Full Disclosure mailing list archives
Re: [FD] Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag
From: Marcin Kozlowski <marcinguy () gmail com>
Date: Wed, 12 Feb 2020 23:09:34 +0100
OK, I think I got it the condition Below is Mobile (Android) Bluetooth subsystem log: 02-12 22:33:26.928 2416 2461 W bt_hci_packet_fragmenter: reassemble_and_dispatch reassemble_and_dispatch 02-12 22:33:26.928 2416 2461 W bt_hci_packet_fragmenter: reassemble_and_dispatch partial_packet->offset 21 packet->len 683 HCI_ACL_PREAMBLE_SIZE 4 02-12 22:33:26.928 2416 2461 W bt_hci_packet_fragmenter: reassemble_and_dispatch projected_offset 700 partial_packet->len 209 02-12 22:33:26.928 2416 2461 W bt_hci_packet_fragmenter: reassemble_and_dispatch got packet which would exceed expected length of 209. Truncating. 02-12 22:33:26.928 2416 2461 W bt_hci_packet_fragmenter: reassemble_and_dispatch memcpy packet->len 188 packet->offset 4 expr 184 02-12 22:33:26.929 2416 2460 W bt_hci_packet_fragmenter: fragment_and_dispatch fragment_and_dispatch Still working on crashing the process, maybe this is due to memory allocator (possibly jemalloc) Still waiting for an official Writeup and PoC from Authors .... in the mean time will publish if I figure it out further here: https://github.com/marcinguy/CVE-2020-0022/blob/master/README.md Thanks,
Hi all, You can read more here, if you didn't hear about it: https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/ Looking at the patch, when I understood it correctly, it seems all you need to send fragmented GAP ACL L2CAP data over HCI: https://android.googlesource.com/platform/system/bt/+/3cb7149d8fed2d7d77ceaa95bf845224c4db3baf Anybody can confirm/deny? Anybody had success on doing it? Starting to work on PoC/Demo to crate such a packets: https://stackoverflow.com/questions/60116790/sending-gap-acl-l2cap-data-packets Don't have a debugable device now though ... For me crashing would be enough. If anybody want to help on this, feel free to contact me directly or via the list/SO. Thanks,
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag Marcin Kozlowski (Feb 11)
- Re: [FD] Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag Marcin Kozlowski (Feb 14)