[Bluez-devel] Possible security vulnerability in hcid when calling pin helper

[Bluez-devel] Possible security vulnerability in hcid when calling pin helper

[Henryk Plötz]

[-- Attachment #1: Type: text/plain, Size: 2342 bytes --]

Moin,

(I'm using a Gentoo Linux box with kernel 2.6.12.1, hcid 2.18 and
kbluepin from kbluetoothd 0.99-beta1; although the problem seems 
to still exist in current CVS hcid and should be independent of 
the pin helper used.)

I just stumbled upon a bug in hcid that can possibly be used as a
security vulnerability: In hcid/security.c (around line 335 in current
CVS) the device name from the remote device is copied straight into the
command line that is used to call the pin helper, only surrounded by a
pair of single quotes with _no_ _escaping_ done:

| read_device_name(sba, &ci->bdaddr, name);
| //hci_remote_name(dev, &ci->bdaddr, sizeof(name), name, 0);
|
| ba2str(&ci->bdaddr, addr);
| snprintf(str, sizeof(str), "%s %s %s \'%s\'", hcid.pin_helper,
|                                 ci->out ? "out" : "in", addr, name);

At the very least this leads to failures when the remote device uses
single quotes in its name. E.g. something like "Henryk's Phone" (without 
the double quotes) will give 

Aug  5 03:41:03 gleam hcid[24398]: PIN helper exited abnormally with code 512

in the syslog and 

sh: -c: line 0: unexpected EOF while looking for matching `''
sh: -c: line 1: syntax error: unexpected end of file

at stderr when running hcid -n (this is how I originally found the 
problem).

However, something more creative like "';touch '/tmp/foo23" (again 
without the double quotes) will actually execute a program on the 
attacked box (and create a file /tmp/foo23 in this case). For 
reference: in strace this looks like this:

execve("/bin/sh", ["sh", "-c", "/usr/lib/kdebluetooth/kbluepin out 00:0E:ED:00:23:42 \'\';touch \'/tmp/foo23\'"], [/* 62 vars */]) = 0

(note that the conversion from ' to \' was done by strace)

Using this vulnerability one can also create pairings without approval
of the user: Setting the bluetooth device name to something like
"'>/dev/null&echo 'PIN:42" (without the double quotes) and then trying 
to create a pairing with a bluez box will override the decision of the 
pin helper and always set 42 as the PIN.

PS: Thanks to roh and Sascha from the CCC Berlin.
-- 
Henryk Plötz
Grüße aus Berlin
~~~~~~~ Un-CDs, nein danke! http://www.heise.de/ct/cd-register/ ~~~~~~~
~ Help Microsoft fight software piracy: Give Linux to a friend today! ~

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [Bluez-devel] Possible security vulnerability in hcid when calling pin helper

[Marcel Holtmann]

Hi Henryk,

> (I'm using a Gentoo Linux box with kernel 2.6.12.1, hcid 2.18 and
> kbluepin from kbluetoothd 0.99-beta1; although the problem seems 
> to still exist in current CVS hcid and should be independent of 
> the pin helper used.)
> 
> I just stumbled upon a bug in hcid that can possibly be used as a
> security vulnerability: In hcid/security.c (around line 335 in current
> CVS) the device name from the remote device is copied straight into the
> command line that is used to call the pin helper, only surrounded by a
> pair of single quotes with _no_ _escaping_ done:
> 
> | read_device_name(sba, &ci->bdaddr, name);
> | //hci_remote_name(dev, &ci->bdaddr, sizeof(name), name, 0);
> |
> | ba2str(&ci->bdaddr, addr);
> | snprintf(str, sizeof(str), "%s %s %s \'%s\'", hcid.pin_helper,
> |                                 ci->out ? "out" : "in", addr, name);
> 
> At the very least this leads to failures when the remote device uses
> single quotes in its name. E.g. something like "Henryk's Phone" (without 
> the double quotes) will give 
> 
> Aug  5 03:41:03 gleam hcid[24398]: PIN helper exited abnormally with code 512
> 
> in the syslog and 
> 
> sh: -c: line 0: unexpected EOF while looking for matching `''
> sh: -c: line 1: syntax error: unexpected end of file
> 
> at stderr when running hcid -n (this is how I originally found the 
> problem).
> 
> However, something more creative like "';touch '/tmp/foo23" (again 
> without the double quotes) will actually execute a program on the 
> attacked box (and create a file /tmp/foo23 in this case). For 
> reference: in strace this looks like this:
> 
> execve("/bin/sh", ["sh", "-c", "/usr/lib/kdebluetooth/kbluepin out 00:0E:ED:00:23:42 \'\';touch \'/tmp/foo23\'"], [/* 62 vars */]) = 0
> 
> (note that the conversion from ' to \' was done by strace)
> 
> Using this vulnerability one can also create pairings without approval
> of the user: Setting the bluetooth device name to something like
> "'>/dev/null&echo 'PIN:42" (without the double quotes) and then trying 
> to create a pairing with a bluez box will override the decision of the 
> pin helper and always set 42 as the PIN.
> 
> PS: Thanks to roh and Sascha from the CCC Berlin.

thanks for catching this problem. Do you have a fix for it?

Regards

Marcel




-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

Re: [Bluez-devel] Possible security vulnerability in hcid when calling pin helper

[Henryk Plötz]

[-- Attachment #1.1: Type: text/plain, Size: 781 bytes --]

Moin,

Am Fri, 05 Aug 2005 05:16:34 +0200 schrieb Marcel Holtmann:

> thanks for catching this problem. Do you have a fix for it?

Now I have, I think. Doing string escaping in C is really awkward, but
this patch should prefix all occurences of ", \, $ or ` in the name with
an \, and will also change the enclosing single quotes to double quotes
(because no escaping is possible in single quotes). There would also be
an alternative way to fix it: remove the popen() and instead do a
pipe()/fork()/dup2()/execv() combination. That should be more clean, but
likely more complicated.

-- 
Henryk Plötz
Grüße aus Berlin
~~~~~~~ Un-CDs, nein danke! http://www.heise.de/ct/cd-register/ ~~~~~~~
~ Help Microsoft fight software piracy: Give Linux to a friend today! ~

