BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution

This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code.

Hasnain says:

Great read on understanding some native attack surface and walking through an exploitation chain.

Also shows how coordinating disclosure is still quite hard.

"The path from starting with zero knowledge to uncovering three vulnerabilities in the Bluetooth HCI protocol was strange and unexpected. When I first found the BadVibes vulnerability, I thought it was only triggerable by vulnerable/malicious Bluetooth chips, as the bug seemed too obvious. Since I did not have two programmable devices with Bluetooth 5, I could not verify if receiving such a large advertisement was even possible. Only after comparing the Linux Bluetooth stack with other implementations and reading the specifications, did I come to the conclusion that I had actually discovered my first RCE vulnerability, and I immediately went out to purchase another laptop (surprisingly, there are no trustworthy BT5 dongles on the market). Analyzing the overflow, it was soon clear that an additional information leak vulnerability was needed. Much faster than I thought it would take, I discovered BadChoice after just two days. While trying to trigger it, I uncovered the BadKarma vulnerability which I first deemed to be an unfortunate bug that would prevent the BadChoice vulnerability. It turned out that it was quite easy to bypass and that the bug was in truth yet another high severity security vulnerability."

Posted on 2021-04-08T05:08:05+0000