vulnerability Type:||OS Command Injection [CWE-78]|
|CVSSv2 Base Score:||8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered multiple command execution vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester's machine remotely.
|On December 5, 2012 vendor replied that vulnerabilities are patched. However, on the Disclosure date version 0.1.4 was still found to be vulnerable.|
As a temporary solution remove or disable SPF's GUI.
| High-Tech Bridge Advisory HTB23127 - https://www.htbridge.com/advisory/HTB23127 - Multiple Vulnerabilities in Smartphone Pentest Framework (SPF).|
 Smartphone Pentest Framework (SPF) - http://www.bulbsecurity.com/smartphone-pentest-framework/ - Smartphone Pentest Framework is an open source security tool, designed to aid in assessing the security posture of smartphones in an environment.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.