CVE-2015-8612
published 2016-01-08
CVE-2015-8612: The EnableNetwork method in the Network class in plugins/mechanism/Network.py in Blueman before 2.0.3 allows local users to gain privileges via the…
Priority P354 | high | 8.4 CVSS 3.0
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 6.34% (92.8th percentile)
The EnableNetwork method in the Network class in plugins/mechanism/Network.py in Blueman before 2.0.3 allows local users to gain privileges via the dhcp_handler argument.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blueman_project | blueman | <= 2.0 | — |
| blueman_project | blueman | >= 0 < 2.0.3-1 | 2.0.3-1 |
| blueman_project | blueman | >= 0 < 2.0.3-1 | 2.0.3-1 |
| blueman_project | blueman | >= 0 < 2.0.3-1 | 2.0.3-1 |
| blueman_project | blueman | >= 0 < 2.0.3-1 | 2.0.3-1 |
| debian | blueman | < blueman 2.0.3-1 (bookworm) | blueman 2.0.3-1 (bookworm) |
Detection & IOCs
command: `dbus-send --system --print-reply --dest=org.blueman.Mechanism --type=method_call / org.blueman.Mechanism.EnableNetwork 'string:[]' 'string:[]' 'string:<payload>'`
command: `dbus-send --system --print-reply --dest=org.blueman.Mechanism --type=method_call / org.freedesktop.DBus.Introspectable.Introspect`
- Monitor D-Bus traffic for calls to org.blueman.Mechanism.EnableNetwork with a non-empty or suspicious dhcp_handler (third string argument); this is the injection point passed to eval() as root.
- Detect exploitation by checking for the vulnerable eval pattern in the running blueman process: the string 'eval("nc.set_dhcp_handler(%s)" % dhcp_handler)' in the D-Bus response indicates a vulnerable target.
- Alert on execution of hidden (dot-prefixed) random-named executables dropped in /tmp by a non-root user, followed by a D-Bus call to org.blueman.Mechanism.EnableNetwork; this matches the Metasploit exploit's payload delivery pattern.
- Check for presence of dbus-send invocations targeting org.blueman.Mechanism from unprivileged user sessions as a precursor indicator.
- The vulnerability only affects blueman versions prior to 2.0.3; systems running blueman 2.0.3 or later (or 2.1+) are not vulnerable.
- Exploitation requires a local session (shell or meterpreter) on the target; this is not a remote vulnerability.
- The exploit requires a writable directory (default /tmp) to stage the payload binary.
- Fedora 23 ships blueman-2.1-0.3.git7a2e20e.fc23 and is not vulnerable despite the CVE.
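The eval pattern quoted in the detection notes, reduced to an added Python example (not Blueman's code and not its actual patch): it shows why formatting the D-Bus string into source text lets the caller change the shape of the evaluated expression, next to an allow-list lookup that treats the string as data. The handler class names and all three helper functions are assumptions made for illustration, and the sample argument values used with them are constructed.

```python
import ast


# Hypothetical stand-ins for the DHCP handler classes (names are assumptions).
class DnsMasqHandler: ...
class DhcpdHandler: ...
class UdhcpdHandler: ...


ALLOWED_HANDLERS = {
    cls.__name__: cls for cls in (DnsMasqHandler, DhcpdHandler, UdhcpdHandler)
}


def vulnerable_expression(dhcp_handler: str) -> str:
    """Build, but never evaluate, the text the quoted pattern hands to eval()."""
    return "nc.set_dhcp_handler(%s)" % dhcp_handler


def resolve_dhcp_handler(dhcp_handler: str):
    """Hardened form: the D-Bus string is a lookup key, never source code."""
    try:
        return ALLOWED_HANDLERS[dhcp_handler]
    except (KeyError, TypeError):
        raise ValueError("unsupported dhcp_handler: %r" % (dhcp_handler,)) from None


def classify_dhcp_handler(dhcp_handler: str) -> str:
    """Triage a logged third argument: allowed, unknown-name, code or malformed."""
    if dhcp_handler in ALLOWED_HANDLERS:
        return "allowed"
    try:
        tree = ast.parse(vulnerable_expression(dhcp_handler), mode="eval")
    except SyntaxError:
        return "malformed"
    call = tree.body
    # A benign value leaves exactly one shape: nc.set_dhcp_handler(<bare name>).
    benign_shape = (
        isinstance(call, ast.Call)
        and isinstance(call.func, ast.Attribute)
        and isinstance(call.func.value, ast.Name)
        and not call.keywords
        and len(call.args) == 1
        and isinstance(call.args[0], ast.Name)
    )
    return "unknown-name" if benign_shape else "code"
```

Anything classified as `code` or `malformed` in captured EnableNetwork calls is worth an alert, since a legitimate client only ever sends a handler name.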
CVSS provenance
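| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.4 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 8.4 | HIGH | |
| vendor_debian | | 8.4 | HIGH | |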
Debian
CVE-2015-8612: blueman - The EnableNetwork method in the Network class in plugins/mechanism/Network.py in...
vendor_debian·2015·CVSS 8.4
Scope: local
bookworm: resolved (fixed in 2.0.3-1)
bullseye: resolved (fixed in 2.0.3-1)
forky: resolved (fixed in 2.0.3-1)
sid: resolved (fixed in 2.0.3-1)
trixie: resolved (fixed in 2.0.3-1)
OSV
CVE-2015-8612: The EnableNetwork method in the Network class in plugins/mechanism/Network
osv·2016-01-08·CVSS 8.4
No detection rules found.
Exploit-DB
blueman - set_dhcp_handler D-Bus Privilege Escalation (Metasploit)
exploitdb·2019-01-16
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'blueman set_dhcp_handler D-Bus Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges by exploiting a Python
code injection vulnerability in blueman versions prior to 2.0.3.
The `org.blueman.Mechanism.EnableNetwork` D-Bus interface exposes the
`set_dhcp_handler` function which uses user input in a call to `eval`,
without sanitization, resulting in arbitrary code execution as root.
This module has been tested successfully with blueman version 1.23
on Debian 8 Jessie (x64).
},
'License' => MSF_LICENSE,
'Author' =>
[
'the gru
Exploit-DB
FreeBSD - Multiple Vulnerabilities
exploitdb·2015-01-29·CVSS 7.2
---
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
FreeBSD Kernel Multiple Vulnerabilities
1. *Advisory Information*
Title: FreeBSD Kernel Multiple Vulnerabilities
Advisory ID: CORE-2015-0003
Advisory URL: http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities
Date published: 2015-01-27
Date of last update: 2015-01-27
Vendors contacted: FreeBSD
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Unsigned to Signed Conversion Error [CWE-196], Improper Validation of Array Index [CWE-129], Improper Validation of Array Index [CWE-129]
Impact: Code execution, Denial of service
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-0998, CVE-2014-8612, CVE-2014-8612
3. *Vulne
Metasploit
blueman set_dhcp_handler D-Bus Privilege Escalation
metasploit
This module attempts to gain root privileges by exploiting a Python code injection vulnerability in blueman versions prior to 2.0.3. The `org.blueman.Mechanism.EnableNetwork` D-Bus interface exposes the `set_dhcp_handler` function which uses user input in a call to `eval`, without sanitization, resulting in arbitrary code execution as root. This module has been tested successfully with blueman version 1.23 on Debian 8 Jessie (x64).
- http://packetstormsecurity.com/files/135047/Slackware-Security-Advisory-blueman-Updates.html
- http://www.debian.org/security/2015/dsa-3427
- http://www.openwall.com/lists/oss-security/2015/12/18/6
- http://www.openwall.com/lists/oss-security/2015/12/19/1
- http://www.securityfocus.com/bid/79688
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.421085
- https://github.com/blueman-project/blueman/issues/416
- https://github.com/blueman-project/blueman/releases/tag/2.0.3
- https://twitter.com/thegrugq/status/677809527882813440
- https://www.exploit-db.com/exploits/46186/
Published: 2016-01-08