HTC / Windows Mobile OBEX FTP Service Directory Traversal Vulnerability

Title: HTC / Windows Mobile OBEX FTP Service Directory Traversal
Author: Alberto Moreno Tablado
Vendor: HTC
Vulnerable Products:
     · HTC devices running Windows Mobile 6
     · HTC devices running Windows Mobile 6.1
Non vulnerable products:
     · HTC devices running Windows Mobile 5.0
     · Other vendors’ Windows Mobile devices

References:
     · CVE: CVE-2009-0244
     · Bugtraq ID: 33359
     · Secunia: SA33598
     · SecurityReason: 4938
     · XF: htc-obexftp-directory-traversal (48124)


Summary



HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and write or read arbitrary files, via a ../ in a pathname. This can be leveraged for code execution by writing to a Startup folder.


Description



Presently most Windows Mobile phones are shipped with a Bluetooth stack, which provides Bluetooth communications with other remote devices. Among all the Bluetooth services that may be implemented in the stack, File Transfer Profile (OBEX FTP) is the most common service.




The OBEX FTP Service

The OBEX FTP service can be used to share files over the Bluetooth wireless communications protocol. This service can be used for sending files from the phone to other remote devices but also allows remote devices to browse shared folders and download files from the phone.






Usually, the FTP service is configured so that one specific directory is shared, and the user places the files to be shared there. The default directory is My Device\My Documents\Bluetooth Share (in the English edition) or My Device\My Documents\Compartimiento de Bluetooth (in the Spanish edition). A different directory may be selected; however, the user is not allowed to choose any directory of the file system outside the My Device\My Documents\ or Memory Card\My Documents\ paths. This is a safety restriction, so that users cannot expose sensitive files over Bluetooth.




The OBEX FTP Service Directory Traversal vulnerability

There is a Directory Traversal vulnerability in the OBEX FTP Service of the Bluetooth stack implemented in HTC devices running Windows Mobile 6 and Windows Mobile 6.1. The OBEX FTP server is located in \Windows\obexfile.dll. Microsoft states this is a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability affects only this vendor's devices.

A remote attacker (who has previously obtained authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls from a Linux box to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ sequences in the requested path.




Requirements to exploit the vulnerability

The only requirement is that the attacker must hold authentication and authorization privileges over Bluetooth. Pairing with the remote device should be enough to obtain them; however, more sophisticated attacks, such as sniffing the Bluetooth pairing, link key cracking and MAC address spoofing, can be used to avoid the pairing step. Once the attacker has obtained the proper privileges, further actions are transparent to the user.

Devices must have Bluetooth enabled and File Sharing over Bluetooth service active when the attack is performed.




Scope of the attack

The Directory Traversal vulnerability allows the attacker to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ sequences. This flaw allows browsing folders located anywhere in the file system, downloading files from any folder, and uploading files to any folder.

A remote attacker who has previously obtained authentication and authorization rights over Bluetooth can perform three risky actions on the device:

1) Browse directories located outside the limits of the default shared folder

An attacker can discover the structure of the file system and access any directory within it, including:





Indeed, the file system can be browsed with the Nautilus file explorer...






2) Download files without permission

An attacker can download sensitive files located anywhere in the file system, such as:


3) Upload malicious files

An attacker can replace third party or system executable files with malicious files, as well as upload trojans to any place in the file system, such as \Windows\Startup, where they will be executed the next time Windows Mobile starts.
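The root cause described above is a server that applies client-supplied names to the file system without checking where the resolved path ends up. The following is an added example (not code from the advisory or from HTC's obexfile.dll) of the containment check a fixed OBEX FTP server should perform: it treats ../ and ..\\ alike, normalizes the requested name relative to the share root, and refuses anything that resolves outside it. It also enforces the configuration rule that a share may only live under the two My Documents roots named in this advisory. Paths are modelled in POSIX form with a leading slash; the share names and file names used are constructed for the example.

```python
import posixpath

# Constructed model of the advisory's configuration rule: a share may only be
# placed beneath one of these two roots (Windows Mobile paths in POSIX form).
ALLOWED_SHARE_ROOTS = ("/My Device/My Documents", "/Memory Card/My Documents")
DEFAULT_SHARE = "/My Device/My Documents/Bluetooth Share"


def _to_posix(path):
    """Treat '\\' exactly like '/', since the vulnerable server accepted both."""
    return "/" + path.replace("\\", "/").lstrip("/")


def _is_within(path, root):
    """True if `path` equals `root` or lies beneath it (both normalized)."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def validate_share_root(share_root):
    """Reject a share configured outside My Documents (the admin-side rule)."""
    root = posixpath.normpath(_to_posix(share_root))
    if not any(_is_within(root, allowed) for allowed in ALLOWED_SHARE_ROOTS):
        raise ValueError("share root outside My Documents: %r" % share_root)
    return root


def resolve_obex_path(requested, share_root=DEFAULT_SHARE):
    """Map a client-supplied OBEX name onto the file system, refusing traversal.

    Returns the normalized absolute target, or raises PermissionError when the
    request would escape the share (e.g. '../../Windows/Startup/x.exe' or the
    same name written with backslashes). The check runs on the normalized
    path, so it sees the real target and not just the raw '..' tokens.
    """
    root = validate_share_root(share_root)
    # A client name is always relative to the share: strip any leading
    # separators so an "absolute" name cannot bypass the join below.
    rel = _to_posix(requested).lstrip("/")
    target = posixpath.normpath(posixpath.join(root, rel))
    if not _is_within(target, root):
        raise PermissionError("traversal outside share root: %r" % requested)
    return target


def is_request_allowed(requested, share_root=DEFAULT_SHARE):
    """Boolean form, convenient for logging a denied SETPATH/GET/PUT."""
    try:
        resolve_obex_path(requested, share_root)
        return True
    except PermissionError:
        return False
```

A denied request is also a useful detection signal: a paired device sending names containing `..` outside the share is exactly the behaviour this advisory describes, so logging `is_request_allowed` failures with the peer's Bluetooth address gives the user something to act on.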







About affected and non affected products



In order to confirm which HTC devices are affected by this vulnerability, several devices were tested and all of them proved to be vulnerable: HTC TOUCH FIND™, HTC TOUCH DIAMOND™, HTC TOUCH PRO™, HTC TOUCH CRUISE™, HTC S710, HTC S740 and many more.


Non affected products


HTC devices running Windows Mobile 5.0 are not affected because the OBEX FTP service is not implemented in that OS version.

HTC devices using the Widcomm Bluetooth stack instead of the Microsoft Bluetooth stack are not affected; presently this is only the HTC TOUCH PRO2™.

Other vendors’ Windows Mobile devices are not affected either: ASUS, Samsung, LG, ...


Vendor Status



The vulnerability was first disclosed on 2009/01/19 as a general Microsoft Bluetooth stack issue in Windows Mobile 6 Professional. Subsequent tests proved that several Windows Mobile 6 Standard and Windows Mobile 6.1 Professional devices were also vulnerable. Microsoft was contacted on 2009/01/22, and the information was not made public because the most recently manufactured mobile phones were vulnerable.

Further investigation proved that the issue lies in a 3rd party driver installed by HTC; this vulnerability therefore affects only HTC devices, and other vendors' Windows Mobile devices are not affected.

HTC Europe was contacted several times from 2009/02 until 2009/06. Throughout this period of time I attempted to collaborate with the vendor and provided all the details concerning the exploitation of the flaw. However, I failed to coordinate the disclosure of the advisory with the release of the hotfix, so finally I was forced to go public with all the previously undisclosed information.

Once the vulnerability had been announced, HTC began to release hotfixes.


Workaround



This vulnerability is published as a zero-day threat. This means that all devices shipped to date (July 2009) may be vulnerable.

The vendor, HTC, has issued security hotfixes for the following vulnerable products: Wait for proper vendor response and get the latest security updates here.

Do not accept pairing or connection requests from unknown sources. Delete old entries in the paired devices list.


HTC TOUCH DIAMOND™, HTC TOUCH FIND™, HTC TOUCH PRO™, HTC TOUCH HD™, HTC TOUCH CRUISE™, HTC TOUCH DUAL™, HTC ADVANTAGE™ and HTC TOUCH PRO2™ are trademarks of HTC Corporation (HTC).

© 2005 - 2009 Alberto Moreno Tablado