Luiz Augusto von Dentz

7 exploits Active since Oct 2020
CVE-2022-42896 (HIGH)
Linux Kernel < 4.9.335 - Use-After-Free in Bluetooth L2CAP Core
There are use-after-free vulnerabilities in the Linux kernel's net/bluetooth/l2cap_core.c, in the l2cap_connect and l2cap_le_connect_req functions, which may allow code execution and leaking of kernel memory (respectively) remotely via Bluetooth. A remote attacker within Bluetooth proximity of the victim could execute code or leak kernel memory. We recommend upgrading past commit https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4
CVSS 8.0
CVE-2020-27153 (HIGH)
BlueZ < 5.55 - Double Free in GATT Service Discovery
In BlueZ before 5.55, a double free was found in the gatttool disconnect_cb() routine from shared/att.c. A remote attacker could potentially cause a denial of service or code execution, during service discovery, due to a redundant disconnect MGMT event.
CVSS 8.6
CVE-2022-0204 (HIGH)
bluez < 5.63 - Denial of Service via Heap Overflow
A heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network access could pass specially crafted files causing an application to halt or crash, leading to a denial of service.
CVSS 8.8
CVE-2022-42895 (MEDIUM)
Linux Kernel - Information Disclosure via L2CAP Configuration Request Parsing
There is an infoleak vulnerability in the Linux kernel's net/bluetooth/l2cap_core.c, in the l2cap_parse_conf_req function, which can be used to leak kernel pointers remotely. We recommend upgrading past commit https://github.com/torvalds/linux/commit/b1a2cd50c0357f243b7435a732b4e62ba3157a2e
CVSS 5.1
CVE-2023-50229 (HIGH)
BlueZ 5.66-5.69 - Heap-based Buffer Overflow in Phone Book Access Profile
BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20936.
CVSS 8.0
CVE-2023-50230 (HIGH)
BlueZ 5.66-5.70 - Heap-based Buffer Overflow in Phone Book Access Profile
BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the handling of the Phone Book Access profile. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20938.
CVSS 8.0
CVE-2023-51779 (HIGH)
Linux kernel <6.6.8 - Use After Free
bt_sock_recvmsg in net/bluetooth/af_bluetooth.c in the Linux kernel through 6.6.8 has a use-after-free because of a bt_sock_ioctl race condition.
CVSS 7.0