[SMT-SA-2015-01] Toshiba bluetooth unquoted path vulnerability

Vulnerability Type: Unquoted Search Path

CVE: CVE-2015-0884

Products and affected versions:
Bluetooth Stack for Windows by Toshiba versions 9.10.27(T) and earlier, as well as TOSHIBA Service

Station versions 2.2.13 and earlier, contain a trusted service path privilege escalation vulnerability.

Cert Advisory:

Vulnerability Details

A possible privilege escalation vulnerability exisits in Toshiba "Bluetooth Service" and "Machine
Information" Services. The issue is due to the Services above run at startup with the following path
without quotes:

C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

This could be exploited by a local user in order to execute code with SYSTEM privileges by placing a malicious c:\Program.exe  or
C:\Program Files (x86)\Toshiba\Bluetooth.exe or C:\Program Files (x86)\TOSHIBA\TOSHIBA.exe files.

This occur because Windows differentiate between the program and the arguments by using The SPACE as a delimiter between the program to execute and the arguments.

A generic exploit exists for this type of vulnerability


Toshiba recommends upgrading Bluetooth Stack for Windows by Toshiba to version 9.10.32(T) and TOSHIBA Service Station to 2.2.14


Other References



Giovanni Delvecchio
SmartNet s.r.l.

All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
o be able to attack or damage. Therefore SmartNet s.r.l shall
not be liable for any direct or indirect damages that might be
caused by using this information.