Sony Ericsson P900 Beamer Malformed File Name Handling Denial of Service Vulnerability

In order to prove that Bluetooth related application vulnerabilities can and do exist on mobile phones, this article now presents a previously unpublished vulnerability in the Beamer application found on the Sony Ericsson P900. Other handsets such as the SE P800 may be affected as well.

The vulnerability itself is trivial. When sending (pushing) a file to a vulnerable phone using obexftp over OBEX File Transfer or OBEX Object Push, with a remote filename longer than 197 characters, the Beamer application crashes and USER Panic 11 is raised.

To see the effect yourself, simply modify line 743 of the obexftp client.c file (obexftp version 0.10.6) so that obexftp_put_file sends more than 197 characters as the remote name, as shown below.

---- snip ---
object = build_object_from_file (cli->obexhandle,localname, \
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
---- snip ---

After compiling the modified code, simply execute obexftp (set the right BT address and choose any existing file):

# ./obexftp -b 00:0A:D9:E7:0B:1D --channel 2 -p /etc/passwd -v

After obexftp has run, the Beamer thread on the P900 handset ends in a USER Panic 11, which usually occurs when an operation that moves or copies data into a 16-bit variant descriptor causes the length of that descriptor to exceed its maximum length. The offending thread is killed immediately when the panic is raised.

Descriptor overflow vulnerabilities of this kind are surprisingly common on various mobile phones.
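As an added, receiver-side example that is not part of the original article or of obexftp: a Python parser for incoming OBEX PUT requests that bounds-checks every header length and rejects a Name header longer than the 197-character limit before the name is copied anywhere, which is the check the Beamer application evidently lacks. The 197 limit is taken from the article; the build_put packet builder and the sample names are constructed here for illustration.

```python
MAX_SAFE_NAME_CHARS = 197  # longest Name the article reports the P900 Beamer handling safely
OBEX_HI_NAME = 0x01        # Name header: null-terminated UTF-16BE text, 2-byte length
OBEX_OP_PUT = 0x02         # PUT opcode; bit 7 set marks the final packet

def parse_obex_headers(packet: bytes):
    """Split an OBEX request into (opcode, [(header_id, value_bytes), ...]).
    Header id top bits: 00 text / 01 bytes (2-byte length counting id+length),
    10 = 1-byte value, 11 = 4-byte value. Every length is bounds-checked."""
    if len(packet) < 3 or int.from_bytes(packet[1:3], "big") != len(packet):
        raise ValueError("bad or missing OBEX packet length field")
    headers, pos = [], 3
    while pos < len(packet):
        hi, kind = packet[pos], packet[pos] >> 6
        if kind < 2:
            hlen = int.from_bytes(packet[pos + 1:pos + 3], "big")  # short slice if truncated
            if hlen < 3 or pos + hlen > len(packet):  # also catches a truncated length field
                raise ValueError(f"header 0x{hi:02x} length {hlen} overruns packet")
            headers.append((hi, packet[pos + 3:pos + hlen]))
            pos += hlen
        else:
            width = 1 if kind == 2 else 4
            if pos + 1 + width > len(packet):
                raise ValueError(f"truncated header 0x{hi:02x}")
            headers.append((hi, packet[pos + 1:pos + 1 + width]))
            pos += 1 + width
    return packet[0], headers

def name_length_chars(value: bytes) -> int:
    """Characters in a Name header value, excluding the UTF-16 null terminator."""
    if len(value) % 2 or value[-2:] != b"\x00\x00":
        raise ValueError("Name header is not null-terminated UTF-16BE")
    return len(value[:-2].decode("utf-16-be"))

def check_put_name(packet: bytes):
    """Return (name_chars, accepted); reject before copying into a bounded buffer."""
    opcode, headers = parse_obex_headers(packet)
    if opcode & 0x7F != OBEX_OP_PUT:
        raise ValueError(f"not an OBEX PUT request (opcode 0x{opcode:02x})")
    names = [v for hi, v in headers if hi == OBEX_HI_NAME]
    n = name_length_chars(names[0]) if names else 0
    return n, n <= MAX_SAFE_NAME_CHARS

def build_put(name: str, size: int = 0) -> bytes:
    """Constructed sample input: one final PUT with Name and Length (0xC3) headers."""
    name_val = name.encode("utf-16-be") + b"\x00\x00"
    hdrs = bytes([OBEX_HI_NAME]) + (3 + len(name_val)).to_bytes(2, "big") + name_val
    hdrs += b"\xC3" + size.to_bytes(4, "big")
    return bytes([OBEX_OP_PUT | 0x80]) + (3 + len(hdrs)).to_bytes(2, "big") + hdrs
```

A receiver that applies check_put_name and answers an oversized Name with an OBEX error response never reaches the descriptor copy that panics the Beamer thread.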