CVE-2009-0244

Directory traversal vulnerability in the OBEX FTP Service in the Microsoft Bluetooth stack in Windows Mobile 6 Professional, and probably Windows Mobile 5.0 for Pocket PC and 5.0 for Pocket PC Phone Edition, allows remote authenticated users to list arbitrary directories, and create or read arbitrary files, via a .. (dot dot) in a pathname. NOTE: this can be leveraged for code execution by writing to a Startup folder.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:microsoft:windows_mobile:5.0:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_mobile:5.0:*:pocket_pc:*:*:*:*:*
cpe:2.3:o:microsoft:windows_mobile:5.0:*:smartphone:*:*:*:*:*
cpe:2.3:o:microsoft:windows_mobile:6.0:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_mobile:6.0:*:pro:*:*:*:*:*
cpe:2.3:o:microsoft:windows_mobile:6.0:*:standard:*:*:*:*:*

History

26 Jan 2024, 17:53

Type Values Removed Values Added
References (MISC) http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html - Exploit (MISC) http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html - Broken Link, Exploit
References (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/48124 - (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/48124 - Third Party Advisory, VDB Entry
References (BID) http://www.securityfocus.com/bid/33359 - (BID) http://www.securityfocus.com/bid/33359 - Broken Link, Third Party Advisory, VDB Entry
References (SECUNIA) http://secunia.com/advisories/33598 - (SECUNIA) http://secunia.com/advisories/33598 - Broken Link
References (SREASON) http://securityreason.com/securityalert/4938 - (SREASON) http://securityreason.com/securityalert/4938 - Exploit
References (BUGTRAQ) http://www.securityfocus.com/archive/1/500199/100/0/threaded - (BUGTRAQ) http://www.securityfocus.com/archive/1/500199/100/0/threaded - Broken Link, Third Party Advisory, VDB Entry
CVSS v2 : 8.5
v3 : unknown
v2 : 8.5
v3 : 8.8

Information

Published : 2009-01-21 20:30

Updated : 2024-02-28 11:21


NVD link : CVE-2009-0244

Mitre link : CVE-2009-0244

CVE.ORG link : CVE-2009-0244


JSON object : View

Products Affected

microsoft

  • windows_mobile
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')