[VIM] SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability

Steven M. Christey coley at mitre.org
Tue Oct 17 22:13:15 EDT 2006

** working notes - been a long day and if someone wants to follow
   through, I'd appreciate it **

The SecureWorks advisory speaks of a "flaw" and "memory stack
corruption" but does not refer to this as a buffer overflow.  The
affected driver versions go up to 4.00.35.

They include this as a cross-reference:

  Buffer Overrun in Toshiba Bluetooth Stack for Windows

This document, published in June, only specifies versions up to
4.0.23, and it specifically states that there is a buffer overflow,
and it even lists the attack vectors involving L2CAP Echo Requests.

So - is there one bug or 2?

The Toshiba URL they refer to includes a "PC Bluetooth Stack Security
Patch 2" whose Details document says "Fix L2CAP echo issue" (it also
mentions OBEX directory traversal but that is outside this particular

There's also a "PC Bluetooth Stack" section whose Details document
says "Security fix", but the phrase "Bluetooth Stack 4.00.36(T)" seems
to imply that 4.00.36 is also affected, which is inconsistent with the
SecureWorks advisory.


- Steve
