CVE-2015-8612
published 2016-01-08

Priority: P354 (high)
CVSS 3.0: 8.4, vector CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 6.34% (92.8th percentile)
The EnableNetwork method in the Network class in plugins/mechanism/Network.py in Blueman before 2.0.3 allows local users to gain privileges via the dhcp_handler argument.

Affected

6 ranges

Vendor            Product   Version range                  Fixed in
blueman_project   blueman   <= 2.0                         -
blueman_project   blueman   >= 0, < 2.0.3-1                2.0.3-1
blueman_project   blueman   >= 0, < 2.0.3-1                2.0.3-1
blueman_project   blueman   >= 0, < 2.0.3-1                2.0.3-1
blueman_project   blueman   >= 0, < 2.0.3-1                2.0.3-1
debian            blueman   < blueman 2.0.3-1 (bookworm)   blueman 2.0.3-1 (bookworm)

Detection & IOCs (extracted from sources)

path: plugins/mechanism/Network.py
command: dbus-send --system --print-reply --dest=org.blueman.Mechanism --type=method_call / org.blueman.Mechanism.EnableNetwork 'string:[]' 'string:[]' 'string:<payload>'
command: dbus-send --system --print-reply --dest=org.blueman.Mechanism --type=method_call / org.freedesktop.DBus.Introspectable.Introspect
command: os.system("<payload_path>&")
  • Monitor D-Bus traffic for calls to org.blueman.Mechanism.EnableNetwork with a non-empty or suspicious dhcp_handler (the third string argument): this is the injection point that vulnerable versions pass to eval() as root.
  • Detect exploitation by checking for the vulnerable eval pattern in the running blueman process: the string 'eval("nc.set_dhcp_handler(%s)" % dhcp_handler)' in the D-Bus response indicates a vulnerable target.
  • Alert on execution of hidden (dot-prefixed), randomly named executables dropped in /tmp by a non-root user and followed by a D-Bus call to org.blueman.Mechanism.EnableNetwork; this matches the Metasploit module's payload delivery pattern.
  • Treat dbus-send invocations targeting org.blueman.Mechanism from unprivileged user sessions as a precursor indicator.
  • The vulnerability only affects blueman versions prior to 2.0.3; systems running blueman 2.0.3 or later (including 2.1+) are not vulnerable.
  • Exploitation requires a local session (shell or meterpreter) on the target; this is not a remote vulnerability.
  • The exploit requires a writable directory (/tmp by default) to stage the payload binary.
  • Fedora 23 ships blueman-2.1-0.3.git7a2e20e.fc23 and is not vulnerable despite the CVE.
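As an added defender-side example (not code from this page or from the Blueman project), the following script applies the first detection bullet above to dbus-monitor --system output: it groups each method-call header with its string arguments and flags EnableNetwork calls whose dhcp_handler could not be a plain handler-class name. The dbus-monitor line format, the assumption that legitimate handler values are bare identifiers, and the sample log are all constructed assumptions.

```python
import re

# dbus-monitor --system prints one header line per message, then its
# arguments one per indented line (format assumed, not taken from the page).
HEADER_RE = re.compile(r"^method call .*interface=(?P<iface>[^;]+); member=(?P<member>\S+)")
ARG_RE = re.compile(r'^\s+string "(?P<val>.*)"$')
# Assumption: a legitimate dhcp_handler names a handler class, so only
# identifier characters are expected; an empty value is treated as benign.
BENIGN_HANDLER_RE = re.compile(r"[A-Za-z0-9_]*")

def parse_calls(lines):
    """Yield [line_no, interface, member, string_args] for each method call."""
    current = None
    for no, line in enumerate(lines, 1):
        m = HEADER_RE.match(line)
        if m:
            if current:
                yield current
            current = [no, m["iface"], m["member"], []]
        elif current and (a := ARG_RE.match(line)):
            current[3].append(a["val"])
    if current:
        yield current

def find_suspicious(lines):
    """Return (line_no, dhcp_handler) for EnableNetwork calls whose third string
    argument is not a bare identifier, i.e. would reach eval() in vulnerable Blueman."""
    findings = []
    for no, iface, member, args in parse_calls(lines):
        if iface != "org.blueman.Mechanism" or member != "EnableNetwork":
            continue
        handler = args[2] if len(args) >= 3 else ""
        if BENIGN_HANDLER_RE.fullmatch(handler) is None:
            findings.append((no, handler))
    return findings

# Constructed sample: a legitimate call, an injection attempt with a
# placeholder payload, and an unrelated introspection call.
SAMPLE_LOG = """\
method call time=1609459200.1 sender=:1.42 -> destination=org.blueman.Mechanism serial=2 path=/; interface=org.blueman.Mechanism; member=EnableNetwork
   string "10.0.0.1"
   string "255.255.255.0"
   string "DhcpdHandler"
method call time=1609459201.2 sender=:1.77 -> destination=org.blueman.Mechanism serial=3 path=/; interface=org.blueman.Mechanism; member=EnableNetwork
   string "[]"
   string "[]"
   string "<payload>"
method call time=1609459202.3 sender=:1.77 -> destination=org.blueman.Mechanism serial=4 path=/; interface=org.freedesktop.DBus.Introspectable; member=Introspect
"""
```

Running `find_suspicious(SAMPLE_LOG.splitlines())` reports only the second call (line 5 of the sample) with its placeholder handler value; feed it the live output of `dbus-monitor --system` to watch the bus in real time.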

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      8.4     HIGH       CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
osv             -         8.4     HIGH       -
vendor_debian   -         8.4     HIGH       -