Nokia 9500 vCard Viewer Remote Denial of Service Vulnerability

A similar descriptor overflow bug can be observed on Nokia 9500 handsets, which occurs when the viewer reads a specially crafted vCard. To this author's knowledge this bug was also never previously published, so it will be briefly described.

Let's start by introducing vCard. Simply stated, it is an electronic business card. It contains information such as someone's name, address, phone number, and so on. The vCard is also commonly used for contact information exchange between handsets using the Bluetooth PIM Item Transfer (OBEX Object Push), which is also supported by the Nokia 9500 Communicator.

However, the vCard viewer application on the Nokia 9500 has quite a trivial bug. When opening a vCard with a name (N: field) longer than 245 characters, the Nokia 9500 vCard viewer (Text message viewer) will crash with a USER Panic 11, the same error as in the previously described P900 Beamer application bug. The sample corrupted vCard file looks as follows:

--- Nokia9500.vcf ---
BEGIN:VCARD
VERSION:2.1
N:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;BIALOGLOWY
FN:Marek Bialoglowy
ORG:INDEPENDENT
TITLE:COO
TEL;WORK;VOICE:+6221
TEL;WORK;FAX;
ADR;WORK;ENCODING=QUOTED-PRINTABLE:;;Indonesia
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:Indonesia
URL;WORK;
EMAIL;PREF;INTERNET:bialoglowy@gmail.com
REV:20050430T1958490
END:VCARD
--- Nokia9500.vcf ---

In order to observe the effect of the vulnerability, we first have to import the vCard into a contact manager and send it via Bluetooth to the handset. During my tests I simply imported the vCard into Microsoft Outlook and used the Send to Bluetooth feature to send it to the Nokia 9500. Transferring the vCard as a file will not work.
At this stage, interaction with the phone's user is required. The phone will request authorization for the vCard transfer. If the user accepts the transfer, the new business card will appear on the phone. Here, one more interaction with the user is required: the user has to open the business card. A few seconds after confirmation, the viewer will automatically open the vCard and crash because the name field exceeds the descriptor length, resulting in the previously described USER Panic 11.

Fortunately for users, true exploitation of this type of vulnerability on Symbian-based phones does not seem to be possible. The use of descriptors prevents smashing of the stack, more commonly known as buffer overflow exploitation. Additionally, the corresponding Symbian application runs at a low privilege level. Therefore, the Symbian OS design prevents one from compromising the device's security even when a running application is incorrectly programmed. However, there is always a chance that sometime in the near future someone may still benefit from this type of vulnerability in some other way. This would be an interesting discussion but is outside the scope of the current article.
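The length check the article implies, as an added example that is not the article's, Nokia's or Symbian's code: a small Python gate for received vCard 2.1 cards that unfolds the N: value (both standard leading-whitespace folding and the trailing-backslash continuation shown in the article's listing), rejects anything over the 245-character capacity the article observed, and contrasts an unchecked descriptor copy, which fails the way the viewer does, with a bounded one. The 245 limit, the BoundedDescriptor model and the sample cards are assumptions constructed for this example.

```python
"""Name-length gate for vCard 2.1 cards received over OBEX Object Push.

Added example, not code from the article, from Nokia or from Symbian. It
models the fixed-capacity descriptor the viewer appears to copy the N: field
into (245 characters, per the article), shows the unchecked copy failing the
way the article describes, and shows the bounded copy plus up-front
validation a receiving application should use instead. BoundedDescriptor,
the capacity constant and the sample cards are this example's constructs.
"""
from __future__ import annotations

N_CAPACITY = 245  # assumed from the article: N: values longer than this crash


class DescriptorPanic(Exception):
    """Stands in for Symbian's USER panic on an out-of-range descriptor length."""


class BoundedDescriptor:
    """Toy model of a fixed-maximum-length buffer descriptor (TBuf-like)."""

    def __init__(self, max_length: int) -> None:
        self.max_length = max_length
        self.value = ""

    def copy_unchecked(self, src: str) -> None:
        # The bug pattern: len(src) is never compared with max_length first, so
        # an over-long source terminates the whole process (the article's USER 11).
        if len(src) > self.max_length:
            raise DescriptorPanic(f"USER 11: length {len(src)} > {self.max_length}")
        self.value = src

    def copy_bounded(self, src: str) -> None:
        # Defensive form: keep at most max_length characters (Left(MaxLength())).
        self.value = src[: self.max_length]


def unfold(text: str) -> list[str]:
    """Join folded physical lines into logical lines.

    vCard 2.1 continues a long value on the next line with a leading space or
    tab; the article's listing instead ends each continued line with " \\".
    Both forms are handled so the article's sample parses as one N: line.
    """
    logical: list[str] = []
    current, continuing = "", False
    for raw in text.splitlines():
        if continuing:
            current += raw
        elif raw[:1] in (" ", "\t") and current:
            current += raw[1:]
        else:
            if current:
                logical.append(current)
            current = raw
        continuing = current.endswith("\\")
        if continuing:
            current = current[:-1].rstrip()
    if current:
        logical.append(current)
    return logical


def parse_properties(text: str) -> dict[str, list[str]]:
    """Map property names (N, FN, TEL, ...) to their unfolded values."""
    props: dict[str, list[str]] = {}
    for line in unfold(text):
        head, sep, value = line.partition(":")
        if sep:  # lines like "URL;WORK;" carry no value and are skipped
            props.setdefault(head.split(";")[0].upper(), []).append(value)
    return props


def check_card(text: str, capacity: int = N_CAPACITY) -> dict:
    """Gate a received card before any viewer touches it."""
    names = parse_properties(text).get("N", [])
    if not names:
        return {"accepted": False, "n_length": 0, "reason": "missing N property"}
    n_len = max(len(v) for v in names)
    if n_len > capacity:
        return {"accepted": False, "n_length": n_len,
                "reason": f"N value exceeds viewer capacity ({n_len} > {capacity})"}
    return {"accepted": True, "n_length": n_len, "reason": "ok"}


def viewer_survives(text: str, checked: bool) -> bool:
    """Simulate the viewer copying the first N: value into its descriptor."""
    desc = BoundedDescriptor(N_CAPACITY)
    name = parse_properties(text).get("N", [""])[0]
    try:
        (desc.copy_bounded if checked else desc.copy_unchecked)(name)
    except DescriptorPanic:
        return False
    return True


def make_card(n_value: str) -> str:
    """Constructed minimal card in the article's layout (not a real contact)."""
    return "\n".join(["BEGIN:VCARD", "VERSION:2.1", f"N:{n_value}",
                      "FN:Example Contact", "END:VCARD", ""])
```

Run `check_card` on every card arriving through Object Push before handing it to a viewer; a card whose unfolded N: value exceeds the capacity is rejected with a reason, while `viewer_survives(card, checked=True)` shows that a bounded copy keeps the viewer alive even when the gate is bypassed.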