5.3

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-9804

CVE-2016-9804: In BlueZ 5.42, a buffer overflow was observed in "commands_dump" function in "tools/parser/csr.c"...

In BlueZ 5.42, a buffer overflow was observed in "commands_dump" function in "tools/parser/csr.c" source file. The issue exists because "commands" array is overflowed by supplied parameter due to lack of boundary checks on size of the buffer from frame "frm->ptr" parameter. This issue can be triggered by processing a corrupted dump file and will result in hcidump crash.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2016-9804

CVE-2016-9804:

5.3

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description and the ASAN report from the spinics.net URL clearly identify the commands_dump function in tools/parser/csr.c as the location of the buffer overflow. The ASAN report provides the exact line of code (memcpy(commands, frm->ptr, frm->len);) and the stack trace at the time of the crash. The commands array is a fixed-size buffer on the stack (64 bytes). The memcpy operation uses frm->len as the size to copy, which comes from potentially malicious input (a corrupted dump file). There is no check to ensure frm->len is not greater than 64, leading directly to the buffer overflow. No commit information was available to confirm the fix, but the evidence from the ASAN report is strong.

The following functions would appear in a stack trace during exploitation, leading up to the vulnerable function:

main (in tools/hcidump.c)
read_dump (in tools/hcidump.c)
parse (in tools/parser/parser.h)
hci_dump (in tools/parser/hci.c)
event_dump (in tools/parser/hci.c)
csr_dump (in tools/parser/csr.c)
bccmd_dump (in tools/parser/csr.c)
pskey_dump (in tools/parser/csr.c) However, the directly vulnerable function where the overflow occurs is commands_dump.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2016-9804: In BlueZ 5.42, a buffer overflow was observed in "commands_dump" function in "tools/parser/csr.c"...

CVE-2016-9804:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.3

5.3

CVE-2016-9804: In BlueZ 5.42, a buffer overflow was observed in "commands_dump" function in "tools/parser/csr.c"...

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI