-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pentest Limited Security Advisory

Multiple vulnerabilities in Nokia phones.


Advisory Details
- ----------------

Title:                Multiple vulnerabilities in Nokia phones.
Announcement date:    9th February 2004
Advisory Reference:   ptl-2004-01
Product:              Nokia 6310i Mobile phone.
Vulnerability Type :  Buffer Overflow
Vendor-URL:           http://www.nokia.com/nokia/0,,133,00.html
Vendor-Status:        Vendor notified
Remotely Exploitable: Yes
Locally Exploitable:  N/A
Advisory URL:         http://www.pentest.co.uk/


Vulnerability Description
- -------------------------

The 6310i is a typical Nokia phone supporting both Bluetooth and
Infrared connectivity. Both of these connectivity methods support the
OBject EXchange (OBEX) protocol to transfer data to and from the phone.
By issuing various invalid OBEX message to the phone's protocol handler
it is possible to trigger one of several Denial of Service
vulnerabilities. This attack results in the phone resetting, terminating
any current operations. No device pairing is required therefore anyone
in range of the phone could initiate an attack.


Vulnerable Devices
- ------------------

The vulnerabilities were tested and confirmed on a Nokia 6310i.  Due to
the nature of the vulnerability it is suspected that similar Nokia
devices are also susceptible to malformed OBEX packets.

We have tested certain other devices and found them to be vulnerable.
Currently we are waiting for a fix from their manufacturers, at which
point we will release further information.

Any manufacturers of OBEX enabled devices are welcome to contact us and
we will provide them with the relevant test cases for them to reproduce
the vulnerabilities in thier devices.


Vendor Status
- -------------

- - Pentest Notification:           26-11-2003
- - Formally acknowledged by Nokia: 05-01-2004


Vendor Response
- ---------------

"Pentest Ltd. has sent new vulnerability research notes about
discovering that certain Bluetooth messages will crash the Nokia 6310(i)
phone. Attacker will be able to re-boot a victim's phone by sending a
malformatted Bluetooth OBEX-message. This can be considered as a
Denial-of-Service attack as it can stop phone calling etc. We have
recently repeated the attacks and found that there are some corrupted
Bluetooth messages that could crash the Nokia 6310(i) phone. After the
crash, the phone restarts and returns to normal operation.

In public places, where devices with Bluetooth technology might be
targets of malicious attacks at least in theory, the way to prevent
hackers is to set the device in non-discoverable mode - "hidden" - or
switch off the Bluetooth functionality. This does not affect other
functionalities of the phone."


Fix / Workarounds
- -----------------

No fix is currently available. However, exposure can be limited only
enabling Bluetooth when required. When Bluetooth is enabled, the device
should be in non-discoverable mode.


Credit
- ------

These vulnerabilities were discovered by Tim Hurman from Pentest Limited.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAJs6H4bMUolR4sycRAgXdAJ4meu9WbyepofpNQ0y4J5wXqQ2jFACdFB26
UcoS99/fURzRpgUK8c+G5Mw=
=YqoF
-----END PGP SIGNATURE-----