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: callpinhelper.patch --]
[-- Type: text/x-patch; name="callpinhelper.patch", Size: 1249 bytes --]

--- security.c.orig	2005-08-05 05:34:15.000000000 +0200
+++ security.c	2005-08-05 06:18:14.000000000 +0200
@@ -306,7 +306,7 @@ static void call_pin_helper(int dev, bda
 {
 	pin_code_reply_cp pr;
 	struct sigaction sa;
-	char addr[18], str[255], *pin, name[249];
+	char addr[18], str[255], *pin, name[249], escapename[498];
 	FILE *pipe;
 	int ret, len;
 
@@ -331,9 +331,28 @@ static void call_pin_helper(int dev, bda
 	read_device_name(sba, &ci->bdaddr, name);
 	//hci_remote_name(dev, &ci->bdaddr, sizeof(name), name, 0);
 
+	/* Escape special chars from the remote name */
+	{
+		char *src = name, *dest = escapename, 
+		    *end = name + sizeof(name) - 1;
+		while (src < end && *src != 0) {
+			switch(*src) {
+				case '\"': /* fall-through */
+				case '$':
+				case '`':
+				case '\\': 
+					*dest++ = '\\';
+				default:
+					*dest++ = *src++;
+	    		}
+		}
+		*dest = 0;
+	}
+
 	ba2str(&ci->bdaddr, addr);
-	snprintf(str, sizeof(str), "%s %s %s \'%s\'", hcid.pin_helper,
-					ci->out ? "out" : "in", addr, name);
+	snprintf(str, sizeof(str), "%s %s %s \"%s\"", hcid.pin_helper,
+					ci->out ? "out" : "in", addr, 
+					escapename);
 
 	setenv("PATH", "/bin:/usr/bin:/usr/local/bin", 1);
 

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [Bluez-devel] Possible security vulnerability in hcid when calling pin helper

[Marcel Holtmann]

Hi Henryk,

> > thanks for catching this problem. Do you have a fix for it?
> 
> Now I have, I think. Doing string escaping in C is really awkward, but
> this patch should prefix all occurences of ", \, $ or ` in the name with
> an \, and will also change the enclosing single quotes to double quotes
> (because no escaping is possible in single quotes). There would also be
> an alternative way to fix it: remove the popen() and instead do a
> pipe()/fork()/dup2()/execv() combination. That should be more clean, but
> likely more complicated.

the final patch looks a little bit different, but it is now fixed in the
CVS tree. Thanks.

Regards

Marcel




-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

Re: [Bluez-devel] Possible security vulnerability in hcid when calling pin helper

[Steven Singer]

Marcel Holtmann wrote:
> Henryk Plötz wrote:
>> I just stumbled upon a bug in hcid that can possibly be used as a
>> security vulnerability: ...
> thanks for catching this problem. Do you have a fix for it?

On behalf of everyone at Unplugfest with whom you've been doing security
testing, I'd just like to say, using my best impression of Nelson Muntz
from The Simpsons, "Ha Ha!".

:-)

	- Steven
-- 


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

**********************************************************************



-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel

Re: [Bluez-devel] Possible security vulnerability in hcid when calling pin helper

[Marcel Holtmann]

Hi Steven,

> >> I just stumbled upon a bug in hcid that can possibly be used as a
> >> security vulnerability: ...
> > thanks for catching this problem. Do you have a fix for it?
> 
> On behalf of everyone at Unplugfest with whom you've been doing security
> testing, I'd just like to say, using my best impression of Nelson Muntz
> from The Simpsons, "Ha Ha!".
> 
> :-)

what should I say? Sh* happens. I am still afraid of that day when I
have to hack into BlueZ. And this day will come ;)

Regards

Marcel




-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel