SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability
From: "Research" <research@xxxxxxxxxxxxxxx>
Date: Wed, 11 Oct 2006 21:29:36 -0400
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: "Allen Wilson" <awilson@xxxxxxxxxxxxxxx>
Thread-index: Acbtnd+GrV9mrvefQZKeim1Jl0K5aA==
Thread-topic: SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SecureWorks Research Client Advisory
Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability

October 11th, 2006

Summary:

A flaw exists in the Toshiba Bluetooth wireless device driver, used by
multiple vendors, that allows a remote attacker within wireless range of
a Bluetooth device to perform a denial-of-service (DoS) attack or
execute arbitrary code at the highest privilege level.

Scope:

Toshiba Bluetooth host stack implementations version 3.x
Toshiba Bluetooth host stack implementations version 4 through 4.00.35,
  including all shipping OEM versions are vulnerable.
Toshiba Bluetooth stacks running on 64-bit platforms are not vulnerable.
Toshiba is the OEM for multiple vendor Bluetooth stacks including, but
  not limited to:
      - Dell Computers
      - Sony Vaio
      - ASUS Computers
      - and possibly other brands.

Description:

Bluetooth is a standards-based wireless technology used for short-range
data communications between electronic devices.  The vulnerable
Bluetooth wireless device drivers are subject to potential attacks
through specially crafted Bluetooth packets.  An attacker can
potentially take advantage of these conditions to cause a memory
corruption, a system crash, and/or the execution of arbitrary code at
the highest privilege level.  An attacker would need to be within
approximately 10 meters of the victim.  Additionally, an attacker would
need the Bluetooth address of the victim's device.  Bluetooth addresses
are easily enumerated through active scanning if the device allows
discovery.

Detection:

Users of Toshiba's Bluetooth stack are encouraged to check the current
Bluetooth stack version by selecting:
      Version 3.x - "Device Properties...", then "General"
      Version 4.x - "Options", then "General", then "Details"

Toshiba has advised that security patches are normally offered for all
Bluetooth stacks.  Please consult the download details document for
further information.

Users of Dell Bluetooth products are encouraged to verify the presence
and version of their Bluetooth stack by double-clicking on the
Bluetooth icon in the system tray to open the Bluetooth client utility
and selecting "Help", then "About".

Recommendations:

Toshiba has recommended that affected users visit their Bluetooth
vendor's website for an updated Bluetooth stack.  If a patch is
unavailable, please visit the Toshiba Bluetooth website, which offers
security updates for all Bluetooth stacks including OEM versions, as
well as a Bluetooth Stack Security Pack at: 
http://aps.toshiba-tro.de/bluetooth/redirect.php?page=pages/download.php

Users of Dell Latitude D820/D620/D420/D520 are asked to verify the
version of their Bluetooth stack using the method described above.  If
your version is not 4.00.22(D) SP2 or newer, then it is recommended that
users upgrade to the latest driver versions located at
http://www.support.dell.com/.

Users of Dell Latitude D810/D610/D410/D510/X1 are asked to verify the
version of their Bluetooth stack using the method described above.  If
your version is not 4.00.20(D) SP2 or newer, then it is recommended
that users upgrade to the latest driver versions to be made available
by November 4th, 2006 at http://www.support.dell.com/.

Bluetooth device users should be set to non-discoverable mode during
normal operations to reduce risk from this and other potential future
Bluetooth attacks.

References:
SecureWorks Research Client Advisory
Multiple Vendor Bluetooth Stack Memory Corruption Vulnerability
      http://www.secureworks.com/press/20061011-dell.html

Toshiba: Bluetooth Download Page
     
http://aps.toshiba-tro.de/bluetooth/redirect.php?page=pages/download.php

Dell Support
      http://www.support.dell.com/

Buffer Overrun in Toshiba Bluetooth Stack for Windows
      http://trifinite.org/trifinite_advisory_toshiba.html

CVSS Scoring:

      Access Vector:      Remote
      Access Complexity:  High
      Authentication:     Not Required
      Confidentiality:    Complete
      Integrity:          Complete
      Availability:       Complete
      Impact Bias:        Normal
      Score:              8.0

Credits:

This vulnerability was discovered and researched by David Maynor of
SecureWorks, Inc. and Jon Ellch.  SecureWorks would like to thank
Christopher M. Davis and the entire Dell security response team as well
as Armin Scheruebl of Toshiba Europe GmbH and the Toshiba Bluetooth
Support team for their response and coordination.

About Secureworks

Please direct all security research related inquiries to:
Allen Wilson
(404) 417-3717
research@xxxxxxxxxxxxxxx

All media inquiries should be directed to:
Elizabeth Clarke
(404) 486-4492
eclarke@xxxxxxxxxxxxxxx

(c) Copyright 2006 SecureWorks, Inc.

This advisory may not be edited or modified in any way without the
express written consent of SecureWorks, Inc.  If you wish to reprint
this advisory or any portion or element thereof, please contact
research@xxxxxxxxxxxxxxx to seek permission.  Permission is hereby
granted to link to this advisory via the SecureWorks web-site at 
http://www.secureworks.com/press/20061011-dell.html or use in
accordance with the fair use doctrine of U.S. copyright laws.

Disclaimer: The information within this advisory may change without
notice.  The most recent version of this advisory may be found on the
SecureWorks web site at www.secureworks.com for a limited period of
time.  Use of this information constitutes acceptance for use in an
AS IS condition.  There are NO warranties, implied or otherwise, with
regard to this information or its use.  ANY USE OF THIS INFORMATION IS
AT THE USER'S RISK.  In no event shall SecureWorks be liable for any
damages whatsoever arising out of or in connection with the use or
spread of this information.

SecureWorks PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as
http://www.secureworks.com/researchcenter/publickey.html

Revision History:
1.0; October 11th, 2006 - Initial advisory release

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.0 (Build 1202)

wsBVAwUBRS1VJw81H4LOxRiGAQhlawf9GZJ3LPFVIDRtqDbKndBYRC2eCqIBJNr3
mfGXQPjQ6vu1KzaosBmZMhz+ws6UvZ3+xVsRESMVDWqtuKicqhQy/rPIy4QAt9qc
Geg9rIYQH1/hbdMbcDiSVKLUS2IRRMRMIo4GvjqN9U7jOg/N9luKOhJnVsAOKZAE
6E4dRwqLYCshHH6JyuaL5nGfYEFh9DOc2Q3jh/AQhXa8Ld3dd3OXBV/94HKCEmqT
gYId4Tdgm7ti6vnlSDT6Pa33fwi3vM0CIrdW0u0FgFwkB2pO3gzLOlEWcls1lQku
/B7X5aISfhgPJWkZoztiIg7dRom2gOUCDrg6qRkntGuCRTqSDXepBQ==
=TbdP
-----END PGP SIGNATURE-----

Prev by Date: MS06-060 Microsoft Word Memmove Code Execution
Next by Date: MHL-2006-002 Public Advisory: "Call-Center-Software" Multiple Security Issues
Previous by thread: MS06-060 Microsoft Word Memmove Code Execution
Next by thread: MHL-2006-002 Public Advisory: "Call-Center-Software" Multiple Security Issues
Index(es):
- Date
- Thread