[NT] Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability
------------------------------------------------------------------------


SUMMARY

A flaw exists in the Toshiba Bluetooth wireless device driver, used by
multiple vendors, that allows a remote attacker within wireless range of a
Bluetooth device to perform a denial-of-service (DoS) attack or execute
arbitrary code at the highest privilege level.

DETAILS

Vulnerable Systems:
* Toshiba Bluetooth host stack implementations version 3.x
* Toshiba Bluetooth host stack implementations version 4 through 4.00.35,
  including all shipping OEM versions, are vulnerable.
* Toshiba Bluetooth stacks running on 64-bit platforms are not
  vulnerable.
* Toshiba is the OEM for multiple vendor Bluetooth stacks including, but
  not limited to:
    o Dell Computers
    o Sony Vaio
    o ASUS Computers and possibly other brands.

Bluetooth is a standards-based wireless technology used for short-range
data communications between electronic devices. The vulnerable Bluetooth
wireless device drivers are subject to potential attacks through specially
crafted Bluetooth packets. An attacker can potentially take advantage of
these conditions to cause a memory corruption, a system crash, and/or the
execution of arbitrary code at the highest privilege level. An attacker
would need to be within approximately 10 meters of the victim.
Additionally, an attacker would need the Bluetooth address of the victim's
device. Bluetooth addresses are easily enumerated through active scanning
if the device allows discovery.

Detection:
Users of Toshiba's Bluetooth stack are encouraged to check the current
Bluetooth stack version by selecting:
* Version 3.x: Device Properties, then General
* Version 4.x: Options, then General, then Details

Toshiba has advised that security patches are normally offered for all
Bluetooth stacks. Please consult the download details document for further
information.

Users of Dell Bluetooth products are encouraged to verify the presence and
version of their Bluetooth stack by double-clicking on the Bluetooth icon
in the system tray to open the Bluetooth client utility and selecting
Help, then About.

Recommendations:
Toshiba has recommended that affected users visit their Bluetooth vendor's
website for an updated Bluetooth stack. If a patch is unavailable, please
visit the Toshiba Bluetooth website, which offers security updates for all
Bluetooth stacks including OEM versions, as well as a Bluetooth Stack
Security Pack at:
http://aps.toshiba-tro.de/bluetooth/redirect.php?page=pages/download.php

Users of Dell Latitude D820/D620/D420/D520 are asked to verify the version
of their Bluetooth stack using the method described above. If your version
is not 4.00.22(D) SP2 or newer, then it is recommended that users upgrade
to the latest driver versions located at http://www.support.dell.com/.

Users of Dell Latitude D810/D610/D410/D510/X1 are asked to verify the
version of their Bluetooth stack using the method described above. If your
version is not 4.00.20(D) SP2 or newer, then it is recommended that users
upgrade to the latest driver versions to be made available by November
4th, 2006 at http://www.support.dell.com/.
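
The version rules above can be applied to an asset inventory. The following Python sketch is an added example, not part of the original advisory or any vendor tool. The record layout, function names, status labels, sample hosts and the "3.03.13" version string are constructed; treating "(D)" as a Dell OEM tag and a higher build number as "newer" are assumptions.

```python
import re

# Fixed Dell OEM builds named in the advisory, keyed by Latitude model:
# (major, minor, build, service pack).
DELL_FIXED = {
    **dict.fromkeys(("D820", "D620", "D420", "D520"), (4, 0, 22, 2)),
    **dict.fromkeys(("D810", "D610", "D410", "D510", "X1"), (4, 0, 20, 2)),
}
LAST_VULNERABLE = (4, 0, 35)  # advisory: "version 4 through 4.00.35"

_VERSION = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:\((\w+)\))?\s*(?:SP(\d+))?\s*$", re.I)

def parse_version(text):
    """Split e.g. '4.00.22(D) SP2' into ((4, 0, 22, 2), 'D')."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build, oem, sp = m.groups()
    return (int(major), int(minor), int(build or 0), int(sp or 0)), (oem or "").upper()

def triage(version, model=None, is_64bit=False):
    """Classify one host against the advisory's version rules."""
    if is_64bit:
        return "not-affected"          # 64-bit platforms are not vulnerable
    ver, oem = parse_version(version)
    # Assumption: the "(D)" suffix marks a Dell OEM build.
    if oem == "D" and model in DELL_FIXED:
        # Dell's fixed builds are numerically below 4.00.35, so they need
        # their own threshold; a plain range check would flag them.
        return "fixed" if ver >= DELL_FIXED[model] else "vulnerable"
    if ver[0] == 3 or (ver[0] == 4 and ver[:3] <= LAST_VULNERABLE):
        return "vulnerable"
    return "outside-listed-range"      # the advisory makes no claim here

# Constructed inventory records (hostname, model, version, 64-bit flag).
SAMPLE_INVENTORY = [
    ("lab-01", "D620", "4.00.22(D) SP2", False),
    ("lab-02", "D620", "4.00.22(D) SP1", False),
    ("lab-03", "D610", "4.00.20(D) SP2", False),
    ("lab-04", None,   "3.03.13",        False),
    ("lab-05", None,   "4.00.35",        True),
]

def triage_inventory(records):
    """Return {hostname: status} for an iterable of inventory records."""
    return {host: triage(ver, model, x64) for host, model, ver, x64 in records}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A Dell OEM build on a model the advisory does not list falls through to the generic range check, so it is reported conservatively as vulnerable until its version exceeds 4.00.35.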

Bluetooth devices should be set to non-discoverable mode during
normal operations to reduce risk from this and other potential future
Bluetooth attacks.

References:

* Toshiba: Bluetooth Download Page
  http://aps.toshiba-tro.de/bluetooth/redirect.php?page=pages/download.php
* Dell Support
  http://www.support.dell.com/
* Buffer Overrun in Toshiba Bluetooth Stack for Windows
  http://trifinite.org/trifinite_advisory_toshiba.html


ADDITIONAL INFORMATION

The information has been provided by David Maynor <research@xxxxxxxxxxxxxxx>.
The original article can be found at:
http://www.secureworks.com/press/20061011-dell.html


