MYHACK58:62201789526

BlueBorne Bluetooth vulnerabilities: in-depth analysis and PoC - Vulnerability Warning - myhack58 (黑吧安全网)

2017-09-29 00:00:00
佚名 (anonymous)
www.myhack58.com

CVSS3: 8.8 High (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: ADJACENT_NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 8.3 High (AV:A/AC:L/Au:N/C:C/I:C/A:C)
  Access Vector: ADJACENT_NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

EPSS: 0.02 Low (Percentile 87.5%)

A few days ago Armis disclosed a series of Bluetooth vulnerabilities (BlueBorne). An affected device can be attacked with no user interaction and without the user noticing anything, and essentially every Bluetooth-capable device is affected, so the potential damage is enormous. See https://www.armis.com/blueborne/ for how it works: a phone only needs to have Bluetooth switched on to be attackable. Given how many phones are in use today, a worm built on these vulnerabilities could become a mobile version of WannaCry. As soon as our 360 Vulpecker Team learned of this, we started following up and analysing. Armis published a whitepaper that describes the Bluetooth architecture and the vulnerabilities, but the vulnerability analysis in it is rather brief. They released no PoC or exploit for the vulnerabilities, only an Android "BlueBorne detection app", which on reverse engineering turns out to do nothing more than check the system's security patch date. So I picked up where they left off, analysed a few of the vulnerabilities, and wrote PoCs for them:

  • CVE-2017-1000250 Linux bluetoothd process information leak
  • CVE-2017-1000251 Linux kernel stack overflow
  • CVE-2017-0785 Android com.android.bluetooth process information leak
  • CVE-2017-0781 Android com.android.bluetooth process heap overflow
  • CVE-2017-0782 Android com.android.bluetooth process heap overflow

    The PoC code for the above is at
    https://github.com/marsyy/littl_tools/tree/master/bluetooth
    Because I only started working on Bluetooth from scratch on account of these vulnerabilities, some of the analysis may be inaccurate; corrections from more experienced readers are welcome.
    0x01 Bluetooth architecture and code layout
    First, the figure from the Armis paper:
    ![Bluetooth protocol stack (from the Armis whitepaper)](/Article/UploadPic/2017-9/201792913526931.png?www.myhack58.com)
    The figure describes each layer of the Bluetooth stack in detail; for now we only need to care about a few of them: HCI, L2CAP, BNEP and SDP. BNEP and SDP are upper-layer services; HCI sits at the bottom and talks directly to the Bluetooth hardware; and the bridge between the Bluetooth services and the underlying hardware is the L2CAP layer. Each layer has its own protocol that defines the layout of its data, and the headers of all the layers stacked together make up a complete Bluetooth packet. Taking an SDP packet as an example:
    ![Layering of an SDP packet: HCI, L2CAP and SDP headers](/Article/UploadPic/2017-9/201792913526181.png?www.myhack58.com)
    While the protocol architecture is as the figure shows, the implementations differ: Linux uses BlueZ, and current Android uses BlueDroid. The code layout of both stacks is described below.
    BlueZ
    Linux uses the BlueZ stack: the user-space daemon bluetoothd provides the upper-layer services such as BNEP and SDP, while the L2CAP layer is implemented in the kernel. For BlueZ we only analyse SDP and L2CAP.
    1. The SDP service code is in the src/ directory of the BlueZ source (the sdp*.c files): sdp-client.c is the client side and sdpd-server.c is the server side. The vulnerabilities we analyse are all remote ones, triggered on the server side, so we concentrate on the server. The key server code is the handling of a received packet, which is implemented in sdpd-request.c. When the L2CAP layer delivers SDP data, the io_session_event function in sdpd-server.c is triggered to read the packet, which is then processed by handle_request in sdpd-request.c (how it is processed is covered later, with each vulnerability):
    static gboolean io_session_event(GIOChannel *chan, GIOCondition cond, gpointer data)
    {
        sdp_pdu_hdr_t hdr;
        uint8_t *buf;
        int sk, len, size;
        ...
        /* peek at the SDP PDU header to learn how large the whole PDU is */
        len = recv(sk, &hdr, sizeof(sdp_pdu_hdr_t), MSG_PEEK);
        if (len < 0 || (unsigned int) len < sizeof(sdp_pdu_hdr_t)) {
            sdp_svcdb_collect_all(sk);
            return FALSE;
        }

        /* plen comes from the remote peer; the buffer is sized from it */
        size = sizeof(sdp_pdu_hdr_t) + ntohs(hdr.plen);
        buf = malloc(size);
        if (!buf)
            return TRUE;

        /* read the complete PDU */
        len = recv(sk, buf, size, 0);
        ...
        handle_request(sk, buf, len);

        return TRUE;
    }
2. The L2CAP layer lives in the kernel; the code here is from Linux 4.2.8. L2CAP is mainly implemented in net/bluetooth/l2cap_core.c and net/bluetooth/l2cap_sock.c: l2cap_core.c implements the core of the L2CAP protocol, and l2cap_sock.c registers a socket protocol that exposes this layer to user space. What we care about is the handling path of a received L2CAP packet. L2CAP data is handed up by the HCI layer, in the hci_rx_work function of net/bluetooth/hci_core.c:
static void hci_rx_work(struct work_struct *work)
{
	struct hci_dev *hdev = container_of(work, struct hci_dev, rx_work);
	struct sk_buff *skb;
	...
	while ((skb = skb_dequeue(&hdev->rx_q))) {
		/* Send copy to monitor */
		hci_send_to_monitor(hdev, skb);
		...
		/* Process frame: dispatch on the HCI packet type */
		switch (bt_cb(skb)->pkt_type) {
		case HCI_EVENT_PKT:
			BT_DBG("%s Event packet", hdev->name);
			hci_event_packet(hdev, skb);
			break;

		case HCI_ACLDATA_PKT:
			BT_DBG("%s ACL data packet", hdev->name);
			/* ACL data carries L2CAP; hci_acldata_packet() hands it to l2cap_recv_acldata() */
			hci_acldata_packet(hdev, skb);
			break;

		case HCI_SCODATA_PKT:
			BT_DBG("%s SCO data packet", hdev->name);
			hci_scodata_packet(hdev, skb);
			break;

		default:
			kfree_skb(skb);
			break;
		}
	}
}