In November 2022, a vulnerability in Android’s Bluetooth stack was published. This issue, labeled CVE-2022-20445, affects Android versions 10 through 13 and could allow attackers to read information beyond intended boundaries, potentially exposing sensitive data. Since it requires neither user interaction nor extra permissions, it is considered quite dangerous in practical mobile attack scenarios.
This article will break down what CVE-2022-20445 is, how it can be triggered, and the risks involved. We’ll also walk through the code to understand what went wrong and point you to original resources for deep dives.
> TL;DR:
> CVE-2022-20445 is a Bluetooth vulnerability in Android’s sdp_discovery.cc source file. Improper input validation leads to an out-of-bounds read, possibly exposing private memory over Bluetooth—no user action required.
What’s SDP?
Bluetooth uses the Service Discovery Protocol (SDP) for discovering services on remote devices—like whether a device supports hands-free profiles, object exchange, and more. The SDP involves exchanging response packets between devices.
Where’s the Bug?
The code flaw lies in the process_service_search_rsp function of the file sdp_discovery.cc in the AOSP (Android Open Source Project) Bluetooth stack.
Vulnerable Function Path
system/bt/stack/sdp/sdp_discovery.cc
Root Cause
The vulnerable function fails to properly check bounds when parsing the ServiceSearchResponse packet over Bluetooth. An attacker can craft a maliciously short or malformed packet, making the Android Bluetooth stack read memory outside the expected buffer—an “out of bounds read.”
This could leak memory contents, revealing data like stack cookies, previous connections, or possibly even application data.
No special app permissions or user actions are needed: Simply being within Bluetooth range might be enough.
Let’s look at a simplified version of the problem:
```c
// sdp_discovery.cc - simplified example (not the real AOSP source)
#include <stdint.h>
#include <string.h>

// Read a 16-bit value from the stream and advance the pointer. Defined here
// for the simplified example; multi-byte SDP fields are big-endian on the wire.
#define STREAM_TO_UINT16(u16, p)                                  \
  {                                                               \
    (u16) = (uint16_t)(((uint16_t)(p)[0] << 8) | (p)[1]);         \
    (p) += 2;                                                     \
  }

static uint8_t buffer[256]; // destination for the response payload
uint16_t total_length;      // Should be validated against what was received
uint16_t num_attr;
// ... (other fields)

void process_service_search_rsp(uint8_t *p, uint16_t len) {
  // ...parsing code...
  STREAM_TO_UINT16(total_length, p);
  // total_length is the number of bytes we expect to parse further.
  // Note that it is read from the packet itself, so it is attacker-controlled.
  if (total_length > len) {
    // Intended: bail out if the response claims more than was received
    return; // Some earlier Android versions miss this check!
  }
  // ...now copy and process total_length bytes from 'p'
  memcpy(buffer, p, total_length); // <--- dangerous if total_length > len
  // ...parse the buffer
}
```
The Fix:
The patched version adds stricter bounds checks before copying and parsing packet data.
Attack Scenario
- Attacker (with specialized hardware or a purpose-built Bluetooth device) crafts a malformed SDP response.
- Attacker sends the malformed packet.
- Android device processes the response, reads past the buffer, and may send back data or leak internal information.
- Listen via sniffer or debug the Android device to check for signs of a memory leak.
Tools:
A valid SDP response looks somewhat like this (simplified for the example):
[x02][x00][x05][data1][data2][data3][data4]
But a malicious one might claim a much larger length, causing the parser to read more than what was actually sent:
[x02][x00][xFF][data1]
Here, the length field x00FF claims 255 bytes, but only 1 data byte is actually sent, so the parser reads or copies 255 bytes and runs past the end of the received packet: an out-of-bounds read.
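To make the missing check concrete, here is an added example (not AOSP code, and not from the original post) of a bounds-checked parser for the simplified layout used above, [pdu id][len hi][len lo][payload...]. It treats the received length as the only trustworthy bound and rejects both packets shown above whose claimed length exceeds what arrived; the buffer size, helper names and sample packets are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SDP_MAX_PAYLOAD 64  /* assumed size of the receive buffer in this example */

/* Parse the simplified layout [pdu id][len hi][len lo][payload...].
 * `len` is the number of bytes actually received and is the only trustworthy
 * bound; `total_length` comes from the packet and is attacker-controlled.
 * Returns the number of payload bytes copied into `out`, or -1 on a malformed
 * packet (the rejection path the unpatched parser lacked). */
int parse_service_search_rsp(const uint8_t *pkt, size_t len,
                             uint8_t *out, size_t out_cap)
{
    if (pkt == NULL || len < 3) return -1;          /* header must be complete */

    /* Length field is big-endian, as multi-byte SDP fields are on the wire. */
    uint16_t total_length = (uint16_t)((pkt[1] << 8) | pkt[2]);
    const uint8_t *payload = pkt + 3;
    size_t remaining = len - 3;

    if (total_length > remaining) return -1;        /* claims more than was received */
    if (total_length > out_cap) return -1;          /* would overrun the destination */

    memcpy(out, payload, total_length);             /* now provably in bounds */
    return (int)total_length;
}

/* Parse into a local buffer and return the parser's verdict. */
int parse_into_local(const uint8_t *pkt, size_t len)
{
    uint8_t buf[SDP_MAX_PAYLOAD];
    return parse_service_search_rsp(pkt, len, buf, sizeof buf);
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t kGoodRsp[]  = {0x02, 0x00, 0x04, 0xA1, 0xA2, 0xA3, 0xA4}; /* claims 4, sends 4 */
static const uint8_t kShortRsp[] = {0x02, 0x00, 0xFF, 0xA1};                   /* claims 255, sends 1 */
static const uint8_t kTruncRsp[] = {0x02, 0x00};                               /* header cut off */

int main(void)
{
    printf("good : %d\n", parse_into_local(kGoodRsp, sizeof kGoodRsp));   /* 4 */
    printf("short: %d\n", parse_into_local(kShortRsp, sizeof kShortRsp)); /* -1 */
    printf("trunc: %d\n", parse_into_local(kTruncRsp, sizeof kTruncRsp)); /* -1 */
    return 0;
}
```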
Real-World Impact
- Remote information disclosure: adjacent attackers can obtain pieces of RAM from the victim device.
- Users: Update your device with the latest Android security patch.
- OEMs/Developers: Check the change in the AOSP patch.
References and Further Reading
- Android Security Bulletin (November 2022)
- CVE-2022-20445 at NIST
- AOSP Patch Commit
- BlueZ project (for emulating Bluetooth attacks)
Conclusion
CVE-2022-20445 is a great example of how tiny oversights in low-level code can turn into significant security bugs. The Bluetooth stack is vast and intricate, with huge potential for cross-device attacks. Remember to always keep your device up to date and review Bluetooth permissions and discoverability settings!
Timeline
Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 15:05:00 UTC