CVE-2017-13284 : Injection in configuration file

Hey !

The Android Security Bulletin for April is now out, and I am authorized to talk about my latest (and first \o/) CVE, which I found in the bluedroid Android Bluetooth stack.

The vulnerability CVE-2017-13284 affects all versions from 6.0 onwards and is rated Critical. It is described as follows:

In config_set_string of config.cc, it is possible to pair a second BT keyboard without user approval due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-70808273.

I am quite surprised by Google's description, because it only gives one example of exploitation rather than the root cause of the issue.

I would like to add some details about it.

Description

Bluedroid stores paired devices in the file /data/misc/bluedroid/bt_config.conf.
This configuration file has a custom format, similar to an INI file:

[Section]
key1=val1
key2=val2

Here is an extract of a bt_config.conf file:

[c4:43:8f:XX:XX:XX]
Timestamp = 1512597555
Name = Device Name
DevClass = 5898764
DevType = 1
AddrType = 0
Manufacturer = 0
LmpVer = 0
LmpSubVer = 0
Service = 0000110a-0000-1000-8000-00805f9b34fb 00001105-0000-1000-8000-00805f9b34fb 00001115-0000-1000-8000-00805f9b34fb 00001116-0000-1000-8000-00805f9b34fb 0000110e-0000-1000-8000-00805f9b34fb 0000112f-0000-1000-8000-00805f9b34fb 00001112-0000-1000-8000-00805f9b34fb 0000111f-0000-1000-8000-00805f9b34fb 00001132-0000-1000-8000-00805f9b34fb 00000000-0000-1000-8000-00805f9b34fb
LinkKeyType = 5
PinLength = 0
LinkKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The issue is that the newline character “\n” is not escaped in values when a key is added or edited.

The bug is located in the file osi/src/config.cc, in the function config_set_string:
https://android.googlesource.com/platform/system/bt/+/master/osi/src/config.cc#160
It is a simple injection into a configuration file containing the information of paired devices.
The function should escape or remove the “\n” character before writing a value.

This bug is present in all versions using this INI-style format, i.e. since commit https://android.googlesource.com/platform/system/bt/+/d1c453f4f9648bb5eef80df106e79e3f916f301c .
Previous versions, which used an XML format, are not vulnerable (XML injection has been tested).

The name of a Bluetooth device is chosen by the remote device and can be up to 248 bytes long. It is therefore possible to craft a name containing “\n” and modify the configuration.

Note that the bt_config.conf file is only parsed at bluedroid start-up. After an injection, an attacker needs the process to restart (after a crash, for instance).
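To make the root cause and the fix concrete, here is an added example in C++ (it is not bluedroid's code; the store, the section/device names and the injected value are all constructed for illustration). A minimal INI-style store in the spirit of bt_config.conf is written out and read back twice: once with an unchecked write that stores a value verbatim, as the affected config_set_string did, and once with a checked write that refuses any section name, key or value containing a line break or NUL, which is the "remove or escape" fix the post recommends. The reader is deliberately naive, because a line-oriented parser has no way to tell an injected line from a genuine one; the only place to enforce the invariant is the writer.

```cpp
// Added example (not bluedroid's own code): a minimal INI-style store in the
// spirit of bt_config.conf. set_string_unchecked() writes a value verbatim, as
// the affected config_set_string did; set_string_checked() applies the fix the
// post suggests by refusing values that would break the line-oriented format.
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

struct Section {
    std::string name;
    std::vector<std::pair<std::string, std::string>> entries;
};
using Config = std::vector<Section>;

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// A section name, key or value can be written safely only if it cannot end the
// line it is written on ("\n", "\r") or truncate it ("\0").
bool is_safe_token(const std::string& s) {
    for (unsigned char c : s) {
        if (c == '\n' || c == '\r' || c == '\0') return false;
    }
    return true;
}

static Section& find_or_add(Config& cfg, const std::string& name) {
    for (Section& s : cfg) if (s.name == name) return s;
    cfg.push_back(Section{name, {}});
    return cfg.back();
}

static void put(Section& sec, const std::string& key, const std::string& value) {
    for (auto& kv : sec.entries) if (kv.first == key) { kv.second = value; return; }
    sec.entries.emplace_back(key, value);
}

// "Before": stores whatever it is given.
void set_string_unchecked(Config& cfg, const std::string& section,
                          const std::string& key, const std::string& value) {
    put(find_or_add(cfg, section), key, value);
}

// "After": rejects tokens that would break the format; returns false and
// leaves cfg untouched when the write is refused.
bool set_string_checked(Config& cfg, const std::string& section,
                        const std::string& key, const std::string& value) {
    if (!is_safe_token(section) || !is_safe_token(key) || !is_safe_token(value)) return false;
    put(find_or_add(cfg, section), key, value);
    return true;
}

// Writes "[section]" headers followed by "key = value" lines.
std::string serialize(const Config& cfg) {
    std::string out;
    for (const Section& s : cfg) {
        out += "[" + s.name + "]\n";
        for (const auto& kv : s.entries) out += kv.first + " = " + kv.second + "\n";
        out += "\n";
    }
    return out;
}

// Line-oriented reader: "[name]" opens a section, "key = value" adds an entry.
// It cannot distinguish an injected line from a genuine one.
Config parse(const std::string& text) {
    Config cfg;
    size_t pos = 0;
    while (pos < text.size()) {
        size_t nl = text.find('\n', pos);
        size_t len = (nl == std::string::npos) ? std::string::npos : nl - pos;
        std::string line = trim(text.substr(pos, len));
        pos = (nl == std::string::npos) ? text.size() : nl + 1;
        if (line.empty()) continue;
        if (line.front() == '[' && line.back() == ']') {
            cfg.push_back(Section{line.substr(1, line.size() - 2), {}});
            continue;
        }
        size_t eq = line.find('=');
        if (eq == std::string::npos || cfg.empty()) continue;
        cfg.back().entries.emplace_back(trim(line.substr(0, eq)), trim(line.substr(eq + 1)));
    }
    return cfg;
}

// Number of device sections a reader sees after one paired device's Name is set
// to a constructed value carrying a line break and a forged section header.
size_t sections_after_roundtrip(bool use_checked_write) {
    Config cfg;
    const std::string device = "c4:43:8f:00:00:01";                       // constructed address
    const std::string name = "Speaker\n[11:22:33:44:55:66]\nInjected = 1";  // constructed value
    set_string_unchecked(cfg, device, "Timestamp", "1512597555");
    if (use_checked_write) set_string_checked(cfg, device, "Name", name);   // refused
    else set_string_unchecked(cfg, device, "Name", name);                   // written verbatim
    return parse(serialize(cfg)).size();
}

int main() {
    std::printf("unchecked write: %zu section(s), checked write: %zu section(s)\n",
                sections_after_roundtrip(false), sections_after_roundtrip(true));
    return 0;
}
```

With the unchecked write the file reads back as two devices, the second of which nobody paired; with the checked write it reads back as one. Rejecting the value is the simplest fix; escaping it (and unescaping in the reader) is the alternative the post mentions, and either way the check belongs in the writer, since once the line break is on disk the reader has nothing left to validate.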

Impacts

To perform this injection, an attacker must spoof the Bluetooth MAC address of a paired device. Using BNEP, the registered name can then be replaced with a crafted one, which makes it possible to modify the settings of this paired device or to create a new one.

On Android, Bluetooth pairing and application access are handled separately. If an attacker adds a new Bluetooth device and tries to access messages, a permission dialog is displayed so the user can accept or refuse the request.

When I reported this issue, I provided a PoC which adds a Bluetooth keyboard; it was automatically accepted as an input device (the connection to the keyboard is not automatic, however).

Another interesting scenario would be to change the LinkKey parameter of a privileged device in order to take over its Bluetooth connection.
For instance, a car multimedia system could be spoofed to extract contacts and messages.

Conclusion

This vulnerability is trivial and easy to exploit. I am surprised that nobody discovered it before (it has been there since 2014!).

Unlike previous bluedroid issues, this one is generic and does not need any per-device customization. It works on all Android devices (from version 6.0)!

Here is a video of the PoC on a OnePlus 5:
https://drive.google.com/file/d/16cxd0AKK9LXRdw3yq_PiiuVkpRc4qKCG/view

2 Replies to “CVE-2017-13284 : Injection in configuration file”

  1. Nice post!
    Here are my questions!
    1. How can you crash the bluedroid process?
    2. How to inject \n? Set the name to test\ntest2??? But this does not work.

    1. Hi !
      1. On the OnePlus 5, I noticed that if the device name has the MAX length (without \00 at the end), the bluedroid process crashed, but I did not check why, and it was not the case on the Samsung S8. Otherwise you need to use another vulnerability to crash the process.

      2. You need a CSR Bluetooth dongle. Then you can use the set_bt_name of this exploit https://gist.github.com/jesux/64cf037c55c0d42196762c0ccacc7380 . It uses HCI commands to configure the BT adapter and set the name. You also need to use a registered MAC address (by spoofing an associated device, for instance).
