HTC refuses to fix Bluetooth FTP vulnerability

HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and write or read arbitrary files, via a ../ in a pathname. This can be leveraged for code execution by writing to a Startup folder. We wrote about this vulnerability in January this year, but since then HTC has done nothing to fix it.

The vulnerability is in a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability only affects HTC devices specifically. HTC devices running Windows Mobile 5.0 are not affected because the OBEX FTP service is not implemented in that OS version. Other vendors of Windows Mobile devices such as ASUS, Samsung, LG are not affected.

The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing up with the remote device should be enough to get it; however, more sophisticated attacks, such as sniffing the Bluetooth pairing, linkkey cracking and BD_ADDR address spoofing, can be used in order to avoid this. Devices must have Bluetooth enabled and File Sharing over Bluetooth service active when the attack is performed. In case the attacker succeeded in getting the proper privileges, further actions will be transparent to the user.

A remote attacker who previously owned authentication and authorization rights over Bluetooth can perform three risky actions on the device:

1) Browse directories located out of the limits of the default shared folder

An attacker can discover the structure of the file system and access to any directory within it, including:
– The flash hard drive
– The external storage card
– The internal mass storage memory, included in specific HTC devices

2) Download files without permission

An attacker can download sensitive files located anywhere in the file system, such as:
– personal pictures and documents located in \My Documents or any other directory
– Contacts, Calendar & Tasks information located in \PIM.vol
– Temporary internet cache and cookies located in \Windows\Profiles\guest\
– emails located in \Windows\Messaging

3) Upload malicious files

An attacker can replace third party or system executable files with malicious files as well as upload trojans to any place in the filesystem, such as \Windows\Startup and, therefore, shall be executed the next time Windows Mobile boots.

You can find a list of tested HTC devices proved to be vulnerable are available here.

The vulnerability was first disclosed on 2009/01/19 as a whole Microsoft Bluetooth Stack issue in Windows Mobile 6 Professional. Subsequent tests proved that several Windows Mobile 6 Standard and Windows Mobile 6.1 Professional devices were also vulnerable. Microsoft was contacted on 2009/01/22 and this information was not made public because last mobile phones manufactured were vulnerable.

Further investigations proved that the issue is in a 3rd party driver installed by HTC, this vulnerability only affects to HTC devices and other vendors Windows Mobile devices are not affected.

HTC Europe has been contacted since 2009/02/09 and provided with all the details concerning on the exploitation of the flaw. However, no patches are known to be released for this security flaw.

This vulnerability is a zero-day threat. This means that all devices shipped up to date (July 2009) may be vulnerable.

Mitigation by users would be not to accept pairing nor connection requests from unknown sources and delete old entries in the paired devices list.

Read more at Packetstormsecurity here.