[VIM] SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability

Steven M. Christey coley at linus.mitre.org
Mon Oct 23 18:04:09 EDT 2006

I've done a little bit more investigation but still don't have 100% proof
of acknowledgement for the latest report.

> The SecureWorks advisory speaks of a "flaw" and "memory stack
> corruption" but do not refer to this as a buffer overflow.  The
> affected driver versions go up to 4.00.35.
> They include this as a cross-reference:
>   Buffer Overrun in Toshiba Bluetooth Stack for Windows
>   http://trifinite.org/trifinite_advisory_toshiba.html
> This document, published in June, only specifies versions up to
> 4.0.23, and it specifically states that there is a buffer overflow,
> and it even lists the attack vectors involving L2CAP Echo Requests.
> So - is there one bug or 2?
> The Toshiba URL they refer to includes a "PC Bluetooth Stack Security
> Patch 2" whose Details document says "Fix L2CAP echo issue" (it also
> mentions OBEX directory traversal but that is outside this particular
> discussion).

I decided to regard this as sufficient proof of vendor acknowledgement for
the June trifinite issue (CVE-2006-3146) since the L2CAP lines up and the
original researchers imply that they contacted Toshiba before disclosure.

The OBEX directory traversal issue is probably KF's report

> There's also a "PC Bluetooth Stack" section whose Details document
> says "Security fix", but the phrase "Bluetooth Stack 4.00.36(T)" seems
> to imply that 4.00.36 is also affected, which is inconsistent with the
> SecureWorks advisory.

This inconsistency has not been resolved, although at this point it seems
like they're reporting a different issue than the L2CAP problem, so I'm
treating it differently (CVE-2006-5405).

- Steve

More information about the VIM mailing list