** Changed in: bluez
       Status: Unknown => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/1926548

Title:
  The gatt protocol has out-of-bounds read that leads to information
  leakage

Status in Bluez Utilities:
  Fix Released
Status in bluez package in Ubuntu:
  Fix Released
Status in bluez source package in Hirsute:
  Fix Released
Status in bluez source package in Impish:
  Fix Released

Bug description:
  I installed the latest bluez 5.53-0ubuntu3 version using apt-get install. It 
seems that this vulnerability was silently fixed in the latest bluez5.8, and 
the cve number was not assigned.
  But this vulnerability now affects the latest ubuntu system
  This vulnerability allows an attacker to remotely obtain most of the contents 
of the heap without authentication.
  The vulnerability code is stored in cli_feat_read_cb, this function does not 
verify the offset parameter
  The vulnerability code is as follows

  gatt-database.c

  1054:static void cli_feat_read_cb(struct gatt_db_attribute *attrib,
                                        unsigned int id, uint16_t offset,
                                        uint8_t opcode, struct bt_att *att,
                                        void *user_data){
  ...
  len = sizeof(state->cli_feat)-offset;
  value = len? &state->cli_feat[offset]: NULL;

  done:
  gatt_db_attribute_read_result(attrib, id, ecode, value, len);

  
  }
  len will become very large due to integer overflow, so that a message of mtu 
(0x90) size will be sent later
  The message content is the buffer pointed to by value, which can be most 
addresses on the heap

  poc is very simple, the core is this line of code

      memcpy(&buf[0],"\x0c\x0b\x00\x0d\x00",5);

  0xc stands for read
  \x0b\x00 represents the handle of the client feature, which can be obtained 
through the find info message, which seems to be 0b by default
  \x0d\x00 is offset0xd

  
  this vulnerability is serious
  I want to apply for a cve number, although this has been silently fixed in 
the latest version

To manage notifications about this bug go to:
https://bugs.launchpad.net/bluez/+bug/1926548/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to