BleedingTooth: a vulnerability in BlueZ that allows remote code execution

Google engineers released through a post they have identified a serious vulnerability (CVE-2020-12351) in the Bluetooth stack "BlueZ" which is used in Linux and Chrome OS distributions.

The vulnerability, codenamed BleedingTooth, allows an unauthorized attacker to execute your code at the kernel level Linux without user intervention by sending specially crafted Bluetooth packets.

The problem can be exploited by an attacker who is within Bluetooth range and in addition to the fact that a previous pairing is not required between the attacking device and the victim, the only condition is that Bluetooth must be active on the computer.

About vulnerability

For an attack, it is enough to know the MAC address of the victim's device, which can be determined by tracing or, on some devices, calculated based on the Wi-Fi MAC address.

Vulnerability is present in components that process L2CAP packets (Logical Link Control and Adaptation Protocol) at the Linux kernel level.

When sending a specially crafted L2CAP packet with additional data for the A2MP channel, an attacker can overwrite an area out of memory mapped, which can potentially be used to create an exploit to execute arbitrary code at the kernel level.

When specifying a CID other than L2CAP_CID_SIGNALING, L2CAP_CID_CONN_LESS, and L2CAP_CID_LE_SIGNALING in the packet, the 2cap_data_channel () handler is called in BlueZ, which for channels in L2CAP_MODE_ERTM modes match, the skip_CAPter filter and L2_CAPterfilter's checksum is called. (). For packets with CID L2CAP_CID_A2MP, there is no channel, so to create it, the a2mp_channel_create () function is called, which uses the type "struct amp_mgr" when processing the data field chan->, but the type for this field must be "Struct sock".

The vulnerability has emerged since the Linux kernel 4.8 And despite Intel's claims, it has not been addressed in the recently released version 5.9.

Matthew Garrett, a well-known Linux kernel developer who received an award from the Free Software Foundation for his contribution to free software development, claims that the information in Intel's report is incorrect and that kernel 5.9 does not include the proper fixes. to fix the vulnerability, patches were included in the linux-next branch, not the 5.9 branch).

He also expressed outrage at Intel's policy of disclosing vulnerabilities: Linux distribution developers were not notified of the problem prior to the report's release and did not have the opportunity to pre-export patches for their kernel packages.

Additionally, two more vulnerabilities have been reportedly identified in BlueZ:

  • CVE-2020-24490 - HCI parse code buffer overflow (hci_event.c). A remote attacker can achieve buffer overflows and code execution at the Linux kernel level by sending broadcast announcements. The attack is only possible on devices that support Bluetooth 5, when the scan mode is active on them.
  • CVE-2020-12352: Stack information loss during A2MP packet processing. The problem can be exploited by an attacker who knows the MAC address of a device to retrieve data from the kernel stack, which could potentially contain sensitive information such as encryption keys. The stack can also contain pointers, so the issue can be used to determine memory layout and bypass KASLR (address randomization) protection in exploits for other vulnerabilities.

Finally, the publication of an exploit prototype to verify the problem has been announced.

On distributions, the problem remains unpatched (Debian, RHEL (confirmed vulnerability in RHEL versions from 7.4), SUSE, Ubuntu, Fedora).

The Android platform is not affected by the problem, as it uses its own Bluetooth stack, based on code from Broadcom's BlueDroid project.

If you want to know more about this vulnerability, you can consult the details In the following link.


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

A comment, leave yours

Leave a Comment

Your email address will not be published.

*

*

  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   Aron said

    The fight against vulnerability will never end, this is an issue that will always be present. Every day hackers will look for more ways to make cyber attacks. Nothing is perfect, there will always be a percentage of vulnerability. That is why every day we have to continue working in the fight against these attacks.