'Re: [FD] =?utf-8?q?Critical_Bluetooth_Vulnerability_in_Android_=28CVE?='

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [FD] =?utf-8?q?Critical_Bluetooth_Vulnerability_in_Android_=28CVE?=
From:       Marcin Kozlowski <marcinguy () gmail ! com>
Date:       2020-02-12 22:09:34
Message-ID: CAP6wrbWYsmNbvC15Hqhf2AeQ3uH5QnJrd0S5sXu_uGeGpe4Opw () mail ! gmail ! com
[Download RAW message or body]

OK, I think I got it the condition

Below is Mobile (Android) Bluetooth subsystem log:

02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter:
reassemble_and_dispatch reassemble_and_dispatch
02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter:
reassemble_and_dispatch partial_packet->offset 21 packet->len 683
HCI_ACL_PREAMBLE_SIZE 4
02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter:
reassemble_and_dispatch projected_offset 700 partial_packet->len 209
02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter:
reassemble_and_dispatch got packet which would exceed expected length
of 209. Truncating.
02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter:
reassemble_and_dispatch memcpy packet->len 188 packet->offset 4 expr
184
02-12 22:33:26.929  2416  2460 W bt_hci_packet_fragmenter:
fragment_and_dispatch fragment_and_dispatch

Still working on crashing the process, maybe this is due to memory
allocator (possibly jemalloc)

Still waiting for an official Writeup and PoC from Authors .... in the
mean time will publish if I figure it out further here:

https://github.com/marcinguy/CVE-2020-0022/blob/master/README.md

Thanks,

> 
> Hi all,
> 
> You can read more here, if you didn't hear about it:
> 
> https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/
> 
> Looking at the patch, when I understood it correctly, it seems all you need to send \
> fragmented GAP ACL L2CAP data over HCI: 
> https://android.googlesource.com/platform/system/bt/+/3cb7149d8fed2d7d77ceaa95bf845224c4db3baf
>  
> Anybody can confirm/deny? Anybody had success on doing it?
> 
> Starting to work on PoC/Demo to crate such a packets:
> 
> https://stackoverflow.com/questions/60116790/sending-gap-acl-l2cap-data-packets
> 
> Don't have a debugable device now though ...
> 
> For me crashing would be enough.
> 
> If anybody want to help on this, feel free to contact me directly or via the list/SO.
> 
> Thanks,
> 
> 
> 

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread] 