[TOOL] BSS (Bluetooth Stack Smasher) Fuzzer



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



BSS (Bluetooth Stack Smasher) Fuzzer
------------------------------------------------------------------------


SUMMARY



DETAILS

BSS (Bluetooth Stack Smasher) is an L2CAP-layer fuzzer for Linux,
distributed under the GPL licence.
BSS requires the standard Bluetooth library.

BSS Usage :
Usage: ./bss [-s size] [-m mode] [-p pad_byte for modes 1-11] [-M maxcrash]
Modes :
0 All mode listed below
1 L2CAP_COMMAND_REJ
2 L2CAP_CONN_REQ
3 L2CAP_CONN_RSP
4 L2CAP_CONF_REQ
5 L2CAP_CONF_RSP
6 L2CAP_DISCONN_REQ
7 L2CAP_DISCONN_RSP
8 L2CAP_ECHO_REQ
9 L2CAP_ECHO_RSP
10 L2CAP_INFO_REQ
11 L2CAP_INFO_RSP
12 L2CAP Random Fuzzing (-s: max_size) (-M: crashcount)

BSS Example:
./bss -s 100 -m 12 -M 0 XX:XX:XX:XX:XX:XX

This example sends short random packets (mode 12) with a maximum size of 100
bytes, in an infinite loop (-M 0).

BSS performs several L2CAP checks by sending malformed L2CAP packets.

The initial source code analysis is taken from the tanya tool (tbear).

Another example of use (short random L2CAP packets):

./bss -s 50 -m 12 00:12:EE:XX:XX:XX
......

00:12:EE:XX:XX:XX BT stack may have crashed. This device seems to be
vulnerable to buggy packets. Please, ensure that the device has really
crashed doing a bt scan for instance.

Host 00:12:EE:XX:XX:XX
Packet size 11

Packet dump

0x75 0x3F 0x1E 0x3B 0x0B 0xBD 0xC4 0x98 0xBB 0x72 0xD0

char replay_buggy_packet[]="\x75\x3F\x1E\x3B\x0B\xBD\xC4\x98\xBB\x72\xD0";

Then, try to make sure that this packet alone is responsible (sometimes
cellphones crash because of multiple packets or flooding effects):

cd replay_packet

Edit replay_l2cap_packet.c and modify SIZE and replay_buggy_packet :

#define SIZE 11
char replay_buggy_packet[]="\x75\x3F\x1E\x3B\x0B\xBD\xC4\x98\xBB\x72\xD0";

Then, type make :

make

and try this packet against your equipment :

./replay_l2cap_packet 00:12:EE:XX:XX:XX
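The replay step above asks whether one packet is enough to crash a stack. As an added example (not part of BSS or this advisory), here is the receive-side check a robust L2CAP implementation should apply to the signaling commands that modes 1-11 target: parse the 4-byte command header and bound every field by the bytes actually received rather than by the peer-supplied Length. Running the advisory's 11-byte dump through it assumes, for illustration only, that those bytes form a signaling command PDU.

```c
#include <stddef.h>
#include <stdint.h>
/* L2CAP signaling command codes: the same commands BSS modes 1-11 fuzz. */
enum { L2CAP_CMD_REJ = 0x01, L2CAP_CONN_REQ, L2CAP_CONN_RSP, L2CAP_CONF_REQ,
       L2CAP_CONF_RSP, L2CAP_DISCONN_REQ, L2CAP_DISCONN_RSP, L2CAP_ECHO_REQ,
       L2CAP_ECHO_RSP, L2CAP_INFO_REQ, L2CAP_INFO_RSP /* 0x0B */ };

/* Outcome of validating one signaling command PDU. */
enum l2cap_verdict { L2CAP_OK = 0, L2CAP_TRUNCATED_HEADER, L2CAP_UNKNOWN_CODE,
                     L2CAP_LENGTH_EXCEEDS_BUFFER, L2CAP_BODY_TOO_SHORT };

/* Minimum body length per code (0 = no fixed minimum, e.g. echo data). */
static size_t min_body_len(uint8_t code)
{
    switch (code) {
    case L2CAP_CMD_REJ:     return 2; /* Reason */
    case L2CAP_CONN_REQ:    return 4; /* PSM + SCID */
    case L2CAP_CONN_RSP:    return 8; /* DCID + SCID + Result + Status */
    case L2CAP_CONF_REQ:    return 4; /* DCID + Flags; options optional */
    case L2CAP_CONF_RSP:    return 6; /* SCID + Flags + Result */
    case L2CAP_DISCONN_REQ:
    case L2CAP_DISCONN_RSP: return 4; /* DCID + SCID */
    case L2CAP_INFO_REQ:    return 2; /* InfoType */
    case L2CAP_INFO_RSP:    return 4; /* InfoType + Result */
    default:                return 0; /* ECHO_REQ / ECHO_RSP */
    }
}

/* Validate a command PDU: 4-byte header (Code, Identifier, LE16 Length) + body.
 * Every bound is taken from the bytes actually received (len), never from the
 * peer-controlled Length field alone. */
enum l2cap_verdict l2cap_check_cmd(const uint8_t *buf, size_t len)
{
    if (len < 4) return L2CAP_TRUNCATED_HEADER;
    uint8_t code = buf[0];
    uint16_t body_len = (uint16_t)(buf[2] | (buf[3] << 8));
    if (code < L2CAP_CMD_REJ || code > L2CAP_INFO_RSP) return L2CAP_UNKNOWN_CODE;
    if ((size_t)body_len > len - 4) return L2CAP_LENGTH_EXCEEDS_BUFFER;
    if (body_len < min_body_len(code)) return L2CAP_BODY_TOO_SHORT;
    return L2CAP_OK;
}

/* The 11-byte dump from the advisory, read as a signaling command (an assumption
 * for illustration): Code 0x75 is unknown, and Length 0x3B1E claims 15134 body
 * bytes where only 7 follow. Either check alone is enough to drop it. */
enum l2cap_verdict check_advisory_packet(void)
{
    static const uint8_t pkt[] = { 0x75, 0x3F, 0x1E, 0x3B, 0x0B, 0xBD,
                                   0xC4, 0x98, 0xBB, 0x72, 0xD0 };
    return l2cap_check_cmd(pkt, sizeof pkt);
}
```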


TIPS:
* In order to benchmark a BT implementation, you may want to use the time
command :
time ./bss -m 12 00:12:EE:XX:XX:XX

* You may increase the -M value, which lets you go on fuzzing even if some
packets have not been sent to the equipment: some devices may crash because
of flooding, for instance. 0 means an infinite loop.


ADDITIONAL INFORMATION

The information has been provided by Research Infratech
<mailto:research@xxxxxxxxxxxx>.
For the latest version of the tool visit the project's homepage at:
http://www.secuobs.com/news/05022006-bluetooth10.shtml


