CVE-2006-6899 - Configuration vulnerability in Bluez Project Bluez

CVSS 5.4 - MEDIUM
Attack vector: ADJACENT_NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
bluez-project, CWE-16, nessus, exploit available

Summary

hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain control of the (1) Mouse and (2) Keyboard Human Interface Device (HID) via a certain configuration of two HID (PSM) endpoints, operating as a server, aka HidAttack.

Vulnerable Configurations

Part | Description | Count
OS | Bluez_Project | 1

Common Weakness Enumeration (CWE)

Exploit-Db

description: BlueZ 1.x/2.x HIDD Bluetooth HID Command Injection Vulnerability. CVE-2006-6899. Remote exploit for linux platform
id: EDB-ID:29471
last seen: 2016-02-03
modified: 2007-11-16
published: 2007-11-16
reporter: Collin Mulliner
source: https://www.exploit-db.com/download/29471/
title: BlueZ 1.x/2.x - HIDD Bluetooth HID Command Injection Vulnerability

Nessus

  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2007-0065.NASL
    description: From Red Hat Security Advisory 2007:0065 : Updated bluez-utils packages that fix a security flaw are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The bluez-utils package contains Bluetooth daemons and utilities. A flaw was found in the Bluetooth HID daemon (hidd). A remote attacker would have been able to inject keyboard and mouse events via a Bluetooth connection without any authorization. (CVE-2006-6899) Note that Red Hat Enterprise Linux does not come with the Bluetooth HID daemon enabled by default. Users of bluez-utils are advised to upgrade to these updated packages, which contains a backported patch to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67448
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67448
    title: Oracle Linux 4 : bluez-utils (ELSA-2007-0065)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2007:0065 and 
    # Oracle Linux Security Advisory ELSA-2007-0065 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67448);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/25 13:36:06");
    
      script_cve_id("CVE-2006-6899");
      script_xref(name:"RHSA", value:"2007:0065");
    
      script_name(english:"Oracle Linux 4 : bluez-utils (ELSA-2007-0065)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2007:0065 :
    
    Updated bluez-utils packages that fix a security flaw are now
    available for Red Hat Enterprise Linux 4.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The bluez-utils package contains Bluetooth daemons and utilities.
    
    A flaw was found in the Bluetooth HID daemon (hidd). A remote attacker
    would have been able to inject keyboard and mouse events via a
    Bluetooth connection without any authorization. (CVE-2006-6899)
    
    Note that Red Hat Enterprise Linux does not come with the Bluetooth
    HID daemon enabled by default.
    
    Users of bluez-utils are advised to upgrade to these updated packages,
    which contains a backported patch to correct this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2007-May/000133.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected bluez-utils packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P");
      script_cwe_id(16);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:bluez-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:bluez-utils-cups");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/05/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 4", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"bluez-utils-2.10-2.2")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"bluez-utils-2.10-2.2")) flag++;
    if (rpm_check(release:"EL4", cpu:"i386", reference:"bluez-utils-cups-2.10-2.2")) flag++;
    if (rpm_check(release:"EL4", cpu:"x86_64", reference:"bluez-utils-cups-2.10-2.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bluez-utils / bluez-utils-cups");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-413-1.NASL
    description: A flaw was discovered in the HID daemon of bluez-utils. A remote attacker could gain control of the mouse and keyboard if hidd was enabled. This does not affect a default Ubuntu installation, since hidd is normally disabled. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 28002
    published: 2007-11-10
    reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2007-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/28002
    title: Ubuntu 5.10 : bluez-utils vulnerability (USN-413-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-413-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(28002);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:33:01");
    
      script_cve_id("CVE-2006-6899");
      script_xref(name:"USN", value:"413-1");
    
