
MA-177.072009: MyCERT Alert - 0day in HTC (Windows Mobile) OBEX FTP Service - Directory Traversal

1.0 Introduction

A critical vulnerability has been identified in HTC devices running Windows Mobile 6 and Windows Mobile 6.1. Exploiting this vulnerability allows a remote authenticated attacker to list arbitrary directories and read or write arbitrary files. An attacker could leverage this bug for code execution by writing to the Startup folder.

2.0 Impact

By exploiting this vulnerability, an attacker who has already been authenticated and authorized over Bluetooth (i.e. a paired device) can perform three risky actions on the device:

  • Browse directories located out of the limits of the default shared folder
  • Download files without permission
  • Upload malicious files

Executing malicious code is also possible by writing a startup script or uploading a malicious file to the Startup folder.
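The root cause behind the three actions above is an OBEX FTP service that trusts a client-supplied path instead of confining it to the shared folder. As an added illustration (not code from the advisory, from HTC, or from any real OBEX stack), the following Python contrasts a naive resolver with a confined one. The shared root "/My Documents", the request paths, the forward-slash normalisation of backslashes, and the audit log format are all constructed assumptions for the example.

```python
import posixpath

# Hypothetical shared root standing in for the device's default OBEX share.
SHARED_ROOT = "/My Documents"


def naive_resolve(root, client_path):
    """Vulnerable pattern: concatenate the client path onto the share root.

    Nothing stops '..' components, so the filesystem later resolves the
    result outside the share. This is the behaviour the advisory describes.
    """
    return root.rstrip("/") + "/" + client_path


def safe_resolve(root, client_path):
    """Return the canonical path inside root, or None if the request escapes.

    Assumption: the device accepts both '\\' and '/' as separators, so both
    are normalised before canonicalisation.
    """
    normalized = client_path.replace("\\", "/")
    # Absolute paths from the client would bypass the share entirely.
    if normalized.startswith("/"):
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, normalized))
    # Compare with a trailing separator so '/My Documents2' does not match.
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


def handle_requests(requests, root=SHARED_ROOT):
    """Apply the confinement check to (operation, path) pairs.

    Returns a list of audit entries; denied requests are the ones a
    defender would want surfaced in device or gateway logs.
    """
    audit = []
    for operation, client_path in requests:
        resolved = safe_resolve(root, client_path)
        if resolved is None:
            audit.append(("DENY", operation, client_path))
        else:
            audit.append(("ALLOW", operation, resolved))
    return audit


if __name__ == "__main__":
    # Constructed sample session: one legitimate request, two traversal attempts.
    sample = [
        ("GET", "photos/holiday.jpg"),
        ("PUT", "..\\..\\Windows\\StartUp\\run.lnk"),
        ("LIST", "../"),
    ]
    for entry in handle_requests(sample):
        print(*entry)
```

The naive version is what makes the Startup-folder write possible: once "..\\..\\Windows\\StartUp" is accepted, the upload lands wherever the filesystem resolves it. The confined version canonicalises first and then checks containment with a trailing separator, which is the check a patched service would need to apply to every GET, PUT and SetPath request, not only to uploads.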

3.0 Affected Products

The following HTC devices are affected by this vulnerability:

  • HTC devices running Windows Mobile 6 Professional
  • HTC devices running Windows Mobile 6 Standard
  • HTC devices running Windows Mobile 6.1 Professional
  • HTC devices running Windows Mobile 6.1 Standard

However, HTC devices running Windows Mobile 5.0 are not affected because the OBEX FTP service is not implemented in that OS version.

4.0 Recommendation

Because this is a 0day exploit, HTC has not yet released a patch for this vulnerability. Until one is available, users are advised not to accept pairing or connection requests from unknown sources. It is also good practice to remove old entries from the paired-devices list once they are no longer in use.

Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor.

MyCERT can be reached at:

E-mail : cyber999@cybersecurity.my or mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References


Copyright © 2009 - CyberSecurity Malaysia