Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnwatch: [ Secuobs - Advisory ] Bluetooth : DoS on Sony/Ericsson cell phones

[ Secuobs - Advisory ] Bluetooth : DoS on Sony/Ericsson cell phones

From: Research Infratech <research_at_infratech.fr>
Date: Tue, 07 Feb 2006 03:54:26 +0100

[Software affected] Bluetooth Stack on Sony/Ericsson cell phones

[Version] Sony/Ericsson K600i, V600i, W800i, T68i and certainly other models

[Impact] Bluetooth Stack Denial of Service (may be more - may be a rootkit :) - Phone DoS (reboot or shutdown) - White screen bug (freeze sleeping)

[Credits] Pierre Betouin - pierre.betouin_at_infratech.fr - Bug found with BSS v0.6 GPL fuzzer (Bluetooh Stack Smasher)

BSS could be downloaded on http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor] notified now

[Original advisory]

http://www.secuobs.com/news/05022006-bluetooth7.shtml#english
http://www.secuobs.com/news/05022006-bluetooth7.shtml#french

[PoC] download it on http://www.secuobs.com/news/05022006-bluetooth6.shtml

[PoC usage]

# ./reset_display_sonyericsson 00:12:EE:XX:XX:XX

[Details]

A short raw L2CAP packet such as :

08 01 01 00

It represents the following L2CAP header fields :

code L2CAP_ECHO_REQ;
ident 1
length 1

The "real" packet sent is, in fact, 4 bytes long.

The DoS can be triggered when the length sent in the L2CAP field is equal to the real length minus 3 (which is the size of the L2CAP header here).
Received on Feb 07 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos