lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 12 Feb 2020 23:09:34 +0100
From: Marcin Kozlowski <marcinguy@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD]
	Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag

OK, I think I got it the condition

Below is Mobile (Android) Bluetooth subsystem log:

02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter:
reassemble_and_dispatch reassemble_and_dispatch
02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter:
reassemble_and_dispatch partial_packet->offset 21 packet->len 683
HCI_ACL_PREAMBLE_SIZE 4
02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter:
reassemble_and_dispatch projected_offset 700 partial_packet->len 209
02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter:
reassemble_and_dispatch got packet which would exceed expected length
of 209. Truncating.
02-12 22:33:26.928  2416  2461 W bt_hci_packet_fragmenter:
reassemble_and_dispatch memcpy packet->len 188 packet->offset 4 expr
184
02-12 22:33:26.929  2416  2460 W bt_hci_packet_fragmenter:
fragment_and_dispatch fragment_and_dispatch

Still working on crashing the process, maybe this is due to memory
allocator (possibly jemalloc)

Still waiting for an official Writeup and PoC from Authors .... in the
mean time will publish if I figure it out further here:

https://github.com/marcinguy/CVE-2020-0022/blob/master/README.md

Thanks,




>
> Hi all,
>
> You can read more here, if you didn't hear about it:
>
> https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/
>
> Looking at the patch, when I understood it correctly, it seems all you need to send fragmented GAP ACL L2CAP data over HCI:
>
> https://android.googlesource.com/platform/system/bt/+/3cb7149d8fed2d7d77ceaa95bf845224c4db3baf
>
> Anybody can confirm/deny? Anybody had success on doing it?
>
> Starting to work on PoC/Demo to crate such a packets:
>
> https://stackoverflow.com/questions/60116790/sending-gap-acl-l2cap-data-packets
>
> Don't have a debugable device now though ...
>
> For me crashing would be enough.
>
> If anybody want to help on this, feel free to contact me directly or via the list/SO.
>
> Thanks,
>
>
>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists