Mobile Atlas Creator 1.9.12 persistent Command Injection

Title: ===== Mobile Atlas Creator 1.9.12-Persistent Command Injection Vulnerability Date: ==== 2013-06-11 Common Vulnerability Scoring System: =============================================================== 3.5 Overview: ============= Mobile Atlas Creator (formerly known as TrekBuddy Atlas Creator) is an open source (GPL) program which creates offline atlases for GPS handhelds and cell phone applications like TrekBuddy, AndNav and other Android and WindowsCE based applications. for the full list of supported applications please see the features section. additionally individual maps can be exported as one large PNG image with calibration MAP file for OziExplorer. as source for an offline atlas Mobile Atlas Creator can use a large number of different online maps such as OpenStreetMap and other online map providers. http://mobac.sourceforge.net/  http://mobac.sourceforge.net/ MOBAC/CHANGELOG.txt Abstract: ========= The Vulnerability Laboratory Security Team discovered a persistent vulnerability & local command path inject bug in the Mobile Atlas Creator 1.9.12 (2116) software. affected products: ======================== MOBAC Product: Mobile Atlas Creator 1.9.12 Exploitation-Technique: ================================ Remote Severity: =========== Medium Abstract: ======== Due to the fact that proper user input sanatization is not being stored med, it is possible to inject user specified HTML code within the Atlas Mobile Creator Application. besides HTML Injection, Local Command Path Injecton is also Possible. other interesting behaviour events des that if you use <script> alert (1) </script> you will get an exception error and application will show you an error window. upon further investigation, I was also able to load files from my local system where the application is installed. the bug exists in the Name FIeld while creating a New Atlas Map. A Malicious Attacker can save the script code as an Atlas Map file and send it to unknown victims. this surely makes this bug very interesting. please also note, I was able to cause multiple types of exception errors while trying different payloads which means there is a possibility of multiple attack vectors through the same vulnerable name field. vulnerable Module (s) [+] Create New Map Vulnerable Field (s) [+] Name test proof: ================== The vulnerability can be exploited by local attackers with low privilege system user account and low user interaction. for demonstration or reproduce... manually steps to reproduce... 1) Install and open atlas software 2) In the menu, goto Atlas-> New Atlas 3) Use the following payload as the Atlas name> "<iframe src = http://www.vulnerability-lab.com 4) Click OK to save the input with the non-malicious test frame 5) Right click on the Atlas Content and click the Show Details menu button 6) the script code with the test frame will be executed in the main software when processing to load the show details function of the main listing module. note: If you use <script> alert (1) </script> you will get an exception error and application will show you an error window. redisplay solution: ========== Proper user input sanatization shocould be stored med and all special/illegal characters shoshould be filtered out to prevent any such/similar attacks. risk: ==== The security risk of the persistent input validation vulnerabilities and local command path inject vulnerabilities are estimated as medium (+) | (-) high. credits: ======== Vulnerability Laboratory [Research Team]-Ateeq Khan (khan@vulnerability-lab.com) -- vulnerability laboratory research team domain: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com