A vulnerability in Android allows remote code execution with Bluetooth enabled

The Android February update was recently released; it fixes a critical vulnerability in the Bluetooth stack (tracked as CVE-2020-0022) that allows remote code execution by sending a specially crafted Bluetooth packet.

The problem was classified as critical because it can be exploited silently by an attacker within Bluetooth range and requires no interaction from the victim. The vulnerability could potentially be used to build worms that spread from one nearby device to the next.

For an attack it is enough to know the MAC address of the victim's device (no prior pairing is required, but Bluetooth must be enabled on the device). On some devices, the Bluetooth MAC address can be derived from the Wi-Fi MAC address.

If the vulnerability is successfully exploited, an attacker can execute their code with the privileges of the background process that manages Bluetooth on Android. The problem is specific to the Bluetooth stack used in Android (based on code from Broadcom's BlueDroid project) and does not affect the BlueZ stack used in Linux.

The researchers who identified the problem were able to prepare a working exploit prototype, but the details of the exploit will be published later, once the fix has reached most users.

All that is known is that the vulnerability lies in the packet-assembly code and is caused by an incorrect calculation of the L2CAP (Logical Link Control and Adaptation Protocol) packet size when the data sent by the sender exceeds the expected size.
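The article gives no code for the flaw, so the following is an added illustration of the bug class it describes, not BlueDroid's code: an L2CAP PDU is reassembled from fragments, and the safe version refuses any fragment that would push the accumulated payload past the length the header declared, while a "trusting" variant (included only for contrast) appends whatever arrives. The fragment layout, the `StrictReassembler`/`TrustingReassembler` names and the sample frames are all constructed assumptions.

```python
import struct

L2CAP_HDR_LEN = 4          # basic L2CAP header: 2-byte payload length + 2-byte CID, little-endian


def parse_l2cap_header(fragment: bytes):
    """Return (declared_payload_len, cid) from the first fragment of a PDU."""
    if len(fragment) < L2CAP_HDR_LEN:
        raise ValueError("fragment too short to carry an L2CAP header")
    length, cid = struct.unpack_from("<HH", fragment, 0)
    return length, cid


class StrictReassembler:
    """Rebuild one L2CAP PDU from fragments, refusing data beyond the declared length."""

    def __init__(self):
        self.expected = None   # payload length promised by the header of the current PDU
        self.cid = None
        self.buf = bytearray()

    def feed(self, fragment: bytes, first: bool):
        if first:
            self.expected, self.cid = parse_l2cap_header(fragment)
            self.buf = bytearray()
            payload = fragment[L2CAP_HDR_LEN:]
        else:
            if self.expected is None:
                raise ValueError("continuation fragment without a start fragment")
            payload = fragment
        remaining = self.expected - len(self.buf)
        # The bound the article's bug class lacks: never accept more than the header promised.
        if len(payload) > remaining:
            raise ValueError(
                f"fragment carries {len(payload)} bytes but only {remaining} remain in the declared PDU"
            )
        self.buf += payload
        if len(self.buf) == self.expected:
            pdu = (self.cid, bytes(self.buf))
            self.expected = None
            return pdu
        return None


class TrustingReassembler(StrictReassembler):
    """Same state machine without the bound: appends whatever arrives (contrast only)."""

    def feed(self, fragment: bytes, first: bool):
        if first:
            self.expected, self.cid = parse_l2cap_header(fragment)
            self.buf = bytearray(fragment[L2CAP_HDR_LEN:])
        else:
            self.buf += fragment   # in a C stack this is the copy into a buffer sized from `expected`
        if len(self.buf) >= self.expected:
            pdu = (self.cid, bytes(self.buf))
            self.expected = None
            return pdu
        return None


def reassemble(reassembler, fragments):
    """Feed (fragment, is_first) pairs and return the completed (cid, payload) PDUs."""
    pdus = []
    for frag, first in fragments:
        pdu = reassembler.feed(frag, first)
        if pdu is not None:
            pdus.append(pdu)
    return pdus


# Constructed sample traffic (not real captures): the header declares a 6-byte payload on CID 0x0040.
HDR = struct.pack("<HH", 6, 0x0040)
WELL_FORMED = [(HDR + b"\x01\x02", True), (b"\x03\x04\x05\x06", False)]
# Same header, but the continuation delivers 8 bytes where only 4 are still expected.
OVERSIZED = [(HDR + b"\x01\x02", True), (b"\x03\x04\x05\x06\x07\x08\x09\x0a", False)]


if __name__ == "__main__":
    print(reassemble(StrictReassembler(), WELL_FORMED))
    print(reassemble(TrustingReassembler(), OVERSIZED))   # yields a 10-byte payload for a 6-byte PDU
    try:
        reassemble(StrictReassembler(), OVERSIZED)
    except ValueError as err:
        print("rejected:", err)
```

In Python the trusting variant merely returns a payload longer than declared; in a native stack that same missing comparison is the point where a fixed-size buffer is overrun, which is why the check belongs on every fragment rather than only on the first header.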

“In Android 8.0 to 9.0, a nearby attacker can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as this communication medium is enabled.

No user interaction is required and only the Bluetooth MAC address of the target devices needs to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to the theft of personal data and could be used to spread malware. In Android 10, this vulnerability cannot be exploited for technical reasons and only causes the Bluetooth daemon to crash,” the researchers explain.

On Android 8 and 9 the problem can lead to code execution, whereas on Android 10 it is limited to crashing the Bluetooth background process.

Older versions of Android are potentially affected as well, but whether the flaw can be successfully exploited on them has not been tested.
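As an added example (not from the article or the researchers), the triage helper below encodes the impact stated above per Android version so a fleet owner can sort devices by exposure: the fix date is assumed to be the `2020-02-01` security patch level, following the article's "February update" and Android's patch-level naming, and the inventory rows, device names and the `assess`/`triage_inventory` helpers are constructed. Reading the two properties via `adb shell getprop` uses the real `ro.build.version.release` and `ro.build.version.security_patch` keys.

```python
import subprocess
from datetime import date

# From the article: fixed in the February 2020 update; Android 8.0-9.0 gives code execution,
# Android 10 only a Bluetooth daemon crash, versions older than 8 are potentially affected but untested.
FIX_PATCH_LEVEL = date(2020, 2, 1)   # assumed patch level of the February 2020 bulletin


def assess(release: str, security_patch: str) -> str:
    """Classify one device's exposure to CVE-2020-0022 from its Android release and patch level."""
    major = int(release.split(".")[0])
    patch = date.fromisoformat(security_patch)   # ro.build.version.security_patch is YYYY-MM-DD
    if patch >= FIX_PATCH_LEVEL:
        return "patched"
    if 8 <= major <= 9:
        return "unpatched-rce"
    if major == 10:
        return "unpatched-crash-only"
    if major < 8:
        return "unpatched-untested"
    return "not-covered-by-advisory"


def triage_inventory(lines):
    """Turn 'name,release,security_patch' rows into a {name: verdict} mapping."""
    verdicts = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, release, patch = (field.strip() for field in line.split(","))
        verdicts[name] = assess(release, patch)
    return verdicts


def read_device_props():
    """Read the two properties from a USB-attached device with adb (adb must be on PATH)."""
    props = {}
    for key in ("ro.build.version.release", "ro.build.version.security_patch"):
        out = subprocess.run(["adb", "shell", "getprop", key],
                             capture_output=True, text=True, check=True)
        props[key] = out.stdout.strip()
    return props


# Constructed inventory of hypothetical devices (not from the article).
SAMPLE_INVENTORY = """
# name,release,security_patch
pixel-lab-1,10,2020-02-05
budget-phone-a,8.1.0,2019-11-05
budget-phone-b,9,2020-01-05
kiosk-tablet,7.1.2,2019-09-05
"""

if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{name:16} {verdict}")
    # For a connected device:
    # p = read_device_props()
    # print(assess(p["ro.build.version.release"], p["ro.build.version.security_patch"]))
```

Devices that land in the unpatched buckets and have no update available are the ones for which the Bluetooth-off and non-discoverable advice later in the article applies.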

Besides the problem described above, the February Android security update fixed 26 vulnerabilities, one more of which (CVE-2020-0023) was rated critical.

The second vulnerability also affects the Bluetooth stack and is related to incorrect handling of the BLUETOOTH_PRIVILEGED permission in setPhonebookAccessPermission.

Among the vulnerabilities rated as dangerous, 7 were fixed in the framework and applications, 4 in system components, 2 in the kernel and 10 in open-source and proprietary components for Qualcomm chips.

Finally, users are advised to install the firmware update as soon as it is rolled out to their devices. Where that is not possible (which applies to millions of devices from brands that sell inexpensive models), they should turn Bluetooth off by default, since there is in principle no reason to keep it enabled at all times and doing so also improves battery life. It is further advised to disable device discoverability and to enable Bluetooth in public places only when absolutely necessary; replacing wireless headphones with wired ones is also suggested.

The researchers make these recommendations while noting that, as soon as they are sure the patches have reached end users, they will publish a whitepaper on the vulnerability, including a description of the exploit and proof-of-concept code.

But, as noted, many devices from brands that release no updates, or that have already reached end of support, remain potentially vulnerable.

Source: https://insinuator.net
