Windows Mobile Bluetooth Security Vulnerability

By zhaoz at 1:18 am on January 30, 2009 | 2 Comments

A recently discovered vulnerability in the Windows Mobile Bluetooth server allows access to all files on the device. It is a simple directory traversal problem: a path containing “../” or “..\\” is accepted as-is, so a client can step outside the directory the server is meant to expose. Users of Windows Mobile 6 with the Bluetooth OBEX-FTP server enabled are vulnerable, and most Windows Mobile 6 devices ship with the default stack.
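To make the traversal issue concrete from the server's side, here is an added example (not code from the post or from Microsoft's OBEX implementation) that contrasts the weak pattern, joining the client-supplied path onto the server root with no check, with a hardened resolver that normalizes both separator styles, rejects absolute paths, canonicalizes the result and verifies it still sits under the root. The root path, the file names and the request strings are constructed for the example; the real OBEX-FTP root on the device is not stated on the page.

```python
import posixpath

# Constructed sandbox root for the example (the device's actual OBEX-FTP root is an assumption).
OBEX_ROOT = "/device/obex_root"


def _unify_separators(requested):
    """OBEX clients may send either '/' or '\\'; treat both as separators."""
    return requested.replace("\\", "/")


def contains_traversal(requested):
    """Detection helper: True if any path segment is '..', whichever separator was used.
    Useful for flagging suspicious requests in server logs."""
    return any(seg == ".." for seg in _unify_separators(requested).split("/"))


def naive_resolve(root, requested):
    """The weak pattern: concatenate root and client path and let '..' take effect.
    A request such as '../../Windows/x' escapes the root."""
    return posixpath.normpath(posixpath.join(root, _unify_separators(requested)))


def safe_resolve(root, requested):
    """Hardened variant. Raises ValueError for any request that would leave the root."""
    unified = _unify_separators(requested)
    # Reject absolute paths and drive-letter paths outright ("/x", "C:/x").
    if unified.startswith("/") or (len(unified) > 1 and unified[1] == ":"):
        raise ValueError("absolute path not allowed")
    root_norm = posixpath.normpath(root)
    # Canonicalize, then check the result is the root itself or strictly under it.
    candidate = posixpath.normpath(posixpath.join(root_norm, unified))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise ValueError("path escapes OBEX root")
    return candidate


if __name__ == "__main__":
    # Constructed requests: one benign, one that still stays inside the root, two traversal attempts.
    for req in ["Photos/a.jpg", "Photos/../b.jpg", "../../Windows/x.txt", "..\\..\\Windows\\x.txt"]:
        try:
            print(req, "->", safe_resolve(OBEX_ROOT, req), "(naive:", naive_resolve(OBEX_ROOT, req) + ")")
        except ValueError as err:
            print(req, "-> rejected:", err, "(naive:", naive_resolve(OBEX_ROOT, req) + ")")
```

The check is done on the canonicalized result rather than by scanning for the literal string "..", so a request like `Photos/../b.jpg` that never leaves the root is still served, while any mix of separators or extra dots that resolves above the root is refused.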

Windows Mobile 6 is the current generation of Windows Mobile produced by Microsoft.

This is a fairly serious vulnerability, since an attacker could copy files from, or upload arbitrary files to, any directory on the device. Possible avenues include viruses, loggers, and trojans. However, the issue is mitigated by the fact that (as with most Bluetooth devices) the device must be paired before any communication can take place, which usually requires the owner's consent.

Since parent-directory traversal issues are well known and guarded against in almost any server (e.g. web servers), it is surprising that such a vulnerability was able to pass through testing. Although the owner must consent to any pairing, the owner is unlikely to intend that pairing to grant arbitrary access to all files on his device. A security review should have found this issue, since file servers and directory traversal tend to go hand in hand.

Hopefully, this vulnerability will be addressed soon and give Microsoft enough of a kick to look into any other vulnerabilities the Windows Mobile 6 platform may have. This is not the only security issue to have been found in the Bluetooth stack: a denial of service vulnerability was found in the way Bluetooth device names were advertised, allowing attackers to reboot the device remotely.

(Source..)


2 Comments

  • 1

    Comment by Kevin Wallace

    January 30, 2009 @ 10:40 am

    I find it interesting that a good number of places are reporting this as a vulnerability in Bluetooth itself, rather than in Windows Mobile’s OBEX implementation.

  • 2

    Comment by Prakash

    January 30, 2009 @ 9:38 pm

    Is there any software to protect my cell phone?
    If yes, please reply.
