Nice work KF. /str0ke
On 8/12/05, Adam Laurie <[EMAIL PROTECTED]> wrote:
> KF (lists) wrote:
> > Adam Laurie wrote:
> >>
> >> Excuse me? You are skipping over the only important bit of your
> >> "disclosure"!
> >
> > When did I claim this was a "disclosure"? This was simply some notes
> > that I have jotted down while messing around with bluetooth link keys. I
> > was not "disclosing" any new vulnerabilities, I am simply documenting
> > how things can be done after you have obtained a link key. I have not
> > seen any documentation on this anywhere so I figured I would create it.
>
> My apologies - I took the posting to "full-disclosure" too literally...
> You are right - background info is also useful for those that are
> starting to get into this (rich) field of research...
>
> > If I could get some valid non pseudo code to calculate e22 and e21 I
> > would gladly release some of my own. Apart from generic pseudo code I
> > haven't seen any. Maybe you would like to share yours with the rest of us?
>
> I do not have that code, but I know it exists...
>
> >> Apart from a $10,000 sniffer?
> >
> > Mine was only $1600, sounds like you got ripped off. =]
>
> Heh. No, mine cost me $0.00 :)
>
> >> Please explain - if you're "stealing" a key from a machine you're
> >> running hcid on, then you already own that key anyway, surely?
> >
> > Who said I was stealing it from the machine I am running hcid on?
> >
> > Which would in turn allow a remote attacker to run commands on the
> > machine running hcid.
> >
> > Maybe it would make you feel better if I said I took root on a linux box
> > that I did not own and stole the /etc/bluetooth/link_keys file.
> >
> > Or perhaps I stole /var/root/Library/Preferences/blued.plist off an OSX
> > machine.
> >
> > I could have even taken it from \HKLM\SOFTWARE\Widcomm\BtConfig\Devices\
> > on a windows box that I had previously broken into.
>
> Fair point. Leverage one vulnerability to exploit another, and you have
> a useful attack.
>
> >> You could try the "bdaddr" tool in the BlueZ package.
> >
> > Good info! Is that documented somewhere or is it like the Ericsson
> > opcode that was mysteriously left out of the documentation?
>
> AFAIK 'bdaddr -h' and the source are the only docs, but it works with
> all of the dongles I've tried it with (all CSR based). Check with Marcel
> for full capabilities, but I know it supports Ericsson, CSR and Zeevo.
>
> Once again, my apologies if I came across too critical - I really was
> looking at your post from the wrong angle...
>
> cheers,
> Adam
> --
> Adam Laurie                      Tel: +44 (0) 20 7605 7000
> The Bunker Secure Hosting Ltd.   Fax: +44 (0) 20 7605 7099
> Shepherds Building               http://www.thebunker.net
> Rockley Road
> London W14 0DA                   mailto:[EMAIL PROTECTED]
> UNITED KINGDOM                   PGP key on keyservers
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
