A recent vulnerability has been discovered in the Android Open Source Project (AOSP) affecting Android versions 11 through 13, with the potential to give attackers remote code execution. This vulnerability has been assigned the CVE identifier CVE-2023-21085 and is an out-of-bounds write in the nci_snd_set_routing_cmd function of nci_hmsgs.cc, part of the NFC Controller Interface (NCI) layer of Android's NFC stack.

In this blog post, we will be analyzing the specifics of this vulnerability, presenting a code snippet to better understand the issue, and discussing the potential exploit that attackers can use to compromise devices running affected Android versions.

Vulnerability Details

The root cause of this vulnerability resides in the nci_snd_set_routing_cmd function of nci_hmsgs.cc. A bounds check is missing, so an attacker-controlled length can cause the function to write past the end of the command buffer. Such an out-of-bounds write can potentially lead to remote code execution and is considered highly dangerous.

You can find the original reference for this vulnerability in Android's vulnerability tracker, under the Android ID A-264879662:

- Android Bug Tracker: A-264879662

The Code Snippet

Below is a simplified code snippet that illustrates the missing bounds check in the nci_snd_set_routing_cmd function that leads to the vulnerability (it is an illustration of the pattern, not the literal AOSP source):

void nci_snd_set_routing_cmd(uint8_t* p_buffer, uint8_t param_id, uint8_t* p_sub_id) {
  uint8_t* p_len = p_buffer + 1;  // length byte of the command header (unused in this excerpt)
  uint8_t* p = p_buffer + 4;      // write cursor into the fixed-size command buffer

  // ...

  // Serialise the routing entry; nothing here compares the bytes about to be
  // written against the remaining space in p_buffer.
  UINT8_TO_STREAM(p, param_id);   // param_id is one byte, so a one-byte write
  UINT8_TO_STREAM(p, *p_sub_id);
  p_sub_id++;                     // advance to the next sub id

  // Bounds check is missing here

  switch (param_id) {
    case NCI_SET_ROUTING_LISTEN_AID_PARAM_ID:
      // ... variable-length AID value copied into p_buffer
      break;
    case NCI_SET_ROUTING_LISTEN_PROTOCOL_PARAM_ID:
      // ...
      break;
    case NCI_SET_ROUTING_LISTEN_TECH_PARAM_ID:
      // ...
      break;
    default:
      break;
  }
}
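For contrast, here is the hardened form of the same pattern as an added example (it is not AOSP code and not the actual patch): a routing-command serialiser that computes the total length and rejects the input before any byte is written. The buffer size, entry layout and field names are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CMD_BUF_SIZE 64      /* constructed fixed-size command buffer */
#define MAX_ENTRY_VALUE 254  /* 1-byte length field also covers sub_id */

/* One routing entry: parameter id, sub id and a variable-length value.
 * Field names are assumptions for this example, not the AOSP layout. */
typedef struct {
  uint8_t param_id;
  uint8_t sub_id;
  const uint8_t *value;
  size_t value_len;
} routing_entry_t;

/* Serialises [more][count] then per entry [id][len][sub_id][value...].
 * Returns bytes written, or -1 if the input would not fit. The total is
 * computed and checked BEFORE any write, which is the check the
 * vulnerable function lacked. */
int build_set_routing_cmd(uint8_t *buf, size_t buf_len,
                          const routing_entry_t *entries, size_t n, uint8_t more) {
  if (n > UINT8_MAX) return -1;                 /* count field is 1 byte */
  size_t need = 2;
  for (size_t i = 0; i < n; i++) {
    if (entries[i].value_len > MAX_ENTRY_VALUE) return -1;  /* len is 1 byte */
    need += 3 + entries[i].value_len;
  }
  if (need > buf_len) return -1;                /* would overrun buf */
  uint8_t *p = buf;
  *p++ = more;
  *p++ = (uint8_t)n;
  for (size_t i = 0; i < n; i++) {
    *p++ = entries[i].param_id;
    *p++ = (uint8_t)(entries[i].value_len + 1); /* sub_id + value */
    *p++ = entries[i].sub_id;
    memcpy(p, entries[i].value, entries[i].value_len);
    p += entries[i].value_len;
  }
  return (int)(p - buf);
}

/* Constructed sample: one 5-byte AID entry fits in 64 bytes -> returns 10. */
int example_valid_entry(void) {
  uint8_t buf[CMD_BUF_SIZE] = {0};
  const uint8_t aid[5] = {0xA0, 0x00, 0x00, 0x00, 0x03};
  routing_entry_t e = {0x00, 0x01, aid, sizeof aid};
  int n = build_set_routing_cmd(buf, sizeof buf, &e, 1, 0);
  /* header (2) + id/len/sub_id (3) + value (5) = 10; len field = 6 */
  return (n == 10 && buf[1] == 1 && buf[3] == 6 && buf[9] == 0x03) ? n : -1;
}

/* Constructed sample: a 200-byte value is rejected (-1), not written. */
int example_oversized_entry(void) {
  uint8_t buf[CMD_BUF_SIZE] = {0};
  uint8_t big[200];
  memset(big, 0x41, sizeof big);
  routing_entry_t e = {0x01, 0x02, big, sizeof big};
  return build_set_routing_cmd(buf, sizeof buf, &e, 1, 0);
}
```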

Exploitation

An attacker does not require any additional execution privileges to exploit this vulnerability, nor do they need any user interaction. Because the affected code sits in the NFC Controller Interface layer, the attack surface is NFC: an attacker in close physical proximity to the target device can deliver malicious payloads that trigger the out-of-bounds write and alter memory outside the intended buffer.

This can potentially result in remote code execution, allowing an attacker to execute arbitrary code on the target device with no additional privileges needed.

Mitigation

The Android Security Team has released a patch to address this issue in the Android Open Source Project. It is crucial for Android device manufacturers to apply this patch and release updated firmware to their customers. Users should ensure their devices are updated to the latest available Android version and security patches to mitigate this vulnerability.

Conclusion

CVE-2023-21085 is a high-risk security vulnerability in the nci_snd_set_routing_cmd function of nci_hmsgs.cc, affecting Android versions 11 through 13. It is essential for users to update their devices to the latest available Android version and security patches to protect themselves from potential exploits leveraging this vulnerability. Developers should apply the patch provided by the Android Security Team and ensure that their code is regularly audited for potential security issues.

Timeline

Published on: 04/19/2023 20:15:00 UTC
Last modified on: 04/25/2023 22:16:00 UTC