      script_name(english:"Ubuntu 5.10 : bluez-utils vulnerability (USN-413-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A flaw was discovered in the HID daemon of bluez-utils. A remote
    attacker could gain control of the mouse and keyboard if hidd was
    enabled. This does not affect a default Ubuntu installation, since
    hidd is normally disabled.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected bluez-cups, bluez-pcmcia-support and / or
    bluez-utils packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:P");
      script_cwe_id(16);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:bluez-cups");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:bluez-pcmcia-support");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:bluez-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/01/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10");
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/01/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2007-2016 Tenable Network Security, Inc.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(5\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"5.10", pkgname:"bluez-cups", pkgver:"2.20-0ubuntu3.1")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"bluez-pcmcia-support", pkgver:"2.20-0ubuntu3.1")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"bluez-utils", pkgver:"2.20-0ubuntu3.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bluez-cups / bluez-pcmcia-support / bluez-utils");
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2007-0065.NASL
    description: Updated bluez-utils packages that fix a security flaw are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The bluez-utils package contains Bluetooth daemons and utilities. A flaw was found in the Bluetooth HID daemon (hidd). A remote attacker would have been able to inject keyboard and mouse events via a Bluetooth connection without any authorization. (CVE-2006-6899) Note that Red Hat Enterprise Linux does not come with the Bluetooth HID daemon enabled by default. Users of bluez-utils are advised to upgrade to these updated packages, which contains a backported patch to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67038
    published: 2013-06-29
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67038
    title: CentOS 4 : bluez-utils (CESA-2007:0065)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2007-014.NASL
    description: hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain control of the (1) Mouse and (2) Keyboard Human Interface Device (HID) via a certain configuration of two HID (PSM) endpoints, operating as a server, aka HidAttack. hidd is not enabled by default on Mandriva 2006.0. This update adds the --nocheck option (disabled by default) to the hidd binary, which defaults to rejecting connections from unknown devices unless --nocheck is enabled. The updated packages have been patched to correct this problem.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24630
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24630
    title: Mandrake Linux Security Advisory : bluez-utils (MDKSA-2007:014)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2007-0065.NASL
    description: Updated bluez-utils packages that fix a security flaw are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The bluez-utils package contains Bluetooth daemons and utilities. A flaw was found in the Bluetooth HID daemon (hidd). A remote attacker would have been able to inject keyboard and mouse events via a Bluetooth connection without any authorization. (CVE-2006-6899) Note that Red Hat Enterprise Linux does not come with the Bluetooth HID daemon enabled by default. Users of bluez-utils are advised to upgrade to these updated packages, which contains a backported patch to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25238
    published: 2007-05-16
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/25238
    title: RHEL 4 : bluez-utils (RHSA-2007:0065)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20070514_BLUEZ_UTILS_ON_SL4_X.NASL
    description: A flaw was found in the Bluetooth HID daemon (hidd). A remote attacker would have been able to inject keyboard and mouse events via a Bluetooth connection without any authorization. (CVE-2006-6899)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60179
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60179
    title: Scientific Linux Security Update : bluez-utils on SL4.x i386/x86_64

Oval

accepted: 2013-04-29T04:03:32.549-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain control of the (1) Mouse and (2) Keyboard Human Interface Device (HID) via a certain configuration of two HID (PSM) endpoints, operating as a server, aka HidAttack.
family: unix
id: oval:org.mitre.oval:def:10208
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain control of the (1) Mouse and (2) Keyboard Human Interface Device (HID) via a certain configuration of two HID (PSM) endpoints, operating as a server, aka HidAttack.
version: 26

Redhat

advisories
bugzilla
id: 227014
title: CVE-2006-6899 Bluetooth HID key events injection flaw
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 4 is installed
      oval: oval:com.redhat.rhba:tst:20070304025
    • OR
      • AND
        • comment: bluez-utils is earlier than 0:2.10-2.2
          oval: oval:com.redhat.rhsa:tst:20070065001
        • comment: bluez-utils is signed with Red Hat master key
          oval: oval:com.redhat.rhsa:tst:20070065002
      • AND
        • comment: bluez-utils-cups is earlier than 0:2.10-2.2
          oval: oval:com.redhat.rhsa:tst:20070065003
        • comment: bluez-utils-cups is signed with Red Hat master key
          oval: oval:com.redhat.rhsa:tst:20070065004
rhsa
id: RHSA-2007:0065
released: 2008-01-07
severity: Moderate
title: RHSA-2007:0065: bluez-utils security update (Moderate)
rpms
  • bluez-utils-0:2.10-2.2
  • bluez-utils-cups-0:2.10-2.2
  • bluez-utils-debuginfo-0:2.10-2.2
  • bluez-utils-debuginfo-0:2.10-2.2

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 22076 CVE(CAN) ID: CVE-2006-6899 BlueZ is the official Linux Bluetooth protocol stack. The BlueZ Human Interface Device (HID) host accepts device connections without authentication. If certain configurations of HID (PSM) endpoints run in server mode, an attacker may be able to add new Bluetooth devices (such as a mouse or keyboard) to the affected system and gain full control. Affected systems: BlueZ BlueZ < 2.25 Unaffected systems: BlueZ BlueZ 2.25 Vendor patch: BlueZ ----- The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page: http://www.bluez.org/redirect.php?url=http%3A%2F%2Fbluez.sf.net%2Fdownload%2Fbluez-utils-3.8.tar.gz
id: SSV:1227
last seen: 2017-11-19
modified: 2007-01-17
published: 2007-01-17
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-1227
title: BlueZ HID Insecure Device Connection Vulnerability