Hi Team,

Summary

While fuzzing gattlib using clang 6.0 with ASAN, a stack-based buffer overflow was observed in gattlib.c and discover.c.

Vulnerable code from gattlib.c

```c
// Transform string from 'DA:94:40:95:E0:87' to 'dev_DA_94_40_95_E0_87'
strncpy(device_address_str, dst, sizeof(device_address_str));
for (i = 0; i < strlen(device_address_str); i++) {
	if (device_address_str[i] == ':') {
		device_address_str[i] = '_';
	}
}
```

Vulnerable code from discover.c

```c
if (argc != 2) {
	printf("%s <device_address>\n", argv[0]);
	return 1;
}

connection = gattlib_connect(NULL, argv[1], BDADDR_LE_PUBLIC, BT_SEC_LOW, 0, 0);
if (connection == NULL) {
	fprintf(stderr, "Fail to connect to the bluetooth device.\n");
	return 1;
}
```

Also, I have figured out a simple way to reproduce this rather than using the AFL PoC in this case.

ASAN

I have also written a quick MSF module for this, specifically the exploit() part:

```ruby
def exploit
  connect
  print_status("Sending #{payload.encoded.length} byte payload...")
  # Building the buffer for transmission
  buf = "A" * 20
  buf += [target.ret].pack('V')
  buf += payload.encoded
  sock.put(buf)
  sock.get
  handler
end
```

In addition, a memory leak was also observed in this case.

OR to verify,

Request team to have a look and validate.
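The root cause in the gattlib.c snippet is that `strncpy()` does not NUL-terminate the destination when the source is at least as long as the buffer, so the following `strlen()` walks off the end of the stack array. The example below is added here to illustrate that failure mode and a hardened replacement; it is not gattlib's code. The 20-byte buffer size, the `BT_ADDR_LEN` constant and the function names `strncpy_leaves_unterminated`, `bt_addr_to_dev_name` and `dev_name_or_null` are assumptions for illustration. The first function reproduces the copy step and reports, without calling `strlen()`, whether the buffer was left unterminated; the second validates the input as a `XX:XX:XX:XX:XX:XX` address before producing the `dev_...` name, so oversized or malformed input is rejected instead of being copied.

```c
#define _POSIX_C_SOURCE 200809L  /* for strnlen() */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes (not taken from gattlib): a 20-byte stack buffer as in the
   report's pattern, and the 17-character length of a Bluetooth address. */
#define DEV_ADDR_BUF_LEN 20
#define BT_ADDR_LEN 17

/* Mirrors the report's copy step and returns true when strncpy() left the
   buffer without a terminating NUL. That is exactly the state in which the
   original loop's strlen() reads past the end of the stack array; memchr()
   is used here so the check itself stays inside the buffer. */
static bool strncpy_leaves_unterminated(const char *input)
{
    char buf[DEV_ADDR_BUF_LEN];
    strncpy(buf, input, sizeof(buf));
    return memchr(buf, '\0', sizeof(buf)) == NULL;
}

/* Hardened transform: validates the address format first, bounds every
   scan, and fails cleanly when the output buffer is too small.
   Returns true on success; on failure `out` is an empty string. */
static bool bt_addr_to_dev_name(char *out, size_t out_len, const char *addr)
{
    if (out_len > 0)
        out[0] = '\0';

    /* Bounded scan: an oversized or unterminated input cannot run off the end. */
    size_t n = strnlen(addr, BT_ADDR_LEN + 1);
    if (n != BT_ADDR_LEN)
        return false;

    /* Positions 2,5,8,11,14 must be ':'; every other position a hex digit. */
    for (size_t i = 0; i < BT_ADDR_LEN; i++) {
        if ((i % 3) == 2) {
            if (addr[i] != ':')
                return false;
        } else if (!isxdigit((unsigned char)addr[i])) {
            return false;
        }
    }

    /* snprintf() always terminates; a truncated result is treated as an error. */
    int written = snprintf(out, out_len, "dev_%s", addr);
    if (written < 0 || (size_t)written >= out_len) {
        if (out_len > 0)
            out[0] = '\0';
        return false;
    }
    for (char *p = out + 4; *p != '\0'; p++) {
        if (*p == ':')
            *p = '_';
    }
    return true;
}

/* Convenience wrapper returning the converted name or NULL when rejected. */
static const char *dev_name_or_null(const char *addr)
{
    static char name[DEV_ADDR_BUF_LEN + 8];
    return bt_addr_to_dev_name(name, sizeof(name), addr) ? name : NULL;
}

int main(void)
{
    /* Constructed inputs: the address from the report's comment, an oversized
       string of the kind a fuzzer produces, and a malformed address. */
    const char *inputs[] = {
        "DA:94:40:95:E0:87",
        "AAAAAAAAAAAAAAAAAAAAAAAAA",
        "zz:94:40:95:E0:87",
    };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        const char *name = dev_name_or_null(inputs[i]);
        printf("%-26s -> %-24s (strncpy left buffer unterminated: %s)\n",
               inputs[i], name ? name : "rejected",
               strncpy_leaves_unterminated(inputs[i]) ? "yes" : "no");
    }
    return 0;
}
```

Running it shows the 17-character address converting normally while the 25-byte input both trips the unterminated-buffer check and is rejected by the validating version; the same validation step in `discover.c` before `gattlib_connect()` would stop untrusted `argv[1]` from ever reaching the copy.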