[NT] Toshiba Bluetooth Stack for Windows Buffer Overflow
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 22 Jun 2006 17:39:47 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Toshiba Bluetooth Stack for Windows Buffer Overflow
------------------------------------------------------------------------
SUMMARY
Toshiba Bluetooth Stack is a collection of libraries that handles
bluetooth for Windows.
Improper handling of user input allows attackers to cause a Blue screen in
Microsoft Windows using the Toshiba Bluetooth stack.
DETAILS
Vulnerable Systems:
* Toshiba Bluetooth Stack for Windows version 4.0.23 and prior
Attackers are able to remotely cause a critical System Exception on
Windows XP hosts that results in an immediate reboot of the system (Blue
Screen of Death). The crash is triggered through the host's Bluetooth
interface by an attack that has been introduced under the name
<http://trifinite.org/trifinite_stuff_bluesmack.html> BlueSmack.
By sending large payloads with L2CAP Echo Requests, data is written to
non-paged memory areas. The driver causing this behavior is TOSRFBD.SYS.
In order to perform the attack, the attackers need to be in physical
proximity of the device. Depending on the Bluetooth device class,
Bluetooth Wireless Technology typically covers a range 10 meters. This
range can be extended to distances of up to one mile by using directional
antennas that are connected to the attacker's equipment.
Vendor Status:
"At the time of the publication of this advisory (20th of June 2006), the
vendor had more than four months for resolving the issue and did not
succeed. They have declined to comment on our submission. In the process
of disclosure, Microsoft and the Bluetooth SIG have also been informed
about the issue in April 2006. At the time of writing this advisory, there
is no version of the enhanced data rate (EDR) capable Toshiba Bluetooth
Stack for Windows that is secure against the vulnerability described
above. The latest version of the stack which has been released in May 2006
and does not address this vulnerability either."
Workaround:
As the attacker needs to know the Bluetooth device address of the host a
workaround is to switch the Bluetooth module into invisible mode. This
mode prevents the host from being discovered by attackers and allows
normal operation of Bluetooth devices that are bonded with the host.
Exploitation and Public Announcements Besides the ability to remotely
cause a blue screen, the ability to execute arbitrary code on the accepted
machine cannot be confirmed.
ADDITIONAL INFORMATION
The information has been provided by <mailto:martin@xxxxxxxxxxxxx> Martin
Herfurt.
The original article can be found at:
<http://trifinite.org/trifinite_advisory_toshiba.html>
http://trifinite.org/trifinite_advisory_toshiba.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [TOOL] lbd - Load Balancing Detector
- Next by Date: [NEWS] Opera Out-of-Bounds Memory Access DoS
- Previous by thread: [TOOL] lbd - Load Balancing Detector
- Next by thread: [NEWS] Opera Out-of-Bounds Memory Access DoS
- Index(es):
Relevant Pages
|
