Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Super Backup 2.0.5 for iOS - Directory Traversal



Recommended Posts

# Title: Super Backup 2.0.5 for iOS - Directory Traversal
# Author: Vulnerability Laboratory
# Date: 2020-04-30
# Software: https://apps.apple.com/us/app/super-backup-export-import/id1052684097
# CVE: N/A

Document Title:
Super Backup v2.0.5 iOS - Directory Traversal Vulnerability

References (Source):

Common Vulnerability Scoring System:

Product & Service Introduction:
Backup all your iPhone or iPad contacts in 1 tap and export them.
Fastest way to restore contacts from PC or Mac.
Export by mailing the backed up contacts file to yourself. Export
contacts file to any other app on your device.
Export all contacts directly to your PC / Mac over Wifi, no software
needed! Restore any contacts directly from
PC / Mac. Restore contacts via mail. Get the ultimate contacts backup
app now.

(Copy of the Homepage:
https://apps.apple.com/us/app/super-backup-export-import/id1052684097 )

Affected Product(s):
Dropouts Technologies LLP
Product: Super Backup v2.0.5

Vulnerability Disclosure Timeline:
2020-04-30: Public Disclosure (Vulnerability Laboratory)

Technical Details & Description:
A directory traversal web vulnerability has been discovered in the
official Super Backup v2.0.5 ios mobile web-application.
The vulnerability allows remote attackers to change the application path
in performed requests to compromise the local application
or file-system of a mobile device. Attackers are for example able to
request environment variables or a sensitive system path.

The directory-traversal web vulnerability in the app is located in the
`list` and `download` module with the `path` parameter.
Attackers are able to change the path variable to request the local list
command. By changing the path parameter the validation
mechanism runs into a logic error that turns back the possibility to
request different pathes outside the basic import/export
folder. Thus way the attacker injects for example local path environment
varibales to compromise the local ios web-application.

Exploitation of the directory traversal web vulnerability requires no
privileged web-application user account or user interaction.
Successful exploitation of the vulnerability results in information
leaking by unauthorized file access and mobile application compromise.

Proof of Concept (PoC):
The directory traversal vulnerability can be exploited by attackers with
access to the wifi interface in a local network without user interaction.
For security demonstration or to reproduce the security vulnerability
follow the provided information and steps below to continue.

PoC: Payloads

PoC: Exploitation

--- PoC Session Logs [GET]] ---
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
GET: HTTP/1.1 200 OK
Content-Length: 174
Content-Type: application/json
Connection: Close
Host: localhost
Connection: keep-alive
GET: HTTP/1.1 200 OK
Content-Length: 174
Content-Type: application/json
Connection: Close
Opening the url allows to download the list file json with content path
[{"path":"../../../../../../../../../../../../ "size":21961}]


Credits & Authors:
Vulnerability-Lab -

Link to post
Link to comment
Share on other sites


discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    • Create New...