From: "Henryk Plötz" <henryk@ploetzli.ch>
To: bluez-devel@lists.sourceforge.net
Subject: [Bluez-devel] Possible security vulnerability in hcid when calling pin helper
Date: Fri, 5 Aug 2005 05:09:32 +0200
Message-ID: <20050805050932.3111586d.henryk@ploetzli.ch>
Moin,
(I'm using a Gentoo Linux box with kernel 2.6.12.1, hcid 2.18 and
kbluepin from kbluetoothd 0.99-beta1; although the problem seems
to still exist in current CVS hcid and should be independent of
the pin helper used.)
I just stumbled upon a bug in hcid that can possibly be used as a
security vulnerability: In hcid/security.c (around line 335 in current
CVS) the device name from the remote device is copied straight into the
command line that is used to call the pin helper, only surrounded by a
pair of single quotes with _no_ _escaping_ done:
| read_device_name(sba, &ci->bdaddr, name);
| //hci_remote_name(dev, &ci->bdaddr, sizeof(name), name, 0);
|
| ba2str(&ci->bdaddr, addr);
| snprintf(str, sizeof(str), "%s %s %s \'%s\'", hcid.pin_helper,
|          ci->out ? "out" : "in", addr, name);
At the very least this leads to failures when the remote device uses
single quotes in its name. E.g. something like "Henryk's Phone" (without
the double quotes) will give
Aug 5 03:41:03 gleam hcid[24398]: PIN helper exited abnormally with code 512
in the syslog and
sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file
at stderr when running hcid -n (this is how I originally found the
problem).
However, something more creative like "';touch '/tmp/foo23" (again
without the double quotes) will actually execute a program on the
attacked box (and create a file /tmp/foo23 in this case). For
reference: in strace this looks like this:
execve("/bin/sh", ["sh", "-c", "/usr/lib/kdebluetooth/kbluepin out 00:0E:ED:00:23:42 \'\';touch \'/tmp/foo23\'"], [/* 62 vars */]) = 0
(note that the conversion from ' to \' was done by strace)
Using this vulnerability one can also create pairings without approval
of the user: Setting the bluetooth device name to something like
"'>/dev/null&echo 'PIN:42" (without the double quotes) and then trying
to create a pairing with a bluez box will override the decision of the
pin helper and always set 42 as the PIN.
PS: Thanks to roh and Sascha from the CCC Berlin.
--
Henryk Plötz
Grüße aus Berlin
~~~~~~~ Un-CDs, nein danke! http://www.heise.de/ct/cd-register/ ~~~~~~~
~ Help Microsoft fight software piracy: Give Linux to a friend today! ~
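The root cause described in the report is that hcid hands the remote device name to `/bin/sh -c` inside a formatted string, so quoting in the name becomes shell syntax. The following is an added example (not hcid's code and not from the report) of the defensive alternative: invoke the PIN helper with fork()+execv() so the name travels as its own argv element and the shell never sees it, then accept only a well-formed "PIN:" reply. The helper path `/bin/echo` is a stand-in used only to show what the helper receives; the address is the one from the report's strace line and `name_arrives_verbatim` is a self-check name chosen here.

```c
/*
 * Added example (not hcid's code): call a PIN helper without going through
 * /bin/sh, so the remote device name is delivered as a single argv element
 * and shell metacharacters in it have no effect.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Address taken from the strace line in the report; any value works here. */
#define DEMO_ADDR "00:0E:ED:00:23:42"

/*
 * Run `helper <in|out> <addr> <name>` via fork()+execv() and capture the
 * helper's stdout into buf. Returns the number of bytes read, or -1 on
 * error or non-zero helper exit. No shell is involved: name is argv[3],
 * verbatim, whatever quotes or semicolons it contains.
 */
ssize_t run_pin_helper(const char *helper, int out, const char *addr,
                       const char *name, char *buf, size_t bufsz)
{
    int pfd[2];
    if (pipe(pfd) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    if (pid == 0) {
        /* child: route stdout into the pipe, then exec the helper directly */
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]);
        close(pfd[1]);
        char *argv[] = { (char *)helper, out ? "out" : "in",
                         (char *)addr, (char *)name, NULL };
        execv(helper, argv);
        _exit(127);                       /* exec failed */
    }
    close(pfd[1]);

    size_t total = 0;
    ssize_t n;
    while (total < bufsz - 1 &&
           (n = read(pfd[0], buf + total, bufsz - 1 - total)) > 0)
        total += (size_t)n;
    buf[total] = '\0';
    close(pfd[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (ssize_t)total;
}

/*
 * Accept only "PIN:<1..16 printable non-space chars>", optionally
 * newline-terminated (Bluetooth PINs are at most 16 bytes).
 * Returns 0 and fills pin on success, -1 otherwise.
 */
int parse_pin_reply(const char *reply, char *pin, size_t pinsz)
{
    if (strncmp(reply, "PIN:", 4) != 0)
        return -1;
    const char *p = reply + 4;
    size_t len = strcspn(p, "\r\n");
    if (len == 0 || len > 16 || len >= pinsz)
        return -1;
    for (size_t i = 0; i < len; i++)
        if (p[i] < 0x21 || p[i] > 0x7e)
            return -1;
    memcpy(pin, p, len);
    pin[len] = '\0';
    return 0;
}

/*
 * Self-check: run /bin/echo as a stand-in helper and confirm the device
 * name comes back as one untouched argument. Returns 1 if so, 0 otherwise.
 */
int name_arrives_verbatim(const char *name)
{
    char buf[512], expect[512];
    snprintf(expect, sizeof expect, "out %s %s\n", DEMO_ADDR, name);
    if (run_pin_helper("/bin/echo", 1, DEMO_ADDR, name, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

int main(void)
{
    /* The two names from the report: both are inert once no shell parses them. */
    const char *names[] = { "Henryk's Phone", "';touch '/tmp/foo23" };
    for (size_t i = 0; i < 2; i++)
        printf("%-24s -> %s\n", names[i],
               name_arrives_verbatim(names[i]) ? "passed verbatim" : "MISMATCH");
    return 0;
}
```

With the name passed as a separate argv element, the failing case from the syslog ("Henryk's Phone") and the injected name both reach the helper as plain data, and the "PIN:42" override only works if the helper itself chooses to print it. Parsing the reply strictly also rejects helper output that is not a PIN at all, which is what a daemon should do with anything it gets back from a child.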