Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11321
HistoryFeb 07, 2006 - 12:00 a.m.

[ Secuobs - Advisory ] Bluetooth : DoS on Sony/Ericsson cell phones

2006-02-0700:00:00
vulners.com
13
JSON

[Software affected] Bluetooth Stack on Sony/Ericsson cell phones

[Version] Sony/Ericsson K600i, V600i, W800i, T68i and certainly other models

[Impact] Bluetooth Stack Denial of Service (may be more - may be a rootkit :) - Phone DoS (reboot or
shutdown) - White screen bug (freeze sleeping)

[Credits] Pierre Betouin - [email protected] - Bug found with BSS v0.6 GPL fuzzer (Bluetooh
Stack Smasher)

BSS could be downloaded on http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor] notified now

[Original advisory]

http://www.secuobs.com/news/05022006-bluetooth7.shtml#english
http://www.secuobs.com/news/05022006-bluetooth7.shtml#french

[PoC] download it on http://www.secuobs.com/news/05022006-bluetooth6.shtml

[PoC usage]

./reset_display_sonyericsson 00:12:EE:XX:XX:XX

[Details]

A short raw L2CAP packet such as :

08 01 01 00

It represents the following L2CAP header fields :

code L2CAP_ECHO_REQ;
ident 1
length 1

The "real" packet sent is, in fact, 4 bytes long.

The DoS can be triggered when the length sent in the L2CAP field is equal to the real length minus 3
(which is the size of the L2CAP header here).

JSON