[VulnWatch] ptl-2004-01: Multiple vulnerabilities in Nokia phones

From: Pentest Security Advisories (alerts_at_pentest.co.uk)
Date: 02/09/04

  • Next message: Ferruh Mavituna: "[VulnWatch] Brinskter Multiple Vulnerabilities"
    Date: Mon, 09 Feb 2004 19:11:40 +0000
    To: vulnwatch@vulnwatch.org

    Hash: SHA1

    Pentest Limited Security Advisory

    Multiple vulnerabilities in Nokia phones.

    Advisory Details
    - ----------------

    Title: Multiple vulnerabilities in Nokia phones.
    Announcement date: 9th February 2004
    Advisory Reference: ptl-2004-01
    Product: Nokia 6310i Mobile phone.
    Vulnerability Type : Buffer Overflow
    Vendor-URL: http://www.nokia.com/nokia/0,,133,00.html
    Vendor-Status: Vendor notified
    Remotely Exploitable: Yes
    Locally Exploitable: N/A
    Advisory URL: http://www.pentest.co.uk/

    Vulnerability Description
    - -------------------------

    The 6310i is a typical Nokia phone supporting both Bluetooth and
    Infrared connectivity. Both of these connectivity methods support the
    OBject EXchange (OBEX) protocol to transfer data to and from the phone.
    By issuing various invalid OBEX message to the phone's protocol handler
    it is possible to trigger one of several Denial of Service
    vulnerabilities. This attack results in the phone resetting, terminating
    any current operations. No device pairing is required therefore anyone
    in range of the phone could initiate an attack.

    Vulnerable Devices
    - ------------------

    The vulnerabilities were tested and confirmed on a Nokia 6310i. Due to
    the nature of the vulnerability it is suspected that similar Nokia
    devices are also susceptible to malformed OBEX packets.

    We have tested certain other devices and found them to be vulnerable.
    Currently we are waiting for a fix from their manufacturers, at which
    point we will release further information.

    Any manufacturers of OBEX enabled devices are welcome to contact us and
    we will provide them with the relevant test cases for them to reproduce
    the vulnerabilities in thier devices.

    Vendor Status
    - -------------

    - - Pentest Notification: 26-11-2003
    - - Formally acknowledged by Nokia: 05-01-2004

    Vendor Response
    - ---------------

    "Pentest Ltd. has sent new vulnerability research notes about
    discovering that certain Bluetooth messages will crash the Nokia 6310(i)
    phone. Attacker will be able to re-boot a victim's phone by sending a
    malformatted Bluetooth OBEX-message. This can be considered as a
    Denial-of-Service attack as it can stop phone calling etc. We have
    recently repeated the attacks and found that there are some corrupted
    Bluetooth messages that could crash the Nokia 6310(i) phone. After the
    crash, the phone restarts and returns to normal operation.

    In public places, where devices with Bluetooth technology might be
    targets of malicious attacks at least in theory, the way to prevent
    hackers is to set the device in non-discoverable mode - "hidden" - or
    switch off the Bluetooth functionality. This does not affect other
    functionalities of the phone."

    Fix / Workarounds
    - -----------------

    No fix is currently available. However, exposure can be limited only
    enabling Bluetooth when required. When Bluetooth is enabled, the device
    should be in non-discoverable mode.

    - ------

    These vulnerabilities were discovered by Tim Hurman from Pentest Limited.

    Version: GnuPG v1.2.3 (MingW32)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    -----END PGP SIGNATURE-----

  • Next message: Ferruh Mavituna: "[VulnWatch] Brinskter Multiple Vulnerabilities"