Motorola P2K Platform setpath() overflow in OBEX File Transfer

Author: Kevin Finisterre
Vendor: http://www.motorola.com
Product: Motorola PEBL U6, Motorola V600, other Motorola P2K based phones?

References:
http://www.digitalmunition.com/DMA[2006-0321a].txt
http://www.motorola.com/motoinfo/product/details/0,,11,00.html
http://www.motorola.com/motoinfo/product/details/0,,87,00.html
http://www.digitalmunition.com/P1010048.JPG

Description:

Motorola is known around the world for innovation and leadership in wireless and broadband communications. Inspired by a vision of Seamless Mobility, the people of Motorola are committed to helping you get and stay connected simply and seamlessly.

Recently I had the pleasure of experiencing 2 of Motorola's phones, the PEBL U6 and the V600. Radiating mystery and intrigue, the understated elegance of the Motorola PEBL elevates mobile design to a new level. And with its stunning looks and killer functionality, the Motorola V600 cellular phone is a sleek statement of sophistication and intelligence for mobile trendsetters who demand the very best.

Each of the phones has exhibited interesting behavior with regard to Bluetooth functionality. The PEBL handset, for example, is subject to a post-authentication buffer overflow via OBEX File Transfer. Both phones are also vulnerable to a pre-authentication user interface spoofing issue. This document seeks to inform Motorola users about the issues at hand and to describe both issues in detail.

Based on internal markings, my Motorola PEBL is a model U6 (G8/9/18/19) S/W 08.83.76R. It was purchased from a T-Mobile store in Columbus, Ohio (USA) on 2/10/2006.
The following file transfer service is available on channel 9 of my PEBL:

Service Name: OBEX File Transfer
Service Description: OBEX File Transfer
Service Provider: T-Mobile
Service RecHandle: 0x10009
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
  code_ISO639: 0x6672
  encoding:    0x6a
  base_offset: 0xc800
  code_ISO639: 0x6573
  encoding:    0x6a
  base_offset: 0xc803
  code_ISO639: 0x7074
  encoding:    0x6a
  base_offset: 0xc806
Profile Descriptor List:
  "OBEX File Transfer" (0x1106)
    Version: 0x0100

After pairing with the phone an attacker can send a long OBEX setpath() and completely crash the handset. The user interface will go completely unresponsive and any active calls will be dropped. After about 15 to 20 seconds the device completely turns off. The user must push the power button in order to use the device further. Code execution may be possible; however, the debugging capabilities on the PEBL are minimal. Access to Motorola debugging tools may provide further information about the possibility of code execution.

A proof of concept java .class was created to trigger the issue. The PoC requires the Avetana Bluetooth Stack demo avetanaBluetooth.jar and a java compiler. Please note that it is also necessary to pair with the device prior to connecting to the FTP service.

k-fs-ibook:~/Desktop kf$ javac PEBL-p00py.java
k-fs-ibook:~/Desktop kf$ java PEBL-p00py
avetanaBluetooth version 1.3.4
Local name K F?s iBook
Local address 11-22-33-44-55-66
Device class 102104
License valid until 24.02.06
Possibilities array 3F
License-ID 2217
connected
java.io.IOException: Connection closed

(The phone is now dead at this point)
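As an added illustration, not Motorola's firmware and not the author's PoC, the check a SetPath handler needs on the receiving side: the parser below validates every OBEX length field against the bytes actually received and refuses a Name header larger than its buffer, which is the class of check whose absence lets a long setpath() overrun the handset's path buffer. The opcode and header constants follow the OBEX spec; MAX_NAME_BYTES and the status codes are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example of a bounds-checked OBEX SetPath parser; not Motorola's
 * firmware. Opcode and header constants follow the OBEX spec, MAX_NAME_BYTES
 * is an assumed size for the server's path buffer. */
#define OBEX_OP_SETPATH 0x85  /* SetPath opcode with the final bit set */
#define OBEX_HI_NAME    0x01  /* Name header: 2-byte length, UTF-16BE value */
#define MAX_NAME_BYTES  64    /* assumed capacity of the path buffer */

enum setpath_status { SP_OK = 0, SP_BAD_OPCODE, SP_BAD_LENGTH, SP_NAME_TOO_LONG };

/* Parses one SetPath request (opcode, 2-byte length, flags, constants, headers)
 * and copies the Name value into name_out. Every length field is checked
 * against the bytes actually received before it is trusted, and a Name longer
 * than the buffer is rejected instead of being copied over its end. */
enum setpath_status obex_parse_setpath(const uint8_t *pkt, size_t pkt_len,
                                       uint8_t *name_out, size_t *name_len)
{
    *name_len = 0;
    if (pkt_len < 5 || pkt[0] != OBEX_OP_SETPATH) return SP_BAD_OPCODE;
    size_t declared = ((size_t)pkt[1] << 8) | pkt[2];
    if (declared != pkt_len) return SP_BAD_LENGTH;   /* length field must match the wire */
    size_t pos = 5;                                  /* skip flags and constants */
    while (pos < pkt_len) {
        uint8_t hi = pkt[pos];
        size_t hlen;
        switch (hi & 0xC0) {                         /* top two bits give the encoding */
        case 0x80: hlen = 2; break;                  /* id + 1-byte value */
        case 0xC0: hlen = 5; break;                  /* id + 4-byte value */
        default:                                     /* id + 2-byte length (includes itself) */
            if (pos + 3 > pkt_len) return SP_BAD_LENGTH;
            hlen = ((size_t)pkt[pos + 1] << 8) | pkt[pos + 2];
            if (hlen < 3) return SP_BAD_LENGTH;
        }
        if (pos + hlen > pkt_len) return SP_BAD_LENGTH;  /* header claims more than received */
        if (hi == OBEX_HI_NAME) {
            size_t vlen = hlen - 3;
            if (vlen > MAX_NAME_BYTES) return SP_NAME_TOO_LONG;  /* the check an overflow lacks */
            memcpy(name_out, pkt + pos + 3, vlen);
            *name_len = vlen;
        }
        pos += hlen;
    }
    return SP_OK;
}
```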