CVE-2023-21108: Use after Free Vulnerability in Android SDP Bluetooth Discovery, Leading to Remote Code Execution
CVE-2023-21108 is a use-after-free in the Service Discovery Protocol (SDP) code of Android's Bluetooth stack. Google rates it Critical because it can lead to remote code execution over Bluetooth when Hands-Free Profile (HFP) support is enabled on the device. No additional execution privileges are needed, and no user interaction is required for exploitation.
In this post, we walk through what is known about this vulnerability: the affected module and function, the bug class and why it turns into an out-of-bounds write, what the public record says about exploitation, and the fix.
Affected Component
The Android Security Bulletin locates the bug in sdp_discovery.cc, the client side of the SDP implementation that issues service searches and parses the peer's responses. This post concentrates on sdpu_build_uuid_seq(), the SDP utility helper the discovery code calls to serialise its list of UUID filters into a data element sequence for a search request.
Vulnerability Details
The root cause is a use-after-free: a pointer to memory that has already been released is still dereferenced. Because the stale pointer is written through, the bulletin classifies the consequence as a possible out-of-bounds write.
The post's own fragment for sdpu_build_uuid_seq() follows. It is pseudocode rather than the AOSP source: it does not compile as written (the parameter list is unterminated and the assignments are not valid C++), so treat it only as a sketch of the function's job, which is to serialise a caller-supplied list of UUIDs into an output buffer:
BOOLEAN sdpu_build_uuid_seq(uuid_seq_t *p_uuid_seq, uint8_t *p,
{
p_uuid_seq->num_uuids, UUID_TYPE = p, p_uuid_seq->uuids =
p_uuid_seq->num_uuids, UUID_TYPE + p_uuid_seq->num_uuids, UUID_TYPE +
p_uuid_seq->uuids;
return;
}
In essence, sdpu_build_uuid_seq() builds a UUID sequence: an SDP data element sequence whose elements are the 16-, 32- or 128-bit UUIDs of the Bluetooth services being searched for. The hazard is that the structure behind p_uuid_seq can be released while the discovery code still holds the pointer. A later call then writes into freed memory; once the allocator has handed that chunk to another object, the same write corrupts that object instead. That is the out-of-bounds write the bulletin describes, and an attacker who shapes the SDP exchange that drives these calls has a memory-corruption primitive to build remote code execution on.
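To make the data structure concrete, here is an added example, written for this post and not taken from AOSP, of what a bounds-checked UUID sequence builder and parser look like. The type and size descriptor values are the SDP data element encoding from the Bluetooth Core Specification; the function names, the sdp_uuid_t type and the sample UUID list (Headset 0x1108 and Handsfree 0x111E, the service classes an HFP device advertises) are this example's own. The out_len and in_len comparisons are exactly the bounds an out-of-bounds write or read would violate.

```c
/* Added illustration, not AOSP code: SDP UUID data element sequence
 * encoder and decoder with explicit bounds checks. Names, types and the
 * sample UUID list below are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Data element header byte: type descriptor in the upper 5 bits,
 * size descriptor in the lower 3 (Bluetooth Core Spec, Vol 3 Part B, 3.3). */
#define SDP_DE_TYPE_UUID        3
#define SDP_DE_TYPE_SEQ         6
#define SDP_DE_SIZE_2           1   /* 2-byte element */
#define SDP_DE_SIZE_4           2   /* 4-byte element */
#define SDP_DE_SIZE_16          4   /* 16-byte element */
#define SDP_DE_SIZE_NEXT_BYTE   5   /* length follows in one byte */
#define SDP_DE_SIZE_NEXT_WORD   6   /* length follows in two big-endian bytes */

typedef struct {
    uint8_t len;        /* 2, 4 or 16 */
    uint8_t bytes[16];  /* big-endian UUID bytes */
} sdp_uuid_t;

/* Serialise num_uuids UUIDs as one sequence into out[0..out_len).
 * Returns bytes written, or 0 if the result would not fit. */
size_t sdp_build_uuid_seq(uint8_t *out, size_t out_len,
                          const sdp_uuid_t *uuids, size_t num_uuids)
{
    size_t body = 0;
    for (size_t i = 0; i < num_uuids; i++) {
        if (uuids[i].len != 2 && uuids[i].len != 4 && uuids[i].len != 16) return 0;
        body += 1 + uuids[i].len;               /* header byte + UUID */
    }
    size_t hdr = body <= 0xFF ? 2 : 3;          /* header byte + 1 or 2 length bytes */
    if (body > 0xFFFF || hdr + body > out_len) return 0;   /* the bound an OOB write breaks */

    size_t p = 0;
    out[p++] = (uint8_t)(SDP_DE_TYPE_SEQ << 3 |
                         (hdr == 2 ? SDP_DE_SIZE_NEXT_BYTE : SDP_DE_SIZE_NEXT_WORD));
    if (hdr == 2) {
        out[p++] = (uint8_t)body;
    } else {
        out[p++] = (uint8_t)(body >> 8);
        out[p++] = (uint8_t)body;
    }
    for (size_t i = 0; i < num_uuids; i++) {
        uint8_t sz = uuids[i].len == 2 ? SDP_DE_SIZE_2
                   : uuids[i].len == 4 ? SDP_DE_SIZE_4 : SDP_DE_SIZE_16;
        out[p++] = (uint8_t)(SDP_DE_TYPE_UUID << 3 | sz);
        memcpy(out + p, uuids[i].bytes, uuids[i].len);
        p += uuids[i].len;
    }
    return p;
}

/* Decode a peer-supplied UUID sequence from in[0..in_len). Every declared
 * length is checked against the bytes actually present, and the caller's
 * output capacity is a bound too. Returns the UUID count, or -1 if malformed. */
int sdp_parse_uuid_seq(const uint8_t *in, size_t in_len,
                       sdp_uuid_t *out, size_t max_uuids)
{
    if (in_len < 2 || (in[0] >> 3) != SDP_DE_TYPE_SEQ) return -1;
    size_t p = 1, body;
    switch (in[0] & 7) {
    case SDP_DE_SIZE_NEXT_BYTE: body = in[p++]; break;
    case SDP_DE_SIZE_NEXT_WORD:
        if (in_len < 3) return -1;
        body = (size_t)in[p] << 8 | in[p + 1]; p += 2; break;
    default: return -1;
    }
    if (body > in_len - p) return -1;           /* claimed length exceeds the buffer */
    size_t end = p + body;
    int n = 0;
    while (p < end) {
        uint8_t type = in[p] >> 3, sz = in[p] & 7;
        p++;
        size_t len;
        if (type != SDP_DE_TYPE_UUID) return -1;
        if (sz == SDP_DE_SIZE_2) len = 2;
        else if (sz == SDP_DE_SIZE_4) len = 4;
        else if (sz == SDP_DE_SIZE_16) len = 16;
        else return -1;
        if (len > end - p) return -1;           /* element runs past the sequence */
        if ((size_t)n >= max_uuids) return -1;  /* would overflow the caller's array */
        out[n].len = (uint8_t)len;
        memcpy(out[n].bytes, in + p, len);
        n++; p += len;
    }
    return n;
}

/* Constructed sample input: the two 16-bit service class UUIDs of an HFP device. */
static const sdp_uuid_t k_hfp_uuids[2] = {
    { 2, { 0x11, 0x08 } },   /* Headset */
    { 2, { 0x11, 0x1E } },   /* Handsfree */
};
static uint8_t g_buf[16];

size_t demo_build(void) { return sdp_build_uuid_seq(g_buf, sizeof g_buf, k_hfp_uuids, 2); }
size_t demo_build_too_small(void) {
    uint8_t small[7];   /* one byte short of the 8 needed: must be refused, not overrun */
    return sdp_build_uuid_seq(small, sizeof small, k_hfp_uuids, 2);
}
int demo_parse(void) {
    sdp_uuid_t got[4];
    int c = sdp_parse_uuid_seq(g_buf, demo_build(), got, 4);
    if (c != 2 || got[1].len != 2 || got[1].bytes[0] != 0x11 || got[1].bytes[1] != 0x1E) return -1;
    return c;
}
int demo_reject_overlong(void) {
    /* Constructed hostile input: header claims 0x20 body bytes but only 6 follow. */
    const uint8_t evil[8] = { 0x35, 0x20, 0x19, 0x11, 0x08, 0x19, 0x11, 0x1E };
    sdp_uuid_t got[4];
    return sdp_parse_uuid_seq(evil, sizeof evil, got, 4);
}
int main(void) {
    printf("built %zu bytes, parsed %d UUIDs, overlong input -> %d\n",
           demo_build(), demo_parse(), demo_reject_overlong());
    return 0;
}
```

The encoded form of the sample is 0x35 0x06 followed by 0x19 0x11 0x08 and 0x19 0x11 0x1E: a sequence header with a one-byte length, then two UUID16 elements. The two failure paths are the ones that matter for a bug like this: the builder refuses a buffer one byte too small instead of writing past it, and the parser rejects a header whose declared length exceeds what was actually received.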
Exploit Details
No user interaction is required. The precondition is that HFP support is enabled on the target. An attacker within Bluetooth range needs the target's Bluetooth device address and then drives the SDP exchange with specially crafted packets; since sdp_discovery.cc is the client side of SDP, the hostile data arrives in the responses to the victim's own service searches.
A Linux host running BlueZ, the stock Linux Bluetooth stack, is the usual platform for building such a malicious peer. However, no public exploit or proof of concept accompanies this advisory, and this post does not supply the specific trigger, as that would mainly serve misuse.
Mitigation & Patch
Google tracks the issue as Android ID A-239414876 and shipped the fix in the June 2023 Android Security Bulletin (security patch level 2023-06-05); the affected AOSP versions are Android 11, 12, 12L and 13. A device whose security patch level is 2023-06-05 or later carries the fix. Users should install the latest Android security update as soon as their OEM makes it available, since this and the other Bluetooth fixes in that bulletin reach devices only through those updates.
Conclusion
CVE-2023-21108 is a critical use-after-free in Android's SDP Bluetooth discovery code that can lead to remote code execution over Bluetooth, without user interaction, when HFP support is enabled. Applying the June 2023 security patch level or later is the fix. Until then, users can shrink the attack surface by keeping Bluetooth off when it is not in use, keeping the device non-discoverable, and turning off the hands-free (phone calls) profile for paired accessories that do not need it.
Timeline
Published on: 06/15/2023 19:15:00 UTC
Last modified on: 06/21/2023 12:54:00 UTC