The Android Security Bulletin for April is now released, and I am authorized to talk about my latest (and first \o/) CVE, which I found in the bluedroid Android subsystem.
The vulnerability CVE-2017-13284 affects all versions from 6.0 and is rated as Critical. It is described as follows:
In config_set_string of config.cc, it is possible to pair a second BT keyboard without user approval due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-70808273.
I am quite surprised by Google's description, because it only gives one example of exploitation and does not describe the origin of the issue.
I would like to add some details about it.
Bluedroid stores paired devices in the file bt_config.conf.
This configuration file has a custom format, similar to an "INI" configuration file:
[Section]
key1=val1
key2=val2
Here is an extract of bt_config.conf (link key and part of the address masked):
[c4:43:8f:XX:XX:XX]
Timestamp = 1512597555
Name = Device Name
DevClass = 5898764
DevType = 1
AddrType = 0
Manufacturer = 0
LmpVer = 0
LmpSubVer = 0
Service = 0000110a-0000-1000-8000-00805f9b34fb 00001105-0000-1000-8000-00805f9b34fb 00001115-0000-1000-8000-00805f9b34fb 00001116-0000-1000-8000-00805f9b34fb 0000110e-0000-1000-8000-00805f9b34fb 0000112f-0000-1000-8000-00805f9b34fb 00001112-0000-1000-8000-00805f9b34fb 0000111f-0000-1000-8000-00805f9b34fb 00001132-0000-1000-8000-00805f9b34fb 00000000-0000-1000-8000-00805f9b34fb
LinkKeyType = 5
PinLength = 0
LinkKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The issue is that the newline character "\n" is not escaped in values when a key is added or edited.
The bug is located in the file osi/src/config.cc, in the function config_set_string.
It is a simple injection into a configuration file that holds the information of paired devices: a value containing "\n" is written out as several lines, so the parser later reads the remainder of the value as new keys, or even as a new section.
The function should escape or remove the "\n" character.
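As an added example (not bluedroid's code and not the author's PoC), the toy C++ model below reproduces the shape of the bt_config.conf format described above: a writer that emits values verbatim, as config.cc did, a line-oriented parser, and a checked setter (config_set_string_checked is an assumed name) that refuses values containing a line break. Round-tripping a constructed record whose Name holds a newline shows the re-parsed file gaining a section with the unchecked store and staying intact with the checked one. The addresses and the link key value are constructed placeholders.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Toy model of the bt_config.conf layout: one section per device address, each
// holding "key = value" lines. Constructed for this example; only the shape of
// the format is taken from the page, none of this is bluedroid's config.cc.
using Section = std::map<std::string, std::string>;
using Config  = std::map<std::string, Section>;

static std::string trim(const std::string& s) {
    const char* ws = " \t\r";
    std::size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    std::size_t e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Writer mirroring the defect the page describes: the value is emitted verbatim,
// so a line break inside it becomes additional lines of the file.
std::string config_save(const Config& cfg) {
    std::ostringstream out;
    for (const auto& sec : cfg) {
        out << '[' << sec.first << "]\n";
        for (const auto& kv : sec.second)
            out << kv.first << " = " << kv.second << '\n';
        out << '\n';
    }
    return out.str();
}

// Line-oriented reader: "[name]" opens a section, "key = value" sets a key in it.
Config config_parse(const std::string& text) {
    Config cfg;
    std::string section, line;
    std::istringstream in(text);
    while (std::getline(in, line)) {
        line = trim(line);
        if (line.empty()) continue;
        if (line.front() == '[' && line.back() == ']') {
            section = line.substr(1, line.size() - 2);
            continue;
        }
        std::size_t eq = line.find('=');
        if (eq == std::string::npos || section.empty()) continue;
        cfg[section][trim(line.substr(0, eq))] = trim(line.substr(eq + 1));
    }
    return cfg;
}

// Hardened setter (assumed name): refuses any value that would break the
// one-value-per-line invariant. Stripping the characters is the other option
// the page mentions; rejecting keeps the stored name honest.
bool config_set_string_checked(Config& cfg, const std::string& section,
                               const std::string& key, const std::string& value) {
    if (value.find_first_of("\r\n") != std::string::npos) return false;
    cfg[section][key] = value;
    return true;
}

struct RoundTrip {
    std::size_t sections;  // sections present after save + parse
    bool name_intact;      // parsed Name equals the stored Name
};

// Save and re-parse a constructed config whose Name value carries a line break
// followed by text shaped like a second section. With the unchecked store the
// re-parsed file gains a section; with the checked setter it does not.
RoundTrip roundtrip_with_multiline_name(bool use_checked_setter) {
    const std::string addr = "c4:43:8f:00:00:01";  // constructed address
    Config cfg;
    cfg[addr]["LinkKey"] = "00000000000000000000000000000000";  // placeholder value
    const std::string crafted = "Device Name\n[00:11:22:33:44:55]\nLinkKeyType = 5";
    if (use_checked_setter) {
        if (!config_set_string_checked(cfg, addr, "Name", crafted))
            cfg[addr]["Name"] = "Device Name";  // keep a sane name when rejected
    } else {
        cfg[addr]["Name"] = crafted;  // the unchecked path the page describes
    }
    Config back = config_parse(config_save(cfg));
    return {back.size(), back[addr]["Name"] == cfg[addr]["Name"]};
}

int main() {
    RoundTrip a = roundtrip_with_multiline_name(false);
    RoundTrip b = roundtrip_with_multiline_name(true);
    std::cout << "unchecked: sections=" << a.sections << " name_intact=" << a.name_intact << '\n'
              << "checked:   sections=" << b.sections << " name_intact=" << b.name_intact << '\n';
    return 0;
}
```

The round-trip check (save, then parse, then compare with what was stored) is the regression test a maintainer would want for this class of bug: any character the writer cannot represent unambiguously on one line shows up as a mismatch or as an unexpected extra section.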
This bug is present in all versions using this ".INI" format, since commit https://android.googlesource.com/platform/system/bt/+/d1c453f4f9648bb5eef80df106e79e3f916f301c .
Previous versions, which used an XML format, are not vulnerable (XML injection has been tested).
The name of the Bluetooth device is user controlled, with a length of 248 bytes. It is possible to craft a custom name containing "\n" and thereby modify the configuration.
The bt_config.conf file is only parsed at bluedroid start-up. After an injection, an attacker needs to restart the process (with a crash, for instance).
To perform this injection, an attacker must spoof the Bluetooth MAC address of a paired device. By sending a BNEP, the registered name can be modified with a crafted one and so modify the settings of this paired device or create a new one.
On Android systems, Bluetooth pairing and application access are separated. If an attacker adds a new Bluetooth device and tries to access messages, a permission dialog will be displayed to accept or refuse the request.
When I reported this issue, I provided a PoC I had developed which adds a Bluetooth keyboard; it was automatically accepted as an input device (however, the connection to the keyboard is not automatic).
Another interesting scenario could be to change the LinkKey parameter of a privileged device to steal the Bluetooth connection.
For instance, a multimedia car system could be spoofed to extract contacts and message data.
This vulnerability is trivial and easy to exploit. I am surprised that nobody discovered it before (since 2014!).
Unlike previous bluedroid issues, this one is generic and does not need customization. It works on all Android devices (from version 6.0)!
Here is a video of the PoC on a OnePlus 5: