The TOSRFBD.SYS driver for Toshiba Bluetooth Stack 4.00.29 and earlier on Windows allows remote attackers to cause a denial of service (reboot) via a L2CAP echo request that triggers an out-of-bounds memory access, similar to "Ping o' Death" and as demonstrated by BlueSmack. NOTE: this issue was originally reported for 4.00.23.
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
| Link | Tags |
|---|---|
| http://www.vupen.com/english/advisories/2006/2455 | vdb entry vendor advisory |
| http://attrition.org/pipermail/vim/2006-October/001085.html | mailing list |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/27228 | vdb entry |
| http://briankrebswatch.blogspot.com/2006/10/more-on-toshiba-patches.html | |
| http://secunia.com/advisories/20657 | patch vendor advisory third party advisory |
| http://securitytracker.com/id?1016345 | vdb entry |
| http://trifinite.org/trifinite_advisory_toshiba.html | vendor advisory |
| http://www.securityfocus.com/archive/1/437811/100/0/threaded | mailing list |
| http://www.osvdb.org/26686 | vdb entry |
| http://aps.toshiba-tro.de/bluetooth/pages/driverinfo.php?txt=sp2 | |
| http://www.securityfocus.com/bid/18527 | vdb entry exploit |
| http://trifinite.org/blog/archives/2006/06/update_tosiba_a.html |