6.2 CVE-2018-9481

 

In bta_hd_set_report_act of bta_hd_act.cc, there is a possible out-of-bounds read due to an integer overflow. This could lead to remote information disclosure in the Bluetooth service with no additional execution privileges needed. User interaction is not needed for exploitation.
https://nvd.nist.gov/vuln/detail/CVE-2018-9481

Categories

CWE-125 : Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer. When an out-of-bounds read occurs, typically the product has already made a separate mistake, such as modifying an index or performing pointer arithmetic that produces an out-of-bounds address. Shorthand for "Out of bounds" read Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Use a language that provides appropriate memory abstractions. The reference implementation code for a Trusted Platform Module does not implement length checks on data, allowing for an attacker to read 2 bytes past the end of a buffer. Out-of-bounds read in IP stack used in embedded systems, as exploited in the wild per CISA KEV. Chain: "Heartbleed" bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data. HTML conversion package has a buffer under-read, allowing a crash Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125) Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122). Chain: series of floating-point precision errors(CWE-1339) in a web browser rendering engine causes out-of-bounds read(CWE-125), giving access to cross-origin data out-of-bounds read due to improper length check packet with large number of specified elements cause out-of-bounds read. packet with large number of specified elements cause out-of-bounds read. out-of-bounds read, resultant from integer underflow large length value causes out-of-bounds read malformed image causes out-of-bounds read OS kernel trusts userland-supplied length value, allowing reading of sensitive information

References


 

CPE

cpe start end


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
540 Overread Buffers
High