SatScan
21st January 2009, 07:48 PM
Most Windows Mobile 5.0 & 6 devices are shipped with the Microsoft Bluetooth stack; only a few of them use others (like the Widcomm Bluetooth stack). Among all the Bluetooth services that may be implemented in the stack, OBEX FTP is the most common service.
OBEX FTP Bluetooth service (http://en.wikipedia.org/wiki/OBEX) can be used to share files through Bluetooth, not only by sending files but also by allowing remote devices to browse local shared folders and download files.
...
There exists a Directory Traversal vulnerability (http://en.wikipedia.org/wiki/Directory_traversal) in the OBEX FTP Service in Microsoft Bluetooth Stack implemented in Windows Mobile 5.0 & 6 devices. A remote attacker (who previously owned authentication and authorization rights) can use tools like ObexFTP (http://openobex.sourceforge.net/obexftp.html) or gnomevfs-ls to traverse to parent directories out of the default Bluetooth shared folder by using ../ or ..\\ marks. This means the attacker can browse folders located on a lower level, download files contained in those folders as well as upload files to those folders.
The only requirement is that the attacker must have authentication and authorization privileges over the OBEX FTP service. Pairing up with the remote Windows Mobile device should be enough to get it. In case the attacker succeeded in getting the proper privileges, further actions will be transparent to the user.
...
http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html
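The defect the advisory describes is a missing server-side confinement check: the OBEX FTP service accepts folder and file names containing `../` or `..\` and resolves them relative to the shared folder without verifying that the result still lies inside it. The following is an added example, written for this thread and not taken from the advisory, the Microsoft stack or any real OBEX implementation. It models, in Python, how a hardened OBEX FTP server can track a client's current folder and reject any SETPATH or GET whose canonical path would leave the shared root. The root path, folder names and the `ObexFolderSession` class are constructed for illustration; no files are touched.

```python
import posixpath

# Constructed shared-folder root for the example (not a real device path).
SHARED_ROOT = "/My Documents/Bluetooth"


def _normalize(name):
    """Treat both '/' and '\\' as directory separators, since a client may
    send either form in an OBEX name header."""
    return name.replace("\\", "/")


def resolve_shared_path(root, base, requested):
    """Resolve `requested` relative to `base` (an absolute folder already
    inside `root`) and return the canonical absolute path, or None if the
    canonical result escapes `root`.

    The check compares canonical paths, so '..' segments are collapsed
    before the comparison, and it requires a trailing separator so that a
    sibling folder with a longer name (e.g. root + '2') is not accepted
    as a prefix match.
    """
    root_norm = posixpath.normpath(root)
    rel = _normalize(requested).lstrip("/")          # names are always relative
    candidate = posixpath.normpath(posixpath.join(base, rel))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None                                  # would leave the shared root
    return candidate


class ObexFolderSession:
    """Per-client folder state for a hypothetical OBEX FTP server, confined
    to one shared root. Every navigation request is validated through
    resolve_shared_path(); the session's cwd can never point above root."""

    def __init__(self, root):
        self.root = posixpath.normpath(root)
        self.cwd = self.root

    def setpath(self, name="", backup=False):
        """Handle a SETPATH request. `backup` models the 'go up one level'
        flag; `name` is the optional folder name. Returns True on success,
        False if the request is refused."""
        target = self.cwd
        if backup:
            if target == self.root:
                return False                         # already at root; refuse to go above it
            target = posixpath.dirname(target)
        if name:
            target = resolve_shared_path(self.root, target, name)
            if target is None:
                return False                         # traversal attempt, e.g. '..' or '..\\..'
        self.cwd = target
        return True

    def path_for_get(self, name):
        """Resolve the file name of a GET request; None means refuse."""
        return resolve_shared_path(self.root, self.cwd, name)


if __name__ == "__main__":
    s = ObexFolderSession(SHARED_ROOT)
    print(s.setpath("Photos"), s.cwd)                 # allowed, stays inside root
    print(s.setpath(backup=True), s.cwd)              # back to root
    print(s.setpath(backup=True))                     # refused: cannot back up past root
    print(s.setpath(".."))                            # refused
    print(s.setpath("..\\..\\Windows"))               # refused
    print(s.path_for_get("../outlook.pst"))           # None: refused
    print(s.path_for_get("report.txt"))               # served from the shared root
```

The important design choice is that the decision is made on the canonicalized path after every `..` has been collapsed, not on a string search for `..` in the request, which would miss mixed separators and encoded variants and would also wrongly reject harmless names such as `Photos/../Docs`. A server that already has this check only needs to log refused requests (with the paired device identity) to give the device owner a detection signal for probing of this kind.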