Message-ID: <CAP6wrbWYsmNbvC15Hqhf2AeQ3uH5QnJrd0S5sXu_uGeGpe4Opw@mail.gmail.com>
Date: Wed, 12 Feb 2020 23:09:34 +0100
From: Marcin Kozlowski <marcinguy@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag

OK, I think I got the condition. Below is the mobile (Android) Bluetooth subsystem log:

02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter: reassemble_and_dispatch reassemble_and_dispatch
02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter: reassemble_and_dispatch partial_packet->offset 21 packet->len 683 HCI_ACL_PREAMBLE_SIZE 4
02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter: reassemble_and_dispatch projected_offset 700 partial_packet->len 209
02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter: reassemble_and_dispatch got packet which would exceed expected length of 209. Truncating.
02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter: reassemble_and_dispatch memcpy packet->len 188 packet->offset 4 expr 184
02-12 22:33:26.929  2416  2460 W bt_hci_packet_fragmenter: fragment_and_dispatch fragment_and_dispatch

Still working on crashing the process; maybe this is due to the memory allocator (possibly jemalloc).

Still waiting for an official write-up and PoC from the authors... In the meantime I will publish here if I figure it out further:
https://github.com/marcinguy/CVE-2020-0022/blob/master/README.md

Thanks,

> Hi all,
>
> You can read more here, if you didn't hear about it:
>
> https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/
>
> Looking at the patch, if I understood it correctly, it seems all you need to do is send fragmented GAP ACL L2CAP data over HCI:
>
> https://android.googlesource.com/platform/system/bt/+/3cb7149d8fed2d7d77ceaa95bf845224c4db3baf
>
> Anybody can confirm/deny? Anybody had success doing it?
>
> Starting to work on a PoC/demo to create such packets:
>
> https://stackoverflow.com/questions/60116790/sending-gap-acl-l2cap-data-packets
>
> Don't have a debuggable device now though...
>
> For me crashing would be enough.
>
> If anybody wants to help on this, feel free to contact me directly or via the list/SO.
>
> Thanks,

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/