About the vulnerable source code #20
Comments
|
Hi @cxjcxggg unfortunately not. |
|
Hi @Matheus-Garbelini , sad to know that. I am also interested in zephyr vulnerabilities you found. The zephyr project is open-source, does that mean I can have the source code which triggers the CVEs? |
|
@cxjcxggg yes, for zephyr you can find the specific merges here: |
|
@Matheus-Garbelini , I got it, thanks a lot! |
|
Hi @Matheus-Garbelini , it's me again. I won't open a new issue so that I won't bother you. I am trying to reproduce the invalid channel map vulnerability (CVE-2020-10069) on Zephyr project, it is fixed in zephyr v2.3.0, so I need to use v2.2.0 or v2.2.1. I successfully connected the nrf52840 dongle with the nrf52840 DK via bluetooth using bluetooth peripheral sample in the latest zephyr project. But when I try to build the sample in zephyr v2.2.0, some problems arose because of the different zephyr project version. Therefore, I think I may also need to change the Zephyr SDK's version so that it could work with zephyr v2.2.0. But which one should I use? How can I reproduce the attack? Thank you so much. |
|
Hi, you can try using west to force update everything:
https://boseji.com/docs/zephyr/tipstricks/update-zephyr-sdk/
Otherwise you need to follow the steps pointed by the older documentation
for 2.2.0 here:
https://docs.zephyrproject.org/2.2.0/getting_started/index.html#install-software-development-toolchain
The SDK version seems to be 0.11.2
Also, make sure to get zephyr version before the patch was introduced. They
did a backport to other versions such as 2.2.0, so checkout a zephyr commit
before sweyntooth fixes was introduced for 2.2.0.
The specific commits that fixed sweyntooth can be seen in their disclosure
page for invalid channel map. You can then checkout the previous commit to
that.
Regards.
…On Thu, Mar 25, 2021, 11:58 PM cxjcxggg ***@***.***> wrote:
Hi @Matheus-Garbelini <https://github.com/Matheus-Garbelini> , it's me
again. I won't open a new issue so that I won't bother you. I am trying to
reproduce the invalid channel map vulnerability (CVE-2020-10069) on Zephyr
project, it is fixed in zephyr v2.3.0, so I need to use v2.2.0 or v2.2.1. I
successfully connected the nrf52840 dongle with the nrf52840 DK via
bluetooth using bluetooth peripheral sample in the latest zephyr project.
But when I try to build the sample in zephyr v2.2.0, some problems arose
because of the different sdk version.
[image: 捕获]
<https://user-images.githubusercontent.com/63034168/112502667-3871fc00-8dc5-11eb-813a-2f047d7c025d.PNG>
Therefore, I think I also need to change the Zephyr SDK's version so that
it could work with zephyr v2.2.0. But which one should I use? How can I
reproduce the attack? Thank you so much.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#20 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABRKRBE2U5PGVIEBUN24SF3TFNMSPANCNFSM4ZBPP3GA>
.
|
|
Hi @Matheus-Garbelini , thanks for your help. I have addressed the issues about the zephyr project. Then I set the nrf52840 dongle in DFU mode and use command
So I try to manually flash the firmware with the Programmer app in nRF connect for Desktop, but still fails.
Close the Programmer and open the BLE app, but the device can't be opened.
I don't know which step goes wrong. Do I have to use the firmware you provide? I can establish BLE connection with my nrf52840 DK with sniffer hex on nrf52840 dongle. Can I run the |
|
Hi @cxjcxggg I'm not sure what you are trying to do. The sniffer and our attacker firmware are different things. If you see your led blinking green after flashing our firmware than you can run the exploits. Do not try to use it as an sniffer instead. Regards. |
|
Hi @Matheus-Garbelini , sorry for the confuse. I have finally successfully reproduced the vulnerability! Lol!
I always thought that I needed to connect the nrf52840 dongle to the peripheral before running the script. What I was trying to say yesterday is that I couldn't establish the bluetooth connection with the peripheral after flashing the firmware. So I actually got stuck because of misunderstanding about the way to use the script you provide. Anyway, I am so excited. Appreciate your kindness a lot! Regards. |
|
@cxjcxggg good to know. Use it with responsibility 😃 👍 Division by zero is always funny. |
Hi @Matheus-Garbelini , I want to dig a little bit deeper into CVE-2020-13594. I wonder how I can have the source code of the esp32 static Bluetooth library? They seem to be close-source. Did you have the source code during your work?
The text was updated successfully, but these errors were encountered: