Vigil@nce: Linux kernel, denial of service via bluetooth bnep
March 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker with the CAP_NET_ADMIN capability can use an
ioctl on a Bluetooth BNEP socket, in order to read the memory or
to create a denial of service.
– Severity: 1/4
– Creation date: 01/03/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The BNEP (Bluetooth Network Encapsulation Protocol) protocol
encapsulates IP data on L2CAP (Logical Link Control and Adaptation
Protocol).
The bnep_sock_ioctl() function of the net/bluetooth/bnep/sock.c
file implements ioctls on BNEP sockets. However, this function
does not check if the device name ends with a ’\0’ character. The
kernel then continues to copy data coming from its memory, until
it finds a null character or until a segmentation error occurs.
A local attacker with the CAP_NET_ADMIN capability can therefore
use an ioctl on a Bluetooth BNEP socket, in order to read the
memory or to create a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-bluetooth-bnep-10409