SANS ISC InfoSec Forums: A cavity in Linux Bluetooth?

A cavity in Linux Bluetooth?
Looks like there is an issue with over-filling a cavity (buffer) in the Linux Bluetooth stack's cmtp_recv_interopmsg() function. At the very least it's a DoS condition, but it might be possible to leverage it into running code using malformed CAPI messages with oversized (1) manu (manufacturer) or (2) serial (serial number) fields. The issue exists in Linux kernels before 2.4.33.5 and in 2.6.x up to 2.6.19.1. More information can be found here.
Tom

160 Posts
Dec 19th 2006
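The bug class described above, as an added example that is not the kernel's code: a constructed model of a CAPI interop message with length-prefixed manu and serial fields, parsed into fixed-size buffers with the two checks the unchecked copy lacks (declared length must fit inside the message, and the copy is clamped to the destination). Header length, field layout and buffer sizes are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not the kernel's code: a CAPI interop message as a fixed
 * header followed by two length-prefixed strings (manufacturer, serial number)
 * that are copied into fixed-size buffers of a controller struct. */
#define HDR_LEN   4u
#define FIELD_MAX 16u                             /* destination size, incl. NUL */
struct capi_ctrl { char manu[FIELD_MAX]; char serial[FIELD_MAX]; };

/* Copy one length-prefixed field found at msg[off]. Returns bytes consumed,
 * or 0 when the declared length runs past the end of the message. */
static size_t copy_field(char *dst, const uint8_t *msg, size_t msglen, size_t off) {
    if (off >= msglen) return 0;                  /* no room for the length byte */
    size_t len = msg[off];
    if (len > msglen - off - 1) return 0;         /* truncated message */
    size_t n = len < FIELD_MAX - 1 ? len : FIELD_MAX - 1;  /* clamp to dst */
    memcpy(dst, msg + off + 1, n);
    dst[n] = '\0';
    return 1 + len;
}

/* Hardened parse: 0 on success, -1 on a malformed message. The defect the diary
 * describes is the unchecked form, memcpy(dst, src, len) with peer-supplied len. */
int parse_interopmsg(struct capi_ctrl *c, const uint8_t *msg, size_t msglen) {
    if (msglen < HDR_LEN) return -1;
    size_t used = copy_field(c->manu, msg, msglen, HDR_LEN);
    if (used == 0) return -1;
    return copy_field(c->serial, msg, msglen, HDR_LEN + used) == 0 ? -1 : 0;
}

/* Constructed sample messages; header bytes are zero for illustration. */
int check_good(void) {            /* 1 if a well-formed message parses as expected */
    static const uint8_t m[] = {0,0,0,0, 4,'A','c','m','e', 3,'S','0','1'};
    struct capi_ctrl c;
    return parse_interopmsg(&c, m, sizeof m) == 0 &&
           strcmp(c.manu, "Acme") == 0 && strcmp(c.serial, "S01") == 0;
}
int check_truncated(void) {       /* 1 if a length past the message end is rejected */
    static const uint8_t m[] = {0,0,0,0, 200,'A','c'};
    struct capi_ctrl c;
    return parse_interopmsg(&c, m, sizeof m) == -1;
}
int check_oversized(void) {       /* 1 if a 20-byte manu is clamped to 15 chars */
    static const uint8_t m[] = {0,0,0,0, 20,'0','1','2','3','4','5','6','7','8','9',
                                'A','B','C','D','E','F','G','H','I','J', 0};
    struct capi_ctrl c;
    return parse_interopmsg(&c, m, sizeof m) == 0 && strlen(c.manu) == 15 &&
           c.serial[0] == '\0';
}
```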
