Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] [ Secuobs - Advisory ] Bluetooth : DoS on Sony/Ericsson cell

from [Research Infratech] Network Security [Permanent Link]
Subject: [VulnWatch] [ Secuobs - Advisory ] Bluetooth : DoS on Sony/Ericsson cell phones
Date: Tue, 07 Feb 2006 03:54:26 +0100 
[Software affected] Bluetooth Stack on Sony/Ericsson cell phones

[Version] Sony/Ericsson K600i, V600i, W800i, T68i and certainly other models

[Impact] Bluetooth Stack Denial of Service (may be more - may be a rootkit :) - 
Phone DoS (reboot or shutdown) - White screen bug (freeze sleeping)

[Credits] Pierre Betouin - pierre.betouin@infratech.fr -  Bug found with BSS 
v0.6 GPL fuzzer (Bluetooh Stack Smasher) 

BSS could be downloaded on  
http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor] notified now

[Original advisory]

http://www.secuobs.com/news/05022006-bluetooth7.shtml#english
http://www.secuobs.com/news/05022006-bluetooth7.shtml#french

[PoC] download it on http://www.secuobs.com/news/05022006-bluetooth6.shtml

[PoC usage]

# ./reset_display_sonyericsson 00:12:EE:XX:XX:XX

[Details]

A short raw L2CAP packet such as :

08 01 01 00

It represents the following L2CAP header fields :

code L2CAP_ECHO_REQ;
ident 1
length 1

The "real" packet sent is, in fact, 4 bytes long.

The DoS can be triggered when the length sent in the L2CAP field is equal to 
the real length minus 3 (which is the size of the L2CAP header here).
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] [ Secuobs - Advisory ] Bluetooth : DoS on Sony/Ericsson cell phones, Research Infratech <=
Previous by Date:  High Risk Vulnerability in Lexmark Printer Sharing Service, NGSSoftware Insight Security Research
Next by Date:  [VulnWatch] [ Secuobs - Advisory ] Bluetooth : DoS on hcidump 1.29 + PoC, Research Infratech
Previous by Thread:  High Risk Vulnerability in Lexmark Printer Sharing Service, NGSSoftware Insight Security Research
Next by Thread:  [VulnWatch] [ Secuobs - Advisory ] Bluetooth : DoS on hcidump 1.29 + PoC, Research Infratech
Indexes:  [Date] [Thread] [Top] [All Lists]