[VIM] SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability

Steven M. Christey coley at mitre.org
Tue Oct 17 22:13:15 EDT 2006



** working notes - been a long day and if someone wants to follow
   through, I'd appreciate it **

The SecureWorks advisory speaks of a "flaw" and "memory stack
corruption" but does not refer to this as a buffer overflow.  The
affected driver versions go up to 4.00.35.

They include this as a cross-reference:

  Buffer Overrun in Toshiba Bluetooth Stack for Windows
  http://trifinite.org/trifinite_advisory_toshiba.html

This document, published in June, only specifies versions up to
4.0.23, and it specifically states that there is a buffer overflow,
and it even lists the attack vectors involving L2CAP Echo Requests.

So - is there one bug or 2?

The Toshiba URL they refer to includes a "PC Bluetooth Stack Security
Patch 2" whose Details document says "Fix L2CAP echo issue" (it also
mentions OBEX directory traversal but that is outside this particular
discussion).

There's also a "PC Bluetooth Stack" section whose Details document
says "Security fix", but the phrase "Bluetooth Stack 4.00.36(T)" seems
to imply that 4.00.36 is also affected, which is inconsistent with the
SecureWorks advisory.

Thoughts?

- Steve

