PT-2009-2916 · Microsoft · Windows Mobile

Alberto Moreno Tablado · Published 2009-01-21 · Updated 2024-01-26 · CVE-2009-0244

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Windows Mobile 5.0 for Pocket PC, Windows Mobile 5.0 for Pocket PC Phone Edition, and Windows Mobile 6 Professional.
Description: A directory traversal issue in the OBEX FTP Service of the Microsoft Bluetooth stack allows remote authenticated users to list arbitrary directories and to create or read arbitrary files via a .. (dot dot) sequence in a pathname. This can be leveraged for code execution by writing a file into a Startup folder.
Recommendations: For Windows Mobile 5.0 for Pocket PC and 5.0 for Pocket PC Phone Edition, restrict access to the OBEX FTP Service to minimize the risk of exploitation. For Windows Mobile 6 Professional, consider disabling the OBEX FTP Service until a patch is available. Avoid using the .. (dot dot) sequence in pathnames for the OBEX FTP Service until the issue is resolved.

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2009-0244

Affected Products: Bluetooth, Windows Mobile