[Bluetooth] CVE-2017-13258, CVE-2017-13260, CVE-2017-13261, CVE-2017-13262: information disclosure

Patch

  • https://android.googlesource.com/platform/system/bt/+/a50e70468c0a8d207e416e273d05a08635bdd45f%5E%21/#F0

Download the source at the parent revision

  • https://android.googlesource.com/platform/system/bt/+/f0edf6571d2d58e66ee0b100ebe49c585d31489f

Where the BNEP layer sits in the stack

Header format of a BNEP packet

BNEP Packet:

  Value | Parameter Description
  ------+-----------------------
  0xXX  | Based on the BNEP Type

BNEP Type:

  Value       | Parameter Description
  ------------+----------------------
  0x00 - 0x7F | Seven-bit Bluetooth Network Encapsulation Protocol Type value; identifies the type of BNEP header contained in this packet. Values are defined in Table 1 on page 14.

  Value       | BNEP Packet Type
  ------------+--------------------------------------------------
  0x00        | BNEP_GENERAL_ETHERNET
  0x01        | BNEP_CONTROL
  0x02        | BNEP_COMPRESSED_ETHERNET
  0x03        | BNEP_COMPRESSED_ETHERNET_SOURCE_ONLY
  0x04        | BNEP_COMPRESSED_ETHERNET_DEST_ONLY
  0x05 - 0x7E | Reserved for future use
  0x7F        | Reserved for 802.2 LLC Packets for IEEE 802.15.1 WG

Extension Flag (E):

  Value       | Parameter Description
  ------------+----------------------
  0x00 - 0x01 | One-bit extension flag that indicates whether one or more extension headers follow the BNEP header before the data payload, if a data payload exists. Extension headers are defined in section 3 on page 39. If the extension flag is 0x1, one or more extension headers follow the BNEP header. If the extension flag is 0x0, the BNEP payload follows the BNEP header.

When the BNEP Type is 0x01 the packet is a BNEP_CONTROL packet, and the packet format is then as follows:

Vulnerability 1: CVE-2017-13258

When data arrives from the L2CAP layer, bnep_data_ind() is called:

/* Vulnerable (pre-patch) version of the L2CAP data callback in system/bt */
static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
    tBNEP_CONN* p_bcb;
    uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset;  /* start of BNEP header */
    uint16_t rem_len = p_buf->len;                        /* bytes remaining in the frame */
    uint8_t type, ctrl_type, ext_type = 0;
    bool extension_present, fw_ext_present;
    uint16_t protocol = 0;

    /* Find CCB based on CID */
    p_bcb = bnepu_find_bcb_by_cid(l2cap_cid);
    if (p_bcb == NULL) {
        BNEP_TRACE_WARNING("BNEP - Rcvd L2CAP data, unknown CID: 0x%x", l2cap_cid);
        osi_free(p_buf);
        return;
    }

    /* Get the type and extension bits: high bit is the E flag, low 7 bits the BNEP Type */
    type = *p++;
    extension_present = type >> 7;
    type &= 0x7f;
    if ((rem_len <= bnep_frame_hdr_sizes[type]) || (rem_len > BNEP_MTU_SIZE)) {
        BNEP_TRACE_EVENT("BNEP - rcvd frame, bad len: %d  type: 0x%02x", p_buf->len, type);
        osi_free(p_buf);
        return;
    }

    rem_len--;  /* the type byte has been consumed */

    if ((p_bcb->con_state != BNEP_STATE_CONNECTED) &&
            (!(p_bcb->con_flags & BNEP_FLAGS_CONN_COMPLETED)) &&
            (type != BNEP_FRAME_CONTROL)) {
        BNEP_TRACE_WARNING("BNEP - Ignored L2CAP data while in state: %d, CID: 0x%x", p_bcb->con_state, l2cap_cid);

        if (extension_present) {
            /*
            ** When there is no connection if a data packet is received
            ** with unknown control extension headers then those should be processed
            ** according to complain/ignore law
            */
            uint8_t ext, length;
            uint16_t org_len, new_len;
            /* parse the extension headers and process unknown control headers */
            org_len = rem_len;
            new_len = 0;
            do {
                /* ext and length are read, and p advanced by the peer-supplied
                ** length, without checking that rem_len still covers them */
                ext = *p++;
                length = *p++;
                p += length;

                /* *p is dereferenced here, before the length accounting below */
                if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))
                    bnep_send_command_not_understood(p_bcb, *p);

                /* the only bound check runs after the reads above have happened */
                new_len += (length + 2);

                if (new_len > org_len) break;

            } while (ext & 0x80);
        }
        ...
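To show the check the loop above lacks, here is an added example (not AOSP code) that walks the same layout, the type byte with its E flag from the header tables followed by the extension-header chain, but validates every read against the remaining length before it happens. bnep_payload_offset() and the sample frames are constructed for this example and mirror the branch above, where extension headers follow the type byte directly.

```c
#include <stdint.h>
#include <stdio.h>

/* Bounds-checked walk of the BNEP header and its extension-header chain.
 * Returns the offset of the payload, or -1 if the frame is truncated or an
 * extension length would run past the end of the frame. */
int bnep_payload_offset(const uint8_t *buf, uint16_t len)
{
    if (len < 1) return -1;
    uint8_t type = buf[0] & 0x7f;            /* 7-bit BNEP Type */
    int ext_present = (buf[0] >> 7) != 0;    /* Extension Flag (E) */
    uint16_t off = 1;
    if (type > 0x04 && type != 0x7f)          /* 0x05-0x7E are reserved: reject */
        return -1;
    if (!ext_present) return off;             /* E=0: payload follows the header */
    uint8_t ext;
    do {
        /* Unlike the original loop, the remaining-length check comes before
         * the two header bytes are read... */
        if (len - off < 2) return -1;
        ext = buf[off];
        uint8_t ext_len = buf[off + 1];
        off += 2;
        /* ...and before the body is skipped (the original's p += length). */
        if (len - off < ext_len) return -1;
        off += ext_len;
    } while (ext & 0x80);                     /* high bit: another extension follows */
    return off;
}

/* Constructed sample frames, not captured traffic. */
static const uint8_t FRAME_OK[]    = {0x81, 0x00, 0x02, 0xAA, 0xBB, 0xCC}; /* E=1, CONTROL, one 2-byte ext */
static const uint8_t FRAME_CHAIN[] = {0x80, 0x81, 0x01, 0x11, 0x00, 0x00}; /* two chained extensions */
static const uint8_t FRAME_BAD[]   = {0x82, 0x80, 0x40};                   /* ext length 64 in a 3-byte frame */
static const uint8_t FRAME_TRUNC[] = {0x80, 0x81, 0x01, 0x11};             /* chain claims more, nothing left */

int main(void)
{
    printf("ok=%d chain=%d bad=%d trunc=%d\n",
           bnep_payload_offset(FRAME_OK, sizeof FRAME_OK),
           bnep_payload_offset(FRAME_CHAIN, sizeof FRAME_CHAIN),
           bnep_payload_offset(FRAME_BAD, sizeof FRAME_BAD),
           bnep_payload_offset(FRAME_TRUNC, sizeof FRAME_TRUNC));
    return 0;
}
```

FRAME_BAD and FRAME_TRUNC are the shapes the original loop would follow off the end of the buffer; here they are rejected with -1 instead.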

Vulnerability 2: CVE-2017-13260

Vulnerability 3: CVE-2017-13261

Vulnerability 4: CVE-2017-13262
