Home
"Projet long" TLS-SEC: realization of a tutorial challenge for the Toulouse Hacking Convention, exploiting the Bluetooth vulnerability set called BlueBorne.
In this project, we are going to reproduce a PoC of the BlueBorne Bluetooth vulnerabilities. The main purpose is to spread a worm over Bluetooth communications between Linux and Android systems (and Windows systems if we have enough time). This project is mainly based on the Armis BlueBorne research (and its white paper) and on several open-source GitHub repositories.
On the Raspberry Pi 3 you will use for the attack:
sudo apt-get install git vim python-pip libbluetooth-dev bluetooth bluez blueman pi-bluetooth libffi-dev python-dev libssl-dev build-essential
sudo pip install -r requirements.txt
[!] Pwntools does not support 32-bit Python. Use a 64-bit release.
cd <Directory-you-want>
export PYTHONPATH=$PYTHONPATH:$PWD
To start Bluetooth on the Raspberry Pi:
sudo systemctl start bluetooth.service
sudo bluetoothctl
We are going to use an NRF24L01+ transceiver module (the PA+LNA version, for better range) to receive and emit signals, connected to a Raspberry Pi 3 as follows:
- The transceiver we use: NRF24L01+ PA+LNA
- Building a Raspberry Pi Gateway
- Step-by-step procedure to connect the NRF24L01+ to the GPIO pins and use the Raspberry as a Serial Gateway
- nRF24 on Raspberry Pi
Connect the following Raspberry Pi header pins to the associated NRF24L01+ pins:

| RASP (header pin) | NRF24L01+ (pin) |
|---|---|
| 17 (3.3V PWR) | 2 (V+) |
| 18 (GPIO24) | 8 (IRQ) |
| 19 (GPIO10, SPI0 MOSI) | 6 (MOSI) |
| 20 (GND) | 1 (GND) |
| 21 (GPIO9, SPI0 MISO) | 7 (MISO) |
| 22 (GPIO25) | 3 (CE) |
| 23 (GPIO11, SPI0 SCLK) | 5 (SCK) |
| 24 (GPIO8, SPI0 CS0) | 4 (CSN) |
We are going to use an existing Bluetooth sniffer project:
Notice:
To find where to copy the .lua Wireshark plugin, look up the paths for your system in the Wireshark GUI:
Help -> About Wireshark -> Folders -> Personal Plugin
The paths might be different on your system due to different compile time options for different Linux distributions.
Bluetooth scanner for local devices that may be vulnerable to Blueborne exploit
This directory contains a general testing framework to send and receive raw L2CAP messages (using scapy). It is used to establish L2CAP connections and gives control over every L2CAP message sent while the connection is being created.
Sources:
- Information leak vulnerability (CVE-2017-1000250): All Linux devices running BlueZ are affected. This vulnerability resides in the SDP server responsible for identifying other services using Bluetooth around the device. The flaw allows the attacker to send a set of crafted requests to the server, causing it to disclose memory bits in response. This can be used by an attacker to expose sensitive data from the Bluetooth process that may also contain encryption keys of Bluetooth communications. These can be used by the attacker to initiate an attack that very much resembles Heartbleed.
- A stack overflow in BlueZ (CVE-2017-1000251): This vulnerability was found in the Bluetooth stack of the Linux kernel, which is the very core of the operating system. An internal flaw in the L2CAP (Logical Link Control and Adaptation Protocol) that is used to connect two devices causes a memory corruption. An attacker can use this memory corruption to gain full control of the device.
- Info leak in the Linux kernel via Bluetooth (CVE-2017-1000410): This vulnerability lies in the processing of incoming L2CAP commands, the ConfigRequest and ConfigResponse messages. The info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow him to bypass KASLR and stack canary protection, as both pointers and stack canaries may be leaked in this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels which were built with the above mitigations.
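The ConfigRequest and ConfigResponse handling described above is where both the Linux stack overflow and the stack info leak live, so a monitor reading a btmon or Wireshark capture should at least sanity-check those messages. The following is an added example, not code from this project, from Armis or from the Linux kernel: a pure-Python parser that walks the option list of an L2CAP configuration message and flags malformed option lengths and oversized option lists. The 64-byte limit is an assumed threshold, not a value taken from the page, and the sample frames are constructed.

```python
import struct

SIGNALING_CID = 0x0001  # L2CAP signaling channel (Bluetooth Core spec)
CONF_REQ, CONF_RSP = 0x04, 0x05  # configuration request / response command codes
OPTION_LIMIT = 64  # assumed sanity threshold for the option list; not a spec value

def build_frame(code, ident, cmd):  # L2CAP basic header + command header (sample builder)
    body = struct.pack("<BBH", code, ident, len(cmd)) + cmd
    return struct.pack("<HH", len(body), SIGNALING_CID) + body

def parse_options(data):
    """Walk (type, length, value) configuration options; stop at the first malformed one."""
    opts, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            return opts, "truncated option header"
        otype, olen = data[pos], data[pos + 1]
        if pos + 2 + olen > len(data):
            return opts, "option length exceeds payload"
        opts.append((otype & 0x7F, data[pos + 2:pos + 2 + olen]))  # bit 7 is the hint flag
        pos += 2 + olen
    return opts, None

def inspect_signaling(frame):
    """Classify one L2CAP signaling frame; 'alerts' lists what a monitor should flag."""
    invalid = lambda why: {"kind": "invalid", "options": 0, "alerts": [why]}
    # basic header: 16-bit payload length, then 16-bit channel id, both little-endian
    if len(frame) < 8 or struct.unpack_from("<HH", frame, 0) != (len(frame) - 4, SIGNALING_CID):
        return invalid("not a well-formed signaling frame")
    code, _ident, clen = struct.unpack_from("<BBH", frame, 4)
    cmd = frame[8:]
    if len(cmd) != clen:
        return invalid("command length mismatch")
    if code == CONF_REQ and len(cmd) >= 4:  # DCID, flags, then options
        kind, opt_bytes = "ConfigRequest", cmd[4:]
    elif code == CONF_RSP and len(cmd) >= 6:  # SCID, flags, result, then options
        kind, opt_bytes = "ConfigResponse", cmd[6:]
    else:
        return {"kind": "other", "options": 0, "alerts": []}
    opts, err = parse_options(opt_bytes)
    alerts = [err] if err else []
    if len(opt_bytes) > OPTION_LIMIT:
        alerts.append("option list of %d bytes exceeds limit %d" % (len(opt_bytes), OPTION_LIMIT))
    return {"kind": kind, "options": len(opts), "alerts": alerts}

# Constructed sample frames (not real captures): normal MTU request, bad option length, oversized response
BENIGN_REQ = build_frame(CONF_REQ, 1, struct.pack("<HH", 0x0040, 0) + bytes([0x01, 0x02, 0xA0, 0x02]))
BAD_LEN_REQ = build_frame(CONF_REQ, 2, struct.pack("<HH", 0x0040, 0) + bytes([0x01, 0x09, 0xA0]))
OVERSIZE_RSP = build_frame(CONF_RSP, 3, struct.pack("<HHH", 0x0040, 0, 0x0004) + bytes([0x01, 0x02, 0xA0, 0x02]) * 20)
```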
The following directory contains PoC code for the Linux RCE vulnerability (CVE-2017-1000251). The exploits are tailored to specific firmware images of two devices: the Amazon Echo and the Samsung Gear S3.
Sources:
- ArmisSecurity-BlueBorne-linux_bluez
- White paper
- Blueborne explained at BlackHat EU 2017
- Bluetooth Worm and Linux Exploit Revealed by Armis
- Blueborne CVE-2017-1000251 PoC for linux machines
- Exploit CVE-2017-1000251
- littl tools
- Information leak vulnerability (CVE-2017-0785): The first vulnerability in the Android operating system reveals valuable information which helps the attacker leverage one of the remote code execution vulnerabilities described below. The vulnerability was found in the SDP (Service Discovery Protocol) server, which enables the device to identify other Bluetooth services around it. The flaw allows the attacker to send a set of crafted requests to the server, causing it to disclose memory bits in response. These pieces of information can later be used by the attacker to overcome advanced security measures and take control over the device. This vulnerability can also allow an attacker to leak encryption keys from the targeted device and eavesdrop on Bluetooth communications, in an attack that very much resembles Heartbleed.
- Remote code execution vulnerability #1 (CVE-2017-0781): This vulnerability resides in the Bluetooth Network Encapsulation Protocol (BNEP) service, which enables internet sharing over a Bluetooth connection (tethering). Due to a flaw in the BNEP service, a hacker can trigger a surgical memory corruption, which is easy to exploit and enables him to run code on the device, effectively granting him complete control. Due to the lack of proper authorization validations, triggering this vulnerability does not require any user interaction, authentication or pairing, so the targeted user is completely unaware of an ongoing attack.
- Remote code execution vulnerability #2 (CVE-2017-0782): This vulnerability is similar to the previous one, but resides in a higher level of the BNEP service, the Personal Area Networking (PAN) profile, which is responsible for establishing an IP-based network connection between two devices. In this case, the memory corruption is larger, but can still be leveraged by an attacker to gain full control over the infected device. Like the previous vulnerability, this one can also be triggered without any user interaction, authentication or pairing.
- The Bluetooth Pineapple, a Man-in-the-Middle attack (CVE-2017-0783): Man-in-the-Middle (MiTM) attacks allow the attacker to intercept and intervene in all data going to or from the targeted device. To create a MiTM attack using Wi-Fi, the attacker requires both special equipment and a connection request from the targeted device to an open Wi-Fi network. In Bluetooth, the attacker can actively engage his target using any device with Bluetooth capabilities. The vulnerability resides in the PAN profile of the Bluetooth stack, and enables the attacker to create a malicious network interface on the victim's device, re-configure IP routing and force the device to transmit all communication through the malicious network interface. This attack does not require any user interaction, authentication or pairing, making it practically invisible.

All Android phones, tablets, and wearables (except those using only Bluetooth Low Energy) of all versions are affected by four vulnerabilities found in the Android operating system, two of which allow remote code execution (CVE-2017-0781 and CVE-2017-0782), one results in an information leak (CVE-2017-0785) and the last allows an attacker to perform a Man-in-the-Middle attack (CVE-2017-0783).
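Both the Linux (CVE-2017-1000250) and Android (CVE-2017-0785) information leaks above are triggered through crafted requests to the SDP server, and one field whose length and consistency an SDP server must validate on every request is the continuation state of a ServiceSearchRequest. The validator below is an added example, not code from this project or from Armis: the PDU layout follows the Bluetooth SDP specification (big-endian header, data-element-encoded search pattern, 16-bit record count, then a length-prefixed continuation state of at most 16 bytes); the sample requests are constructed, and build_request exists only to produce them.

```python
import struct

SDP_SERVICE_SEARCH_REQ = 0x02
MAX_CONT_STATE = 16  # the Bluetooth SDP specification caps the continuation state at 16 bytes

def data_element_span(buf, pos):
    """Return the total size (header plus payload) of the SDP data element starting at pos."""
    if pos >= len(buf):
        raise ValueError("truncated data element header")
    type_idx, size_idx = buf[pos] >> 3, buf[pos] & 0x07
    if size_idx <= 4:  # fixed payload of 1, 2, 4, 8 or 16 bytes (zero for the nil type)
        return 1 + (0 if type_idx == 0 else 1 << size_idx)
    width = 1 << (size_idx - 5)  # an explicit 1-, 2- or 4-byte length field follows
    if pos + 1 + width > len(buf):
        raise ValueError("truncated data element length")
    return 1 + width + int.from_bytes(buf[pos + 1:pos + 1 + width], "big")

def inspect_service_search(pdu):
    """Validate an SDP ServiceSearchRequest PDU (big-endian: id, tid, param length, params)."""
    out = {"tid": None, "max_records": None, "cont_len": None, "alerts": []}
    if len(pdu) < 5 or pdu[0] != SDP_SERVICE_SEARCH_REQ or len(pdu) != 5 + struct.unpack_from(">H", pdu, 3)[0]:
        out["alerts"].append("not a well-formed ServiceSearchRequest")
        return out
    out["tid"], params = struct.unpack_from(">H", pdu, 1)[0], pdu[5:]
    try:
        pos = data_element_span(params, 0)  # skip the ServiceSearchPattern sequence
    except ValueError as exc:
        out["alerts"].append(str(exc))
        return out
    if pos + 3 > len(params):
        out["alerts"].append("truncated record count or continuation state")
        return out
    out["max_records"], out["cont_len"] = struct.unpack_from(">HB", params, pos)
    trailing = len(params) - (pos + 3)  # bytes actually present after the length byte
    if out["cont_len"] > MAX_CONT_STATE:
        out["alerts"].append("continuation state length %d exceeds spec maximum %d" % (out["cont_len"], MAX_CONT_STATE))
    if trailing != out["cont_len"]:
        out["alerts"].append("continuation state length %d does not match %d trailing bytes" % (out["cont_len"], trailing))
    return out

def build_request(tid, uuid16, max_records, cont_state, declared=None):  # sample builder only
    des = bytes([0x35, 0x03, 0x19]) + struct.pack(">H", uuid16)  # sequence holding one UUID16
    cont_len = len(cont_state) if declared is None else declared
    params = des + struct.pack(">HB", max_records, cont_len) + cont_state
    return struct.pack(">BHH", SDP_SERVICE_SEARCH_REQ, tid, len(params)) + params

# Constructed samples (not real captures): a normal first request and two malformed ones
GOOD_REQ = build_request(1, 0x0100, 16, b"")
LONG_CONT = build_request(2, 0x0100, 16, bytes(range(24)))
MISMATCH_CONT = build_request(3, 0x0100, 16, b"\x00", declared=2)
```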
Sources:
- ArmisSecurity-BlueBorne-Android
- White paper
- Blueborne - Android Take Over Demo
- BlueBorne explained at Hacktivity 2017
- BlueBorne on Android: Exploiting an RCE Over the Air
- CVE-2017-0785 PoC
- PoC for CVE-2017-0785
- Another CVE-2017-0785 PoC
- Implementation of the CVE-2017-0781 Android heap overflow vulnerability
- CVE-2017-0781 PoC
- The Bluetooth Pineapple #2, a Man-in-the-Middle attack (CVE-2017-8628): This vulnerability is identical to the one found in the Android operating system, and affects both systems since they shared the same principles in implementing some of the Bluetooth protocol. The vulnerability resides in the Bluetooth stack, and enables the attacker to create a malicious network interface on the victim's device, re-configure IP routing and force the device to transmit all communication through it. This attack does not require any user interaction, authentication or pairing, making it also practically invisible.

All Windows computers since Windows Vista are affected by the "Bluetooth Pineapple" vulnerability, which allows an attacker to perform a Man-in-the-Middle attack. Microsoft has issued security patches for all supported Windows versions on July 11, 2017, so we are going to find an older vulnerable image to reproduce the attack.
Sources:
Armis Guide: PROTECTING THE ENTERPRISE FROM BLUEBORNE