Moin,
(I'm using a Gentoo Linux box with kernel 2.6.12.1, hcid 2.18 and
kbluepin from kbluetoothd 0.99-beta1; although the problem seems
to still exist in current CVS hcid and should be independent of
the pin helper used.)
I just stumbled upon a bug in hcid that can possibly be used as a
security vulnerability: In hcid/security.c (around line 335 in current
CVS) the device name from the remote device is copied straight into the
command line that is used to call the pin helper, only surrounded by a
pair of single quotes with _no_ _escaping_ done:
| read_device_name(sba, &ci->bdaddr, name);
| //hci_remote_name(dev, &ci->bdaddr, sizeof(name), name, 0);
|
| ba2str(&ci->bdaddr, addr);
| snprintf(str, sizeof(str), "%s %s %s \'%s\'", hcid.pin_helper,
| ci->out ? "out" : "in", addr, name);
At the very least this leads to failures when the remote device uses
single quotes in its name. E.g. something like "Henryk's Phone" (without
the double quotes) will give
Aug 5 03:41:03 gleam hcid[24398]: PIN helper exited abnormally with code 512
in the syslog and
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
at stderr when running hcid -n (this is how I originally found the
problem).
However, something more creative like "';touch '/tmp/foo23" (again
without the double quotes) will actually execute a program on the
attacked box (and create a file /tmp/foo23 in this case). For
reference: in strace this looks like this:
execve("/bin/sh", ["sh", "-c", "/usr/lib/kdebluetooth/kbluepin out 00:0E:ED:00:23:42 \'\';touch \'/tmp/foo23\'"], [/* 62 vars */]) = 0
(note that the conversion from ' to \' was done by strace)
Using this vulnerability one can also create pairings without approval
of the user: Setting the bluetooth device name to something like
"'>/dev/null&echo 'PIN:42" (without the double quotes) and then trying
to create a pairing with a bluez box will override the decision of the
pin helper and always set 42 as the PIN.
PS: Thanks to roh and Sascha from the CCC Berlin.
--
Henryk Pl?tz
Gr??e aus Berlin
~~~~~~~ Un-CDs, nein danke! http://www.heise.de/ct/cd-register/ ~~~~~~~
~ Help Microsoft fight software piracy: Give Linux to a friend today! ~
Hi Steven,
> >> I just stumbled upon a bug in hcid that can possibly be used as a
> >> security vulnerability: ...
> > thanks for catching this problem. Do you have a fix for it?
>
> On behalf of everyone at Unplugfest with whom you've been doing security
> testing, I'd just like to say, using my best impression of Nelson Muntz
> from The Simpsons, "Ha Ha!".
>
> :-)
what should I say? Sh* happens. I am still afraid of that day when I
have to hack into BlueZ. And this day will come ;)
Regards
Marcel
-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Bluez-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bluez-devel
Marcel Holtmann wrote:
> Henryk Pl?tz wrote:
>> I just stumbled upon a bug in hcid that can possibly be used as a
>> security vulnerability: ...
> thanks for catching this problem. Do you have a fix for it?
On behalf of everyone at Unplugfest with whom you've been doing security
testing, I'd just like to say, using my best impression of Nelson Muntz
from The Simpsons, "Ha Ha!".
:-)
- Steven
--
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
**********************************************************************
-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Bluez-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bluez-devel
Hi Henryk,
> > thanks for catching this problem. Do you have a fix for it?
>
> Now I have, I think. Doing string escaping in C is really awkward, but
> this patch should prefix all occurences of ", \, $ or ` in the name with
> an \, and will also change the enclosing single quotes to double quotes
> (because no escaping is possible in single quotes). There would also be
> an alternative way to fix it: remove the popen() and instead do a
> pipe()/fork()/dup2()/execv() combination. That should be more clean, but
> likely more complicated.
the final patch looks a little bit different, but it is now fixed in the
CVS tree. Thanks.
Regards
Marcel
-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Bluez-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bluez-devel
Moin,
Am Fri, 05 Aug 2005 05:16:34 +0200 schrieb Marcel Holtmann:
> thanks for catching this problem. Do you have a fix for it?
Now I have, I think. Doing string escaping in C is really awkward, but
this patch should prefix all occurences of ", \, $ or ` in the name with
an \, and will also change the enclosing single quotes to double quotes
(because no escaping is possible in single quotes). There would also be
an alternative way to fix it: remove the popen() and instead do a
pipe()/fork()/dup2()/execv() combination. That should be more clean, but
likely more complicated.
--
Henryk Pl?tz
Gr??e aus Berlin
~~~~~~~ Un-CDs, nein danke! http://www.heise.de/ct/cd-register/ ~~~~~~~
~ Help Microsoft fight software piracy: Give Linux to a friend today! ~
Hi Henryk,
> (I'm using a Gentoo Linux box with kernel 2.6.12.1, hcid 2.18 and
> kbluepin from kbluetoothd 0.99-beta1; although the problem seems
> to still exist in current CVS hcid and should be independent of
> the pin helper used.)
>
> I just stumbled upon a bug in hcid that can possibly be used as a
> security vulnerability: In hcid/security.c (around line 335 in current
> CVS) the device name from the remote device is copied straight into the
> command line that is used to call the pin helper, only surrounded by a
> pair of single quotes with _no_ _escaping_ done:
>
> | read_device_name(sba, &ci->bdaddr, name);
> | //hci_remote_name(dev, &ci->bdaddr, sizeof(name), name, 0);
> |
> | ba2str(&ci->bdaddr, addr);
> | snprintf(str, sizeof(str), "%s %s %s \'%s\'", hcid.pin_helper,
> | ci->out ? "out" : "in", addr, name);
>
> At the very least this leads to failures when the remote device uses
> single quotes in its name. E.g. something like "Henryk's Phone" (without
> the double quotes) will give
>
> Aug 5 03:41:03 gleam hcid[24398]: PIN helper exited abnormally with code 512
>
> in the syslog and
>
> sh: -c: line 0: unexpected EOF while looking for matching `''
> sh: -c: line 1: syntax error: unexpected end of file
>
> at stderr when running hcid -n (this is how I originally found the
> problem).
>
> However, something more creative like "';touch '/tmp/foo23" (again
> without the double quotes) will actually execute a program on the
> attacked box (and create a file /tmp/foo23 in this case). For
> reference: in strace this looks like this:
>
> execve("/bin/sh", ["sh", "-c", "/usr/lib/kdebluetooth/kbluepin out 00:0E:ED:00:23:42 \'\';touch \'/tmp/foo23\'"], [/* 62 vars */]) = 0
>
> (note that the conversion from ' to \' was done by strace)
>
> Using this vulnerability one can also create pairings without approval
> of the user: Setting the bluetooth device name to something like
> "'>/dev/null&echo 'PIN:42" (without the double quotes) and then trying
> to create a pairing with a bluez box will override the decision of the
> pin helper and always set 42 as the PIN.
>
> PS: Thanks to roh and Sascha from the CCC Berlin.
thanks for catching this problem. Do you have a fix for it?
Regards
Marcel
-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Bluez-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bluez-devel