Vigil@nce: Linux kernel, memory corruption via Bluetooth

March 2010 by Vigil@nce

This bulletin was written by Vigil@nce: http://vigilance.fr/

SYNTHESIS OF THE VULNERABILITY

A local attacker can create several Bluetooth sockets, in order to generate a denial of service, or possibly to execute code.

- Severity: 2/4
- Creation date: 23/03/2010

DESCRIPTION OF THE VULNERABILITY

The Linux kernel implements several of the protocols used by Bluetooth:
- L2CAP (Logical Link Control and Adaptation Protocol): adaptation of application data (segmentation and reassembly)
- RFCOMM: emulation of an RS-232-compatible serial port
- SCO (Synchronous Connection Oriented): voice

Information on open sockets is readable via sysfs (/sys), through the following functions:
- l2cap_sysfs_show()
- rfcomm_dlc_sysfs_show()
- rfcomm_sock_sysfs_show()
- sco_sysfs_show()

These functions write their output into a single memory page of size PAGE_SIZE. Each socket consumes a few bytes of this page. However, these functions do not check whether the end of the page has been reached (which happens when too many sockets are open). The kernel then writes past the end of the page.

A local attacker can therefore create several Bluetooth sockets, in order to generate a denial of service, or possibly to execute code.
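The pattern the bulletin describes, and the bounds check that prevents it, as an added user-space model that is not the kernel's source and not part of the original bulletin. The socket record, the 17-byte line format and the 4096-byte page size are assumptions made for the example (PAGE_SIZE is 4096 on most Linux builds); the kernel's actual fix is not described on the page, so the hardened writer below simply stops, and reports truncation, when the next line would not fit.

```c
#include <stdbool.h>
#include <stdio.h>

/* Modelled PAGE_SIZE; the kernel's value is 4096 on most builds (assumed). */
#define MODEL_PAGE_SIZE 4096
#define MAX_SOCKS 512

/* Constructed stand-in for the per-socket fields a show function prints;
 * the real kernel structures are not reproduced here. */
struct bt_sock {
    unsigned int handle;
    unsigned short psm;
    int state;
};

/* Fixed-width line, 8 + 1 + 4 + 1 + 2 + 1 = 17 bytes per socket. */
#define LINE_FMT "%08x %04x %02d\n"

/* Vulnerable pattern (a model of the bug, not kernel code): one sprintf per
 * socket into a page-sized buffer with no check of the bytes remaining.
 * Once n * 17 exceeds the page size the writes land past its end, so this
 * function is only ever called below on inputs that fit. */
static int show_unbounded(char *page, const struct bt_sock *socks, size_t n)
{
    char *str = page;
    for (size_t i = 0; i < n; i++)
        str += sprintf(str, LINE_FMT, socks[i].handle, socks[i].psm, socks[i].state);
    return (int)(str - page);
}

/* Hardened pattern: each write is bounded by the space left in the page, and
 * a line that would not fit is dropped and reported instead of written. */
static int show_bounded(char *page, size_t page_size,
                        const struct bt_sock *socks, size_t n, bool *truncated)
{
    size_t used = 0;
    *truncated = false;
    if (page_size == 0)
        return 0;
    page[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int len = snprintf(page + used, page_size - used, LINE_FMT,
                           socks[i].handle, socks[i].psm, socks[i].state);
        if (len < 0 || (size_t)len >= page_size - used) {
            page[used] = '\0';   /* discard the partial line snprintf left */
            *truncated = true;
            break;
        }
        used += (size_t)len;
    }
    return (int)used;
}

/* Builds n constructed socket records with deterministic field values. */
static size_t make_sockets(struct bt_sock *out, size_t n)
{
    if (n > MAX_SOCKS)
        n = MAX_SOCKS;
    for (size_t i = 0; i < n; i++) {
        out[i].handle = 0x1000u + (unsigned int)i;
        out[i].psm = (unsigned short)(1 + (i % 0x1000));
        out[i].state = (int)(i % 10);
    }
    return n;
}

/* Bytes (NUL excluded) the unbounded writer would emit for n sockets,
 * measured with snprintf(NULL, 0, ...) so nothing is actually written. */
static size_t unbounded_bytes_needed(size_t n)
{
    struct bt_sock socks[MAX_SOCKS];
    size_t total = 0;
    n = make_sockets(socks, n);
    for (size_t i = 0; i < n; i++)
        total += (size_t)snprintf(NULL, 0, LINE_FMT, socks[i].handle, socks[i].psm, socks[i].state);
    return total;
}

/* True when the unbounded writer (lines plus terminating NUL) would overrun the page. */
static bool unbounded_overflows(size_t n)
{
    return unbounded_bytes_needed(n) + 1 > MODEL_PAGE_SIZE;
}

/* Runs the bounded writer on n constructed sockets; returns bytes produced. */
static int bounded_bytes_for(size_t n, bool *truncated)
{
    struct bt_sock socks[MAX_SOCKS];
    static char page[MODEL_PAGE_SIZE];
    n = make_sockets(socks, n);
    return show_bounded(page, sizeof page, socks, n, truncated);
}

static int bounded_bytes(size_t n) { bool t; return bounded_bytes_for(n, &t); }
static bool bounded_truncates(size_t n) { bool t; bounded_bytes_for(n, &t); return t; }

int main(void)
{
    struct bt_sock socks[MAX_SOCKS];
    static char page[MODEL_PAGE_SIZE];
    size_t n = make_sockets(socks, 4);
    printf("%d bytes for 4 sockets:\n%s", show_unbounded(page, socks, n), page);
    for (n = 200; n <= 260; n += 20)
        printf("%3zu sockets: unbounded needs %4zu bytes (%s), bounded wrote %4d%s\n",
               n, unbounded_bytes_needed(n), unbounded_overflows(n) ? "OVERFLOW" : "fits",
               bounded_bytes(n), bounded_truncates(n) ? " (truncated)" : "");
    return 0;
}
```

With the 17-byte line assumed here, 240 sockets fill 4080 bytes of the 4096-byte page and the 241st line no longer fits: the unbounded writer would need 4098 bytes including the terminator, while the bounded writer stops at 4080 bytes and flags the truncation. A show function that reports "too many to list" is a far better outcome than one that corrupts the memory after the page.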

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/L...