
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What: Deep-dive exploitation of Android’s Fluoride Bluetooth Host stack via CVE-2023-40129, an integer-underflow in the GATT server’s Read Multiple Variable response builder that yields a ~64KB heap overflow. The post shows end-to-end, no-user-interaction RCE against devices using both jemalloc and Scudo, building reliable read/write primitives, bypassing ASLR via callback hijacking, and finally executing shellcode. Includes a minimal PoC trigger and a reusable tooling framew...

🔧 Technical Details

GATT multi-read integer-underflow → overflow (CVE-2023-40129): In variable-length Read Multiple responses, subtracting (total_len - mtu) without accounting for the +2 length field underflows len. Set a small MTU and request enough attributes so len becomes 0xFFFE; the memcpy() copies ~64KB past the buffer.

Unauth + multi-channel via Just Works: Use Just Works pairing to open additional L2CAP channels (e.g., GAP/AVCTP) without UI. Note it’s non‑MITM‑safe (some GATT ops still restricted) and can break existing pairing for the same BDADDR; adequate for exploitation chains needing multiple channels.

ACL congestion to persist controlled allocations: With controller-level flow control (e.g., Cypress vendor HCI), declare ACL congestion so Fluoride queues responses (notably L2CAP signaling CONFIG REJ). These queued messages persist and are attacker-shaped for heap feng shui.

🤖 Agent Actions

I analyzed the Synacktiv blog “Paint it blue: Attacking the bluetooth stack”, explored the repository, and identified the best place to incorporate this highly technical Bluetooth/L2CAP/ATT/GATT exploitation content. The pentesting-network section did not yet cover Bluetooth, and the only existing BLE doc lives under todo/radio-hacking (not integrated into the Network methodology), so I added a concise, technical “Bluetooth (L2CAP/ATT/GATT) Attacks” section into the canonical Network Methodology page.

What I added

  • A new subsection in src/generic-methodologies-and-resources/pentesting-network/README.md titled “Bluetooth (L2CAP/ATT/GATT) Attacks”

    • Reachability and PSMs in Android Fluoride, and the L2CA_Register2 registration context (where/why services are reachable unauthenticated)
    • BlueBlue tooling (built on BlueBorne L2CAP infra) with a minimal usage snippet
    • Root cause of CVE-2023-40129 (GATT Read Multiple Variable integer-underflow → ~64KB heap overflow), with a compact PoC trigger and an expandable code block for the vulnerable builder function
    • Practical exploitation primitives:
      • ACL congestion and CONFIG REJ spraying for persistent controlled heap allocations
      • ERTM-based persistence and ordering
      • BT_HDR layout, relative read (len) and relative write (offset) primitives
    • ASLR bypass and arbitrary call via libchrome base::Bind callback hijack from AVRCP SDP, using a dispatcher gadget and list_clear() for multi-call (mprotect, then jump)
    • Allocator-specific notes:
      • jemalloc (heap shaping strategy and reader/writer/executor chain)
      • Scudo mixing constraints and the AArch64 pivot gadget
    • Operational notes (Just Works pairing constraints, post-exploitation handler)
  • Updated the “## References” section in the same file with:

Files modified

  • src/generic-methodologies-and-resources/pentesting-network/README.md
    • Inserted the new “Bluetooth (L2CAP/ATT/GATT) Attacks” section before the Telecom (GTP) subsection
    • Appended two relevant references to the existing “## References” section

Why here

  • The Network Methodology is the most discoverable general place for protocol-layer exploitation content like L2CAP/ATT/AVCTP/ERTM primitives and host-stack RCE chains. The blog’s techniques are broadly reusable for Bluetooth stack exploitation on Android and align with “Pentesting Network.”
  • I avoided creating a new page to comply with “only one modified file” and to keep Bluetooth attacks in the same top-level methodology used by Wi-Fi and other network protocol exploitation guides.

If you want me to also integrate a cross-link from the existing BLE “todo/radio-hacking” page to this new section, I can do that in a future pass (would require modifying that second file).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
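A constructed C model of the length arithmetic described under Technical Details, added here as an illustration and not code from this PR, the HackTricks page or Fluoride itself: the vulnerable computation (2-byte length field counted only after the fit check, so the uint16 subtraction wraps to 0xFFFE) beside a bounds-checked version that refuses to subtract until the operands are proven ordered. Function names, the buffer layout and the 23-byte MTU are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of the CVE-2023-40129 bug class, not Fluoride's source.
 * In a variable-length Read Multiple response every value is prefixed by a
 * 2-byte length field; total_len counts the bytes already in the response. */

/* Vulnerable pattern: the prefix is added to total_len, then the value is
 * shrunk by (total_len + len - mtu). When the response was already full on
 * entry (total_len == mtu), that subtraction wraps the uint16 to 0xFFFE, and
 * a memcpy of len bytes would run ~64KB past the buffer. */
uint16_t value_len_vuln(uint16_t total_len, uint16_t mtu, uint16_t val_len) {
  uint16_t len = val_len;
  total_len += 2;                          /* length field of this value */
  if (total_len + len > mtu)
    len -= (total_len + len) - mtu;        /* underflows when total_len > mtu */
  return len;                              /* 0xFFFE in the full-buffer case */
}

/* Hardened pattern: compute the remaining room before touching total_len and
 * stop when not even the length field fits. Returns false to end building. */
bool value_len_fixed(uint16_t total_len, uint16_t mtu, uint16_t val_len,
                     uint16_t *out) {
  if (total_len >= mtu) return false;      /* nothing fits, no subtraction */
  uint16_t room = mtu - total_len;         /* provably > 0 */
  if (room <= 2) return false;             /* prefix alone would overflow */
  room -= 2;
  *out = val_len < room ? val_len : room;  /* truncate to what really fits */
  return true;
}

/* Bounded append for the hardened path: length prefix + at most `len` bytes. */
bool append_value_fixed(uint8_t *rsp, uint16_t mtu, uint16_t *total_len,
                        const uint8_t *val, uint16_t val_len) {
  uint16_t len;
  if (!value_len_fixed(*total_len, mtu, val_len, &len)) return false;
  rsp[*total_len] = (uint8_t)(len & 0xff); /* little-endian 2-byte length */
  rsp[*total_len + 1] = (uint8_t)(len >> 8);
  memcpy(rsp + *total_len + 2, val, len);
  *total_len += 2 + len;
  return true;
}

/* Demo: three 10-byte values into a 23-byte (minimum ATT MTU) response.
 * Returns the final total_len; the third value is refused, never overflowed. */
uint16_t fill_demo(void) {
  uint8_t rsp[23] = {0}, val[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
  uint16_t total_len = 0;
  while (append_value_fixed(rsp, sizeof rsp, &total_len, val, sizeof val)) {}
  return total_len;                        /* 12 after #1, 23 after #2 */
}
```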

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.synacktiv.com/publications/paint-it-blue-attacking-the-bluetooth-stack.html

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources > Pentesting Network > Bluetooth (L2CAP/ATT/GATT) Attacks".

Repository Maintenance:

  • MD Files Formatting: 906 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit a75a291 into master Nov 7, 2025
@carlospolop carlospolop deleted the update_Paint_it_blue__Attacking_the_bluetooth_stack_20251027_183112 branch November 7, 2025 01:36