Advisory Details
Author: Paul Johnston
Title: Directory traversal in Eye-Fi Helper < 3.4.23
Announcement date: 3 Jan 2012
Advisory Reference: ptl-2013-01
Products: Eye-Fi Helper < 3.4.23
Vulnerability Type: Directory Traversal
Vendor-Status: Patch Released
Remotely Exploitable: Yes (MITM)
Locally Exploitable: Yes
Vendor: Eye-Fi
CVE: CVE-2011-4696
Overview
An Eye-Fi card is an SD card with integrated WiFi that can automatically transfer photos to a computer over a wireless network. The Eye-Fi Helper software runs on a Windows computer and receives the images. Pentest have identified a security vulnerability in this software that makes it possible for a hacker to take control of the Windows computer.
The hacker does need access to the wireless network to exploit this, so the attack is relevant in a scenario like a cafe, where the network is shared. The protocol has additional protection when used with an open hotspot, which has not been investigated. Correct operation of the Eye-Fi card requires the user to allow the port through their firewall. However, the exploit only works by tampering with a legitimate connection; the software cannot be attacked when not in active use.
Vulnerability Description
When the card sends an image to the helper, it actually sends a tar file that contains the image, and some optional supplemental information, such as geolocation data. The card passes a "filesignature" to the helper, which saves the tar file in a location like:
C:\Documents and Settings\<user>\Local Settings\Application Data\Eye-Fi\spool\delivery\<mac address>\<filesignature>
However, the file signature is not checked for special characters, so it can be set to something like:
../../../../../../Start Menu/Programs/Startup/payload.exe
which writes the file to:
C:\Documents and Settings\<user>\Start Menu\Programs\Startup\payload.exe
In this case, the next time the computer is started, the payload will be executed.
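The following is an added example, not code from the advisory or from Eye-Fi. It reproduces the path construction described above with Python's `ntpath` module (so it runs on any OS with Windows path semantics) and places the naive join beside a hardened version that allow-lists the client-supplied identifiers and then confirms the resolved path is still inside the spool directory. The user name "alice", the card MAC address and the allow-list patterns are constructed assumptions; the traversal string is the one quoted in the advisory.

```python
import ntpath
import re

# Constructed sample values (not from the advisory): a spool directory for a
# user named "alice" and a made-up card MAC address.
SPOOL_BASE = (r"C:\Documents and Settings\alice\Local Settings"
              r"\Application Data\Eye-Fi\spool\delivery")
CARD_MAC = "001122334455"

# The traversal string quoted in the advisory.
TRAVERSAL_SIGNATURE = "../../../../../../Start Menu/Programs/Startup/payload.exe"

# Allow-lists assumed for this example: a filesignature is an opaque token,
# so nothing beyond letters, digits, '-' and '_' should ever be needed, and a
# MAC address is twelve hex digits.
SIGNATURE_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")
MAC_RE = re.compile(r"[0-9A-Fa-f]{12}")


class UnsafePathError(ValueError):
    """Raised when a client-supplied identifier would escape the spool."""


def resolve_naive(base, mac, filesignature):
    """Build the spool path the way a vulnerable helper would: join the
    client-supplied pieces and let path normalisation resolve '..' and '/'."""
    return ntpath.normpath(ntpath.join(base, mac, filesignature))


def is_within(base, candidate):
    """True if `candidate` lies inside `base` after lexical normalisation."""
    base = ntpath.normpath(base)
    candidate = ntpath.normpath(candidate)
    try:
        return ntpath.commonpath([base, candidate]) == base
    except ValueError:
        # Different drive letters, or absolute mixed with relative: not inside.
        return False


def resolve_safe(base, mac, filesignature):
    """Hardened version: allow-list the identifiers, then confirm containment."""
    if not MAC_RE.fullmatch(mac):
        raise UnsafePathError("MAC address contains disallowed characters")
    if not SIGNATURE_RE.fullmatch(filesignature):
        raise UnsafePathError("filesignature contains disallowed characters")
    candidate = ntpath.normpath(ntpath.join(base, mac, filesignature))
    # Defence in depth: the allow-list already rules this out, but a later
    # relaxation of the pattern must not silently reopen the traversal.
    if not is_within(base, candidate):
        raise UnsafePathError("resolved path escapes the spool directory")
    return candidate


if __name__ == "__main__":
    print("naive :", resolve_naive(SPOOL_BASE, CARD_MAC, TRAVERSAL_SIGNATURE))
    for sig in ("7f3a9c", TRAVERSAL_SIGNATURE, r"D:\payload.exe"):
        try:
            print("safe  :", resolve_safe(SPOOL_BASE, CARD_MAC, sig))
        except UnsafePathError as err:
            print("safe  : rejected %r (%s)" % (sig, err))
```

Running the script shows the naive join landing in the user's Startup folder exactly as the advisory describes, while `resolve_safe` rejects the same input at the allow-list stage. The containment check is lexical only; a helper that opens the file should additionally make sure it is not following a reparse point or symbolic link out of the spool directory.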
Successful exploitation also relies on some other weaknesses in the protocol that the card and helper use to communicate. These weaknesses make it possible to perform a man-in-the-middle attack and to tamper with the content of files. However, given the expected usage of the software, these weaknesses seem acceptable.
Exploit
We have produced a video demonstration of the exploit in action: https://www.youtube.com/watch?v=vnBQCt7-f6k
The exploit script uses some interesting techniques, and is available on our web site: http://www.pentest.co.uk/documents/eyepwn.zip
Solution
Eye-Fi have released an update to Eye-Fi Helper (version 3.4.23), which includes the fix. The release notes mention security improvements, but do not explicitly state that the update fixes a security flaw.
Beta version 3.4.18a also includes the fix; this information may be particularly useful to scanning vendors.