Debian Bug report logs - #351881
bluez-hcidump: DoS in hcidump


Package: bluez-hcidump; Maintainer for bluez-hcidump is Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>; Source for bluez-hcidump is src:bluez.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 8 Feb 2006 08:48:01 UTC

Severity: important

Tags: patch, security

Fixed in version bluez-hcidump/1.30-1

Done: Filippo Giunchedi <filippo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>:
Bug#351881; Package bluez-hcidump. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bluez-hcidump: DoS in hcidump
Date: Wed, 08 Feb 2006 09:36:56 +0100
Package: bluez-hcidump
Severity: important
Tags: security

This was posted to the VulnWatch list, I'm not sure whether it can only be
abused to interfere with the sniffing of Bluetooth traffic or whether more harm
can be done. If it's the former, it's probably harmless, but please check.

Cheers,
        Moritz

[Software affected] hcidump

[Version] 1.29 (may be other)

[Impact] Denial of Service (may be more)

[Credits] Pierre Betouin - pierre.betouin@infratech.fr - Bug found with BSS v0.6 GPL fuzzer (Bluetooth Stack Smasher)

BSS can be downloaded from http://www.secuobs.com/news/05022006-bluetooth10.shtml

[Vendor] was notified

[Original advisory]

http://www.secuobs.com/news/05022006-bluetooth9.shtml#english
http://www.secuobs.com/news/05022006-bluetooth9.shtml#french

[PoC] download it on http://www.secuobs.com/news/05022006-bluetooth8.shtml

[PoC usage]

# ./hcidump-crash 00:80:09:XX:XX:XX
L2CAP packet sent (15)
Buffer: 08 01 0B 00 41 41 41 41 41 41 41 41 41 41 41

# hcidump
HCI sniffer - Bluetooth packet analyzer ver 1.29
device: hci0 snap_len: 1028 filter: 0xffffffff
< HCI Command: Create Connection (0x01|0x0005) plen 13

> HCI Event: Command Status (0x0f) plen 4
> HCI Event: Connect Complete (0x03) plen 11

< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4
< ACL data: handle 41 flags 0x02 dlen 19
    L2CAP(s): debug : code=8
Echo req: dlen 12
    L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
(...)
    L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
segmentation fault

[Affected code location] l2cap.c

[Affected code]

while (frm->len >= L2CAP_CMD_HDR_SIZE) {
    l2cap_cmd_hdr *hdr = frm->ptr;
    frm->ptr += L2CAP_CMD_HDR_SIZE;
    frm->len -= L2CAP_CMD_HDR_SIZE;

    if (!p_filter(FILT_L2CAP)) {
        p_indent(level, frm);
        printf("L2CAP(s): ");
    }

    switch (hdr->code) {
    (...)
    default:
        if (p_filter(FILT_L2CAP))
            break;
        printf("code 0x%2.2x ident %d len %d\n",
            hdr->code, hdr->ident, btohs(hdr->len));
        raw_dump(level, frm);
    }
    /* hdr->len is never compared with frm->len: a value larger than the
       bytes still left in the frame drives the unsigned frm->len below zero,
       it wraps to a huge value, and the loop keeps reading past the end of
       the buffer (the repeated "code 0x00 ident 0 len 0" lines above) */
    frm->ptr += btohs(hdr->len);
    frm->len -= btohs(hdr->len);
}

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
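The defect in the quoted loop is the unchecked advance by btohs(hdr->len). The following is an added example, not hcidump's own code and not the upstream fix: it walks the signalling commands the same way but refuses to advance past the end of the frame. struct frame and l2cap_cmd_hdr are simplified stand-ins for hcidump's types, and the three packets are constructed; the oversized one matches the trace above (15 bytes of L2CAP payload whose command header claims a 12-byte body).

```c
#include <stdint.h>
#include <stdio.h>

#define L2CAP_CMD_HDR_SIZE 4

/* Simplified stand-ins for hcidump's l2cap_cmd_hdr and struct frame (assumed). */
typedef struct { uint8_t code; uint8_t ident; uint16_t len; } l2cap_cmd_hdr;
struct frame { const uint8_t *ptr; uint32_t len; };   /* len is unsigned, as in hcidump */

/* Parses the signalling commands in a frame. Returns the number of commands
 * seen, or -1 when a command's len field claims more bytes than remain. In the
 * original loop that case subtracts hdr->len from a smaller unsigned frm->len,
 * wraps it to ~4 billion, and reads beyond the buffer until the process dies. */
static int l2cap_sig_parse(struct frame *frm)
{
    int count = 0;
    while (frm->len >= L2CAP_CMD_HDR_SIZE) {
        l2cap_cmd_hdr hdr;
        hdr.code  = frm->ptr[0];
        hdr.ident = frm->ptr[1];
        hdr.len   = (uint16_t)(frm->ptr[2] | (frm->ptr[3] << 8));  /* btohs(): LE */
        frm->ptr += L2CAP_CMD_HDR_SIZE;
        frm->len -= L2CAP_CMD_HDR_SIZE;
        if (hdr.len > frm->len) {                     /* the missing bounds check */
            printf("code 0x%2.2x ident %d len %d: truncated, %u bytes left\n",
                   hdr.code, hdr.ident, hdr.len, (unsigned)frm->len);
            return -1;
        }
        printf("code 0x%2.2x ident %d len %d\n", hdr.code, hdr.ident, hdr.len);
        frm->ptr += hdr.len;
        frm->len -= hdr.len;
        count++;
    }
    return count;
}

/* Constructed inputs, not captured traffic. All are echo requests (code 0x08);
 * only the len field and the number of commands differ. */
static const uint8_t consistent[] = { 0x08, 0x01, 0x0B, 0x00,
    'A','A','A','A','A','A','A','A','A','A','A' };    /* len 11, 11 bytes follow */
static const uint8_t oversized[]  = { 0x08, 0x01, 0x0C, 0x00,
    'A','A','A','A','A','A','A','A','A','A','A' };    /* len 12, only 11 follow */
static const uint8_t two_cmds[]   = { 0x08, 0x01, 0x02, 0x00, 'A', 'A',
                                      0x08, 0x02, 0x01, 0x00, 'A' };

int parse_consistent(void) { struct frame f = { consistent, sizeof consistent }; return l2cap_sig_parse(&f); }
int parse_oversized(void)  { struct frame f = { oversized,  sizeof oversized  }; return l2cap_sig_parse(&f); }
int parse_two_cmds(void)   { struct frame f = { two_cmds,   sizeof two_cmds   }; return l2cap_sig_parse(&f); }
```

parse_oversized() stops with -1 at the first command instead of wrapping the length; the other two walk one and two well-formed commands respectively.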



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>:
Bug#351881; Package bluez-hcidump. Full text and rfc822 format available.

Acknowledgement sent to Filippo Giunchedi <filippo@esaurito.net>:
Extra info received and forwarded to list. Copy sent to Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 351881@bugs.debian.org (full text, mbox):

From: Filippo Giunchedi <filippo@esaurito.net>
To: Moritz Muehlenhoff <jmm@inutil.org>, 351881@bugs.debian.org
Subject: Re: [Pkg-bluetooth-maintainers] Bug#351881: bluez-hcidump: DoS in hcidump
Date: Tue, 14 Feb 2006 00:45:19 +0100
On Wed, Feb 08, 2006 at 09:36:56AM +0100, Moritz Muehlenhoff wrote:
> Package: bluez-hcidump
> Severity: important
> Tags: security
> 
> This was posted to the VulnWatch list, I'm not sure whether it can only be
> abused to interfere with the sniffing of Bluetooth traffic or whether more harm
> can be done. If it's the former, it's probably harmless, but please check.

Thanks for reporting this!
I've notified the upstream author; the fix is in CVS and a new version
of hcidump will probably follow soon.
My belief is that this bug can only cause a remote crash, thus interfering with
Bluetooth sniffing as you said.

filippo
--
Filippo Giunchedi
PGP key: 0x6B79D401
random quote follows:

If there is any better use for being famous and respected than using
that status to question orthodoxy, I haven't found it yet.
-- Eric S. Raymond

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>:
Bug#351881; Package bluez-hcidump. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 351881@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: 351881@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Patch, CVE
Date: Mon, 20 Feb 2006 16:45:13 +0100
tag 351881 patch
thanks

Hi!

This is the necessary patch:

  http://cvs.sourceforge.net/viewcvs.py/bluez/hcidump/parser/l2cap.c?r1=1.51&r2=1.52&diff_format=u

This has been assigned CVE-2006-0670; please mention this number in
the changelog when you fix this to allow easy tracking.

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Tags added: patch Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>:
Bug#351881; Package bluez-hcidump. Full text and rfc822 format available.

Acknowledgement sent to Filippo Giunchedi <filippo@esaurito.net>:
Extra info received and forwarded to list. Copy sent to Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #22 received at 351881@bugs.debian.org (full text, mbox):

From: Filippo Giunchedi <filippo@esaurito.net>
To: Martin Pitt <mpitt@debian.org>, 351881@bugs.debian.org
Subject: Re: [Pkg-bluetooth-maintainers] Bug#351881: Patch, CVE
Date: Mon, 20 Feb 2006 16:43:10 +0100
On Mon, Feb 20, 2006 at 04:45:13PM +0100, Martin Pitt wrote:
> tag 351881 patch
> thanks
> 
> Hi!

Hi Martin,
> 
> This is the necessary patch:
> 
>   http://cvs.sourceforge.net/viewcvs.py/bluez/hcidump/parser/l2cap.c?r1=1.51&r2=1.52&diff_format=u

thanks for the notice, I already planned to upload bluez-utils 1.30 which fixes
this vulnerability.

> This has been assigned CVE-2006-0670; please mention this number in
> the changelog when you fix this to allow easy tracking.

will do!

filippo



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>:
Bug#351881; Package bluez-hcidump. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #27 received at 351881@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Filippo Giunchedi <filippo@esaurito.net>
Cc: 351881@bugs.debian.org
Subject: Re: [Pkg-bluetooth-maintainers] Bug#351881: Patch, CVE
Date: Mon, 20 Feb 2006 17:27:15 +0100
Hi Filippo!

Filippo Giunchedi [2006-02-20 16:43 +0100]:
> > This is the necessary patch:
> > 
> >   http://cvs.sourceforge.net/viewcvs.py/bluez/hcidump/parser/l2cap.c?r1=1.51&r2=1.52&diff_format=u
> 
> thanks for the notice, I already planned to upload bluez-utils 1.30 which fixes
> this vulnerability.

Great, thanks. Then the patch makes sense for the Sarge security
update at least.

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Reply sent to Filippo Giunchedi <filippo@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #32 received at 351881-close@bugs.debian.org (full text, mbox):

From: Filippo Giunchedi <filippo@debian.org>
To: 351881-close@bugs.debian.org
Subject: Bug#351881: fixed in bluez-hcidump 1.30-1
Date: Tue, 21 Feb 2006 13:47:11 -0800
Source: bluez-hcidump
Source-Version: 1.30-1

We believe that the bug you reported is fixed in the latest version of
bluez-hcidump, which is due to be installed in the Debian FTP archive:

bluez-hcidump_1.30-1.diff.gz
  to pool/main/b/bluez-hcidump/bluez-hcidump_1.30-1.diff.gz
bluez-hcidump_1.30-1.dsc
  to pool/main/b/bluez-hcidump/bluez-hcidump_1.30-1.dsc
bluez-hcidump_1.30-1_powerpc.deb
  to pool/main/b/bluez-hcidump/bluez-hcidump_1.30-1_powerpc.deb
bluez-hcidump_1.30.orig.tar.gz
  to pool/main/b/bluez-hcidump/bluez-hcidump_1.30.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 351881@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Filippo Giunchedi <filippo@debian.org> (supplier of updated bluez-hcidump package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 21 Feb 2006 19:16:39 +0100
Source: bluez-hcidump
Binary: bluez-hcidump
Architecture: source powerpc
Version: 1.30-1
Distribution: unstable
Urgency: low
Maintainer: Debian Bluetooth Maintainers <pkg-bluetooth-maintainers@lists.alioth.debian.org>
Changed-By: Filippo Giunchedi <filippo@debian.org>
Description: 
 bluez-hcidump - Analyses Bluetooth HCI packets
Closes: 351881
Changes: 
 bluez-hcidump (1.30-1) unstable; urgency=low
 .
   * New upstream release, this fixes the remote DoS in l2cap.c CVE-2006-0670
     (Closes: #351881)
Files: 
 7e2999c80e740afeeb9980c45446041f 776 admin extra bluez-hcidump_1.30-1.dsc
 46ac502055ccab1fd6f11cab7187e9c7 136524 admin extra bluez-hcidump_1.30.orig.tar.gz
 d05f7583fc3e6029df25a740e3fa095e 2242 admin extra bluez-hcidump_1.30-1.diff.gz
 192c271fe95413557aa600b2b89f7f0e 86964 admin extra bluez-hcidump_1.30-1_powerpc.deb

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 18:31:25 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 08:29:41 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.