The GATT protocol has an out-of-bounds read that leads to information leakage
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Bluez Utilities | Fix Released | Unknown | |
bluez (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Groovy | Fix Released | Undecided | Unassigned |
Hirsute | Fix Released | Undecided | Unassigned |
Impish | Fix Released | Undecided | Unassigned |
Bug Description
I installed the latest bluez 5.53-0ubuntu3 version using apt-get install. It seems that this vulnerability was silently fixed in the latest bluez5.8, and no CVE number was assigned.
But this vulnerability now affects the latest Ubuntu system.
This vulnerability allows an attacker to remotely obtain most of the contents of the heap without authentication.
The vulnerable code is in cli_feat_read_cb; this function does not verify the offset parameter.
The vulnerable code is as follows:
gatt-database.c
static void cli_feat_
unsigned int id, uint16_t offset,
uint8_t opcode, struct bt_att *att,
void *user_data){
...
len = sizeof(
value = len? &state-
done:
gatt_db_
}
len will become very large due to integer overflow, so a message of MTU (0x90) size will be sent later.
The message content is the buffer pointed to by value, which can be most addresses on the heap.
The PoC is very simple; the core is this line of code:
memcpy(
0xc stands for read.
\x0b\x00 represents the handle of the client feature, which can be obtained through the find info message; it seems to be 0b by default.
\x0d\x00 is offset 0xd.
This vulnerability is serious.
I want to apply for a CVE number, although this has been silently fixed in the latest version.
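Added example (C, not the reporter's PoC and not bluez's own code): a minimal model of the defect the report describes, an unsigned length computed as sizeof(buffer) - offset with no prior bounds check, beside the hardened form that rejects offsets past the end of the value. The struct, its field name, the error code value and the MTU cap helper are assumptions for illustration; the offset 0x0d and MTU 0x90 are the values from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed per-device state standing in for the server-side record that
 * holds the Client Features value (the "state" object in the report).
 * The value is a tiny fixed-size array, which is why any offset beyond
 * its size is a problem. */
struct device_state {
    uint8_t cli_feat[1];
};

/* Placeholder error code for "invalid offset"; an illustrative value,
 * not taken from any ATT error table. */
#define ERR_INVALID_OFFSET 0x07

/* Vulnerable pattern: length = sizeof(buffer) - offset with no check that
 * offset <= sizeof(buffer). len is size_t, so for offset 0x0d against a
 * 1-byte buffer the subtraction wraps to SIZE_MAX - 11, and the returned
 * pointer would start 12 bytes past the value. The pointer is formed via
 * uintptr_t so this demo itself performs no out-of-bounds pointer
 * arithmetic and never dereferences it. */
size_t vulnerable_read(const struct device_state *state, uint16_t offset,
                       const uint8_t **value)
{
    size_t len = sizeof(state->cli_feat) - offset;   /* wraps when offset > 1 */
    *value = len ? (const uint8_t *)((uintptr_t)state->cli_feat + offset)
                 : NULL;
    return len;
}

/* Hardened pattern: validate the offset before the subtraction. An offset
 * equal to the size is allowed and yields an empty read; anything larger
 * is rejected with an error and no pointer into the buffer. */
int safe_read(const struct device_state *state, uint16_t offset,
              const uint8_t **value, size_t *len)
{
    *value = NULL;
    *len = 0;
    if (offset > sizeof(state->cli_feat))
        return ERR_INVALID_OFFSET;
    *len = sizeof(state->cli_feat) - offset;   /* cannot wrap: offset <= size */
    *value = *len ? &state->cli_feat[offset] : NULL;
    return 0;
}

/* How much of a bogus length actually leaves the process: a single
 * response is capped at the negotiated MTU, so the wrapped length becomes
 * a response of MTU bytes (0x90 in the report) read from wherever the bad
 * pointer lands. Simplified: response header overhead is ignored. */
size_t wire_len(size_t len, size_t mtu)
{
    return len > mtu ? mtu : len;
}

int main(void)
{
    struct device_state s = { { 0x01 } };   /* constructed sample state */
    const uint8_t *v;
    size_t len;
    int rc;

    len = vulnerable_read(&s, 0x0d, &v);
    printf("vulnerable: offset 0x0d -> len %zu, pointer %s the value\n",
           len, v ? "past the end of" : "NULL");
    printf("            one response would carry %zu bytes of heap\n",
           wire_len(len, 0x90));

    rc = safe_read(&s, 0x0d, &v, &len);
    printf("hardened:   offset 0x0d -> status 0x%02x, len %zu\n", rc, len);
    rc = safe_read(&s, 0, &v, &len);
    printf("hardened:   offset 0    -> status 0x%02x, len %zu\n", rc, len);
    return 0;
}
```

The detection point for reviewers is the shape `sizeof(x) - offset` on an unsigned type with the comparison `offset > sizeof(x)` missing above it; the fix is the comparison, not a change to the subtraction.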
CVE References
information type: Private Security → Public Security
tags: added: fixed-in-5.56 fixed-upstream
Changed in bluez (Ubuntu Hirsute): status: New → Fix Released
Changed in bluez (Ubuntu Impish): status: New → Fix Released
tags: added: rls-ff-incoming
Changed in bluez: status: Unknown → Fix Released
Thanks for reporting this.
Could you please confirm this is the bug and commit?
https://github.com/bluez/bluez/issues/70
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/src/gatt-database.c?id=3a40bef49305f8327635b81ac8be52a3ca063d5a