[SMT-SA-2015-01] Toshiba bluetooth unquoted path vulnerability

Vulnerability Type: Unquoted Search Path

CVE: CVE-2015-0884

Products and affected versions:
Bluetooth Stack for Windows by Toshiba versions 9.10.27(T) and earlier, as well as TOSHIBA Service

Station versions 2.2.13 and earlier, contain a trusted service path privilege escalation vulnerability.

Cert Advisory:
https://www.kb.cert.org/vuls/id/632140


=================
Vulnerability Details
=================

A possible privilege escalation vulnerability exisits in Toshiba "Bluetooth Service" and "Machine
Information" Services. The issue is due to the Services above run at startup with the following path
without quotes:

C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

This could be exploited by a local user in order to execute code with SYSTEM privileges by placing a malicious c:\Program.exe  or
C:\Program Files (x86)\Toshiba\Bluetooth.exe or C:\Program Files (x86)\TOSHIBA\TOSHIBA.exe files.

This occur because Windows differentiate between the program and the arguments by using The SPACE as a delimiter between the program to execute and the arguments.

A generic exploit exists for this type of vulnerability
http://www.rapid7.com/db/modules/exploit/windows/local/trusted_service_path


=========
Solutions
=========

Toshiba recommends upgrading Bluetooth Stack for Windows by Toshiba to version 9.10.32(T) and TOSHIBA Service Station to 2.2.14

http://www.support.toshiba.com/sscontent?contentId=4007185
http://www.support.toshiba.com/sscontent?contentId=4007187

================
Other References
================

https://www.kb.cert.org/vuls/id/632140
http://jvn.jp/vu/JVNVU99205169/index.html
http://cwe.mitre.org/data/definitions/428.html

==============
Credits/Author
==============

Giovanni Delvecchio
SmartNet s.r.l.


==========
Disclaimer
==========
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
o be able to attack or damage. Therefore SmartNet s.r.l shall
not be liable for any direct or indirect damages that might be
caused by using this information.


Comments