CVE CyberSecurity Database News

CVE-2023-21273 - Out-of-Bounds Write in SDP_AddAttribute – How This Bluetooth Vulnerability Enables Remote Code Execution

Poster -

Bluetooth is a technology we use every day, but under the hood, it’s a complex software stack that sometimes hides dangerous vulnerabilities. In this article, we dive into CVE-2023-21273, a critical bug in the way Bluetooth’s Service Discovery Protocol (SDP) handles attributes. If exploited, this weakness could allow someone nearby to run malicious code on your Android device — no permission or user interaction required.

What is CVE-2023-21273?

CVE-2023-21273 is a vulnerability found in the SDP_AddAttribute function of sdp_db.cc, part of Android’s Bluetooth stack (AOSP Bluetooth). Due to a mistake in the way the code checks input lengths, an attacker can overwrite memory outside of a designated buffer. This issue can be triggered remotely by someone in Bluetooth range — so-called “proximal” or “adjacent” attack — with no extra permissions or user help.

No extra permissions needed

Official advisory:  
https://source.android.com/security/bulletin/2023-07-01

The Technical Details

The issue lives in the SDP_AddAttribute function, a piece of code that handles adding a new attribute to an SDP record. The Service Discovery Protocol is used for advertising Bluetooth services.

Here’s the crux: A bad length check allows writing past the end of a memory buffer. An attacker who crafts a malicious SDP packet can trigger this out-of-bounds write. Depending on what data gets overwritten, they might be able to hijack program execution and run arbitrary code.

Let’s look at a pseudocode version

// Simplified demonstration only!
bool SDP_AddAttribute(SDP_RECORD *rec, uint16_t attr_id, uint8_t attr_type, uint32_t len, uint8_t *p_val) {
    ATTRIBUTE *p_attr;

    // ... other checks

    // INCORRECT BOUNDS CHECK
    if (len <= MAX_ATTRIBUTE_LEN) {
        memcpy(p_attr->value, p_val, len);  // No check if 'len' is valid for 'p_attr->value'
    }
    // ...
}

What went wrong?
If MAX_ATTRIBUTE_LEN is not strictly enforced — or is not the true maximum for the buffer — this allows an attacker to send a packet with "len" too big for p_attr->value, and overwrite past the buffer.

Exploit Scenario

1. Attacker gathers info: The attacker is nearby and can reach the target over Bluetooth (in discovery or pairing mode).

2. Sends malicious SDP data: They send a specially crafted SDP packet with an attribute length that tricks the system.

3. Memory overwrite: The code writes data outside its allocated region, corrupting memory structure.

4. Gaining control: With a carefully designed payload, the attacker takes control — possibly jumping to attacker-supplied code.

Diagram

[ Malicious device ] <--Bluetooth packet--> [ Vulnerable Android device ]
      |
[Sends overlong attribute to SDP_AddAttribute]
      |
[Out-of-bounds write triggers]
      |
[Exploit! Remote code executes]

Proof-of-Concept Snippet

Below is an illustrative Python snippet using PyBluez, showing how one might initiate a raw SDP request. NOTE: This is NOT a full exploit, but shows the setup phase.

import bluetooth

target_bd_addr = "XX:XX:XX:XX:XX:XX"  # Target Bluetooth device
service_matches = bluetooth.find_service(address=target_bd_addr)

if len(service_matches) == :
    print("Couldn't find the service.")
    exit()

first_match = service_matches[]
port = first_match["port"]
name = first_match["name"]

print(f"Connecting to \"{name}\" on {target_bd_addr}")

# Normally, one would construct a malformed SDP record here:
# For example, sending an attribute with a longer 'len' than buffer can hold.

# WARNING: Sending malformed packets may break things or violate laws.

Creating a full exploit would require in-depth knowledge of SDP internals and may be illegal without permission.

Android Security Bulletin (July 2023):

https://source.android.com/security/bulletin/2023-07-01

AOSP Bluetooth code:

https://cs.android.com/android/platform/superproject/+/android-13.._r6:packages/modules/Bluetooth/system/stack/sdp/sdp_db.cc

MITRE CVE-ID description:

https://nvd.nist.gov/vuln/detail/CVE-2023-21273

Mitigation & Advice

- Update your device: Always install the latest Android security updates. This bug was patched in July 2023.

Closing Thoughts

CVE-2023-21273 shows that even small logic errors in low-level code can open the door to serious remote attacks. Bluetooth is convenient, but users and developers should stay alert to these risks. Always keep your devices patched!

If you want more technical details or would like to see a deep-dive on how out-of-bounds writes become real-world exploits, let us know in the comments.

Timeline

Published on: 08/14/2023 22:15:12 UTC
Last modified on: 08/18/2023 19:44:13 UTC