CVE-2017-13284 : Injection in configuration file

Hey !

The Android Security Bulletin for April is now out, and I am allowed to talk about my latest (and first \o/) CVE, which I found in the bluedroid Android subsystem.

The vulnerability CVE-2017-13284 affects all versions from 6.0 onward and is rated Critical. It is described as follows:

In config_set_string of, it is possible to pair a second BT keyboard without user approval due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-70808273.

I am quite surprised by Google's description, because it only gives one example of exploitation and not the origin of the issue.

I would like to add some details.


Bluedroid stores paired devices in the file /data/misc/bluedroid/bt_config.conf.
This configuration file has a custom format similar to an "INI" file.


Here is an extract of a bt_config.conf file:

Timestamp = 1512597555
Name = Device Name
DevClass = 5898764
DevType = 1
AddrType = 0
Manufacturer = 0
LmpVer = 0
LmpSubVer = 0
Service = 0000110a-0000-1000-8000-00805f9b34fb 00001105-0000-1000-8000-00805f9b34fb 00001115-0000-1000-8000-00805f9b34fb 00001116-0000-1000-8000-00805f9b34fb 0000110e-0000-1000-8000-00805f9b34fb 0000112f-0000-1000-8000-00805f9b34fb 00001112-0000-1000-8000-00805f9b34fb 0000111f-0000-1000-8000-00805f9b34fb 00001132-0000-1000-8000-00805f9b34fb 00000000-0000-1000-8000-00805f9b34fb
LinkKeyType = 5
PinLength = 0

The issue is that the newline character "\n" is not escaped in values when a key is added or edited.

The bug is located in the file osi/src/ in the function config_set_string.
It is a plain injection into a configuration file holding the information of paired devices.
The function should escape or remove the "\n" character.

This bug is present in all versions using this ".INI" format, since commit .
Previous versions, which used an XML format, are not vulnerable (XML injection has been tested).

The name of a Bluetooth device is controlled by the remote device and can be up to 248 bytes long. It is possible to craft a name containing "\n" and so modify the configuration.

Note that bt_config.conf is only parsed when bluedroid starts up. After an injection, an attacker needs to make the process restart (by crashing it, for instance).
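To make the injection concrete, here is a small model of the config store, written for this post and not taken from bluedroid: a parser for the "Key = Value" format of the extract above, a setter that stores values verbatim (the bug class), a hardened setter, and a simulated "learn remote name, write file, re-read at start-up" cycle. The "[address]" section headers, the sample file contents and the crafted name are constructed for the example; the merge behaviour for a repeated section header is an assumption of this model, not a verified property of bluedroid's parser.

```python
"""Toy model of the bt_config.conf injection: an INI-style store whose
string setter does not escape '\\n', beside a hardened setter."""
from collections import OrderedDict

BT_NAME_MAX = 248  # maximum length of a Bluetooth remote device name, in bytes

# Constructed sample in the style of the extract above. The "[address]" section
# headers are an assumption of this model, not copied from a real bt_config.conf.
SAMPLE_CONFIG = """[Adapter]
Address = 00:11:22:33:44:55

[AA:BB:CC:DD:EE:01]
Timestamp = 1512597555
Name = Car Multimedia
DevClass = 5898764
LinkKeyType = 5
PinLength = 0
"""

# Hypothetical remote name sent by an attacker spoofing AA:BB:CC:DD:EE:01.
# It closes the Name line, opens a new device section (DevClass 1344 = 0x540,
# a peripheral/keyboard class), then re-opens the spoofed section so that the
# keys following Name in the file stay attached to the right device.
CRAFTED_NAME = ("Car Multimedia\n"
                "[AA:BB:CC:DD:EE:02]\n"
                "Name = Injected Keyboard\n"
                "DevClass = 1344\n"
                "LinkKeyType = 5\n"
                "[AA:BB:CC:DD:EE:01]")


def parse_config(text):
    """Parse '[section]' / 'Key = Value' lines into {section: {key: value}}.
    A repeated section header re-opens the section; later keys overwrite
    earlier ones (modelling assumption)."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], OrderedDict())
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def serialize_config(sections):
    """Write the store back in the same format (what ends up on disk)."""
    lines = []
    for name, keys in sections.items():
        lines.append("[%s]" % name)
        lines.extend("%s = %s" % kv for kv in keys.items())
        lines.append("")
    return "\n".join(lines)


def config_set_string_vulnerable(sections, section, key, value):
    """The bug class: the value is stored verbatim, so a '\\n' inside it
    becomes a line break in the file when it is written out."""
    sections.setdefault(section, OrderedDict())[key] = value


def config_set_string_fixed(sections, section, key, value):
    """One hardening choice (ours, not the upstream patch): line breaks are
    stripped from the value, so a value can never forge a whole line of the
    file. Rejecting such a value outright is the other reasonable option."""
    value = value.replace("\r", " ").replace("\n", " ")
    sections.setdefault(section, OrderedDict())[key] = value


def remote_name_update(config_text, address, name, setter):
    """Simulate the stack learning a remote name for `address`, saving the
    file, and re-reading it at the next start-up. Returns the re-read store."""
    if len(name.encode()) > BT_NAME_MAX:
        raise ValueError("remote name longer than %d bytes" % BT_NAME_MAX)
    sections = parse_config(config_text)
    setter(sections, address, "Name", name)
    on_disk = serialize_config(sections)
    return parse_config(on_disk)


if __name__ == "__main__":
    before = parse_config(SAMPLE_CONFIG)
    after = remote_name_update(SAMPLE_CONFIG, "AA:BB:CC:DD:EE:01",
                               CRAFTED_NAME, config_set_string_vulnerable)
    print("sections before:", list(before))
    print("sections after vulnerable update:", list(after))
    print("injected device:", dict(after["AA:BB:CC:DD:EE:02"]))
    safe = remote_name_update(SAMPLE_CONFIG, "AA:BB:CC:DD:EE:01",
                              CRAFTED_NAME, config_set_string_fixed)
    print("sections after fixed update:", list(safe))
```

With the vulnerable setter, the re-read store contains a third device, AA:BB:CC:DD:EE:02, that was never paired, while the spoofed device's own keys are unchanged. Note the detail in the crafted name: the keys that followed Name in the original file (DevClass, LinkKeyType, PinLength) are written after the injected text, so without the trailing "[AA:BB:CC:DD:EE:01]" they would be attributed to the injected device at the next start-up. With the hardened setter the whole crafted name is stored on one line and no new section appears.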


To perform this injection, an attacker must spoof the Bluetooth MAC address of a paired device. By sending a BNEP, the registered name can be replaced with a crafted one, which makes it possible to modify the settings of this paired device or to create a new one.

On Android, Bluetooth pairing and application access are separate. If an attacker adds a new Bluetooth device and tries to access messages, a permission dialog is displayed to accept or refuse the request.

When I reported this issue, I provided a PoC that adds a Bluetooth keyboard, and it was automatically accepted as an input device (the connection to the keyboard, however, is not automatic).

Another interesting scenario would be to change the LinkKey parameter of a privileged device in order to hijack its Bluetooth connection.
For instance, a car multimedia system could be spoofed to extract contacts and message data.


This vulnerability is trivial and easy to exploit. I am surprised that nobody discovered it before (it has been there since 2014!).

Unlike previous bluedroid issues, this one is generic and does not need any device-specific customization. It works on all Android devices (from version 6.0)!


Here is a video of the PoC on a OnePlus 5:
