Affix btsrv Crafted Filename Arbitrary Shell Command Injection

2005-07-12T10:29:55
ID OSVDB:17853
Type osvdb
Reporter Kevin Finisterre(kf@digitalmunition.com)
Modified 2005-07-12T10:29:55

Description

Vulnerability Description

Affix contains a flaw that may allow a malicious user to execute arbitrary commands with the rights of the btsrv server. The issue is triggered when the ftp put command is used with malicious parameters. It is possible that the flaw may allow remote code execution resulting in a loss of integrity.

Technical Description

Since there is no input validation in btobex_put function, it is possible to inject arbitrary commands.

vulnerable code snippet from obex/btobex.c :

char cmd[PATH_MAX]; sprintf(cmd, "/bin/mv \"%s\" \"%s\"", file, name); fd = system(cmd); if (fd) { BTERROR("failed: system(\"%s\") = %d\n", cmd, fd); }


Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Carlos Chinea has released a patch to address this vulnerability.

Short Description

Affix contains a flaw that may allow a malicious user to execute arbitrary commands with the rights of the btsrv server. The issue is triggered when the ftp put command is used with malicious parameters. It is possible that the flaw may allow remote code execution resulting in a loss of integrity.

References:

Vendor URL: http://affix.sourceforge.net/ Vendor URL: http://www-nrc.nokia.com/affix/ Secunia Advisory ID:15988 Secunia Advisory ID:16122 Secunia Advisory ID:16413 Related OSVDB ID: 17852 Other Advisory URL: http://www.debian.org/security/2005/dsa-773 Other Advisory URL: http://www.digitalmunition.com/DMA[2005-0712b].txt Other Advisory URL: http://www.debian.org/security/2005/dsa-762 Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0221.html Keyword: bluetooth Keyword: nokia CVE-2005-2277