|
Full Disclosure
mailing list archives
[ Secuobs - Advisory ] Bluetooth : DoS on Sony/Ericsson cell phones
From: Research Infratech <research () infratech fr>
Date: Mon, 06 Feb 2006 17:56:23 +0100
[Software affected] Bluetooth Stack on Sony/Ericsson cell phones
[Version] Sony/Ericsson K600i, V600i, W800i, T68i and certainly other models
[Impact] Bluetooth Stack Denial of Service (may be more - may be a rootkit :) - Phone DoS (reboot or shutdown) - White
screen bug (freeze sleeping)
[Credits] Pierre Betouin - pierre.betouin () infratech fr - Bug found with BSS v0.6 GPL fuzzer (Bluetooh Stack
Smasher)
BSS could be downloaded on http://www.secuobs.com/news/05022006-bluetooth10.shtml
[Vendor] notified now
[Original advisory]
http://www.secuobs.com/news/05022006-bluetooth7.shtml#english
http://www.secuobs.com/news/05022006-bluetooth7.shtml#french
[PoC] download it on http://www.secuobs.com/news/05022006-bluetooth6.shtml
[PoC usage]
# ./reset_display_sonyericsson 00:12:EE:XX:XX:XX
[Details]
A short raw L2CAP packet such as :
08 01 01 00
It represents the following L2CAP header fields :
code L2CAP_ECHO_REQ;
ident 1
length 1
The "real" packet sent is, in fact, 4 bytes long.
The DoS can be triggered when the length sent in the L2CAP field is equal to the real length minus 3 (which is the size
of the L2CAP header here).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
- [ Secuobs - Advisory ] Bluetooth : DoS on Sony/Ericsson cell phones Research Infratech (Feb 06)
|
Intro
