CVSS3: 8.8 High
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 8.3 High
Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.02 Low
Percentile: 87.5%
The other day Armis disclosed a series of Bluetooth flaws (BlueBorne). They need no user interaction, the receiving system gets no hint that it is being attacked, and essentially every Bluetooth-capable device is affected, so the potential damage is immeasurable; see https://www.armis.com/blueborne/ for how it works. The bar is low: the victim's phone only needs to have Bluetooth turned on. With so many phones in use today, a worm written against these flaws could become a mobile version of WannaCry. We, the 360Vulpecker Team, began follow-up analysis as soon as we learned of this. Armis published a whitepaper on the Bluetooth architecture and on the flaws, but the detail it gives is far too thin and leaves the reader in the dark. They released no PoC or exploit for these flaws, only an Android "BlueBorne detection app", and reversing that app shows it merely checks the system's patch date. So, building on their published work, I analysed the flaws myself and wrote PoCs for them:
    size = sizeof(sdp_pdu_hdr_t) + ntohs(hdr.plen);
    buf = malloc(size);
    if (!buf)
        return TRUE;
    len = recv(sk, buf, size, 0); // get the complete data packet
    …
    handle_request(sk, buf, len);
    return TRUE;
}
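The snippet above sizes its allocation from the peer-supplied plen and then passes whatever recv returned straight to handle_request. As an added example (not BlueZ code; sdp_pdu_hdr_t here is a local copy of the header layout and SDP_MAX_PLEN is an assumed ceiling), this is the same read path with the length checks a reviewer would want: the parameter length is capped, and the PDU is only handed on when its whole body is actually present.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Wire layout of the SDP PDU header: pdu_id, transaction id, parameter length
 * (16-bit fields big-endian). Local copy of the layout, not BlueZ's header. */
typedef struct __attribute__((packed)) {
    uint8_t  pdu_id;
    uint16_t tid;
    uint16_t plen;
} sdp_pdu_hdr_t;

/* Ceiling on the parameter block buffered for one PDU.
 * Assumed value for this example; choose it per deployment. */
#define SDP_MAX_PLEN 1024

enum sdp_rc { SDP_OK = 0, SDP_ERR_SHORT_HDR = -1, SDP_ERR_PLEN_TOO_BIG = -2,
              SDP_ERR_TRUNCATED = -3, SDP_ERR_NOMEM = -4 };

/* Parse one SDP PDU from `avail` bytes already read from the socket. Follows the
 * page's peek-header / malloc(size) / read-size pattern, but only hands the PDU
 * on when plen is within the ceiling and the whole body is really present.
 * On SDP_OK, *out is a malloc'ed copy of header+body and *out_len its length. */
enum sdp_rc sdp_read_pdu(const uint8_t *stream, size_t avail,
                         uint8_t **out, size_t *out_len)
{
    sdp_pdu_hdr_t hdr;
    if (avail < sizeof(hdr))
        return SDP_ERR_SHORT_HDR;        /* the MSG_PEEK read would come up short */
    memcpy(&hdr, stream, sizeof(hdr));

    uint16_t plen = ntohs(hdr.plen);
    if (plen > SDP_MAX_PLEN)
        return SDP_ERR_PLEN_TOO_BIG;     /* bound the peer-controlled allocation */
    size_t size = sizeof(hdr) + plen;
    if (avail < size)
        return SDP_ERR_TRUNCATED;        /* never dispatch a partially filled buffer */

    uint8_t *buf = malloc(size);
    if (!buf)
        return SDP_ERR_NOMEM;
    memcpy(buf, stream, size);
    *out = buf;
    *out_len = size;
    return SDP_OK;
}
```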
2. The L2CAP layer in the kernel. I use the Linux 4.2.8 source as the example here. The L2CAP layer is implemented mainly in net/bluetooth/l2cap_core.c and net/bluetooth/l2cap_sock.c: l2cap_core.c implements the core of the L2CAP protocol, and l2cap_sock.c registers a socket protocol that exposes this layer to userspace. What we care about is the processing path of an L2CAP packet once it has been received. L2CAP data is handed up from the HCI layer, in the hci_rx_work function in hci_core.c:
static void hci_rx_work(struct work_struct *work)
{
    while ((skb = skb_dequeue(&hdev->rx_q))) {
        /* Send copy to monitor */
        hci_send_to_monitor(hdev, skb);
        …
        switch (bt_cb(skb)->pkt_type) {
        case HCI_EVENT_PKT:
            BT_DBG("%s Event packet", hdev->name);
            hci_event_packet(hdev, skb);
            break;
        case HCI_ACLDATA_PKT:
            BT_DBG("%s ACL data packet", hdev->name);
            hci_acldata_packet(hdev, skb);