Monday, July 13, 2009

HTC / Windows Mobile OBEX FTP Service Directory Traversal Vulnerability Advisory

Title: HTC / Windows Mobile OBEX FTP Service Directory Traversal
Author: Alberto Moreno Tablado
Vendor: HTC
Vulnerable Products:
- HTC devices running Windows Mobile 6
- HTC devices running Windows Mobile 6.1
Non vulnerable products:
- HTC devices running Windows Mobile 5.0
- HTC devices running Windows Mobile 6.5
- Other vendors' Windows Mobile devices


HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. The service is located in a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability only affects to this vendor specifically.

The scope of the Directory Traversal vulnerability allows a remote attacker to traverse to parent directories out of the default Bluetooth shared folder by using ../ or ..\\ marks. This security flaw leads to browse folders located anywhere in the file system, download files contained in any folder as well as upload files to any folder, which may lead to code execution.

A remote attacker who previously owned authentication and authorization rights over Bluetooth can perform three risky actions on the device:

1) Browse directories located out of the limits of the default shared folder

The attacker can discover the structure of the file system and access to any directory within it, including:
- The flash hard drive
- The external storage card
- The internal mass storage memory, included in specific HTC devices

2) Download files without permission

The attacker can download sensitive files located anywhere in the file system, such as:
- personal pictures and documents located in \My Documents or any other directory
- Contacts, Calendar & Tasks information located in \PIM.vol
- Temporary internet cache and cookies located in \Windows\Profiles\guest
- emails located in \Windows\Messaging

3) Upload malicious files

The attacker can replace third party or system executable files with malicious files as well as upload trojans to any place in the filesystem, such as \Windows\Startup and, therefore, shall be executed the next time Windows Mobile inits.

The following HTC devices are affected by this vulnerability:
- HTC devices running Windows Mobile 6 Professional
- HTC devices running Windows Mobile 6 Standard
- HTC devices running Windows Mobile 6.1 Professional
- HTC devices running Windows Mobile 6.1 Standard

Here you can find a list of tested HTC devices proved to be vulnerable.

HTC devices running Windows Mobile 5.0 are not affected because the OBEX FTP service is not implemented in that OS version.

Other vendors' Windows Mobile devices are not affected either: ASUS, Samsung, LG, ...

Vendor Status

The vulnerability was first disclosed on 2009/01/19 as a whole Microsoft Bluetooth Stack issue in Windows Mobile 6 Professional. Subsequent tests proved that several Windows Mobile 6 Standard and Windows Mobile 6.1 Professional devices were also vulnerable. Microsoft was contacted on 2009/01/22 and this information was not made public because last mobile phones manufactured were vulnerable.

Further investigations proved that the issue is in a 3rd party driver installed by HTC, this vulnerability only affects to HTC devices and other vendors' Windows Mobile devices are not affected.

HTC Europe was contacted several times since 2009/02 until 2009/06. Through out this period of time I attempted to collaborate with the vendor and provided all the details concerning on the exploitation of the flaw. However, I failed to coordinate the disclosure of the advisory and the release of the hotfix so finally I was forced to go public with all the information undisclosed.

Having the vulnerability been announced HTC commenced to release hotfixes.

This vulnerability is a zero-day threat. This means that all devices shipped up to date (July 2009) may be vulnerable.

Read the full advisory here.


Anonymous said...

Let me be the first to thank you for your diligent work and using the proper channels of communication to expose this flaw. HTC's reluctance to address this with a fix left you with no option but to make this public and I think you made the right choice. I have followed your workaround suggestions and appreciate your time.

Alberto said...

I appreciate your comment very much. I wasn't sure if I was doing right when disclosing the information related to this security flaw, but I really tried to collaborate with HTC first. After five months of conversations I couldn't confirm HTC was working on the issue nor intending to release a security fix, therefore I thought of going public so all users of HTC products could be aware of the issue.

Thank you for your comment.

Anonymous said...

I would like to point out that this vulnerability does not exist in ALL HTC smartphones running Windows Mobile 6. Models that use the Widcomm Bluetooth Stack provided by Broadcom Corporation (such as the Touch Pro 2) do not contain this vulnerability.

Alberto said...

Thank you for your comment.

Honestly, I have just found out that there exist HTC phones with a different Bluetooth stack.

It's obvious I couldn't test ALL HTC devices commercialized, I just tested most of them and then suppose that others may be affected too. I tested HTC P3600i, HTC TOUCH FIND, HTC S710, HTC P3650, HTC TOUCH DIAMOND, HTC TOUCH PRO, HTC TOUCH CRUISE, HTC TOUCH CRUISE (09) and HTC S740.

If there exist HTC smartphones running Widcomm Bluetooth Stack these can only be the last shipped ones: HTC TOUCH PRO 2, HTC TOUCH DIAMOND 2 and/or HTC SNAP. The HTC TOUCH HD uses Microsoft Bluetooth Stack but does not have installed the OBEX FTP Service.

I will try to test these smartphones as soon as I have the chance and check whether these models use Microsoft/Widcomm Bluetooth Stack and do or do not contain this vulnerability. In that case, I'll publish an update on the advisory.

Please, if you know any other HTC smartphone using Widcomm Bluetooth Stack feel free to comment.

Thanks again.

Alberto said...

As far as it has been confirmed to me, only HTC TOUCH PRO 2 uses Widcomm Bluetooth Stack and therefore is not vulnerable. No further products.

Alberto said...

HTC TOUCH DIAMOND 2 is vulnerable. HTC released the security fix for this specific product.