lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <43E77FB7.5080200@infratech.fr>
Date: Mon Feb  6 17:23:10 2006
From: research at infratech.fr (Research Infratech)
Subject: [ Secuobs - Advisory ] Bluetooth : DoS on
	Sony/Ericsson cell phones

[Software affected] Bluetooth Stack on Sony/Ericsson cell phones

[Version] Sony/Ericsson K600i, V600i, W800i, T68i and certainly other models

[Impact] Bluetooth Stack Denial of Service (may be more - may be a rootkit :) - Phone DoS (reboot or shutdown) - White screen bug (freeze sleeping)

[Credits] Pierre Betouin - pierre.betouin@...ratech.fr -  Bug found with BSS v0.6 GPL fuzzer (Bluetooh Stack Smasher) 

BSS could be downloaded on  http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor] notified now

[Original advisory]

http://www.secuobs.com/news/05022006-bluetooth7.shtml#english
http://www.secuobs.com/news/05022006-bluetooth7.shtml#french

[PoC] download it on http://www.secuobs.com/news/05022006-bluetooth6.shtml

[PoC usage]

# ./reset_display_sonyericsson 00:12:EE:XX:XX:XX

[Details]

A short raw L2CAP packet such as :

08 01 01 00

It represents the following L2CAP header fields :

code L2CAP_ECHO_REQ;
ident 1
length 1

The "real" packet sent is, in fact, 4 bytes long.

The DoS can be triggered when the length sent in the L2CAP field is equal to the real length minus 3 (which is the size of the L2CAP header here).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