CVE CyberSecurity Database News

CVE-2024-0031 - Out-of-Bounds Write in att_protocol.cc Allows Remote Code Execution with No User Interaction

Poster -

A new critical vulnerability, CVE-2024-0031, has been discovered in the popular Bluetooth stack implementation, specifically within the function attp_build_read_by_type_value_cmd of att_protocol.cc. This flaw is due to improper input validation, which can result in an out-of-bounds (OOB) write. In certain scenarios, an attacker can exploit this vulnerability to remotely execute arbitrary code on the target system without any user interaction or elevated privileges.

In this article, we break down how this vulnerability arises, offer code snippets to demonstrate the issue, and explore how an exploitation might work in the real world.

The vulnerability exists in the function

void attp_build_read_by_type_value_cmd(uint8_t *buf, int buf_len, uint16_t start_handle, uint16_t end_handle, const uint8_t *uuid, int uuid_len)

Located in att_protocol.cc (source code file from various Bluetooth/IoT stacks).

What is going wrong?

Parameter validation is incomplete. The function takes a buffer pointer and a buffer length, then writes data into the buffer—but it does not properly check whether it is writing past the end of the buffer. If an attacker manages to cause this function to write more data than buf_len, the program will overwrite memory outside the allocated buffer — an *out of bounds write*.

A simplified version of the problematic function might look like this

void attp_build_read_by_type_value_cmd(uint8_t *buf, int buf_len, 
    uint16_t start_handle, uint16_t end_handle, 
    const uint8_t *uuid, int uuid_len) 
{
    int offset = ;

    buf[offset++] = SOME_OPCODE;                    // 1 byte
    buf[offset++] = start_handle & xFF;            // 2 bytes
    buf[offset++] = (start_handle >> 8) & xFF;
    buf[offset++] = end_handle & xFF;              // 2 bytes
    buf[offset++] = (end_handle >> 8) & xFF;

    for (int i = ; i < uuid_len; i++) {
        buf[offset++] = uuid[i];                    // (uuid_len) bytes
    }

    // * Missing check: offset should not exceed buf_len *
}

No checks ensure that offset never exceeds buf_len.

What should have happened?

Before each write (especially inside the loop), the function should verify that offset < buf_len. If not, it should abort or limit copying.

How Can It Be Exploited?

- Remote Attack Vector: An attacker controlling the Bluetooth communication channel supplies a *crafted payload* with a large uuid_len, overflowing the buffer.
- No User Interaction Needed: If this function is called in response to receiving Bluetooth packets, the victim doesn’t have to do anything—they just have to be in range of the attacker.
- No Extra Privileges: The vulnerable code runs with Bluetooth process permissions, enough to escalate to code execution in the process context.

Attacker crafts a Bluetooth packet with a maliciously large UUID field.

2. The target device receives the packet, calling attp_build_read_by_type_value_cmd with these attacker-controlled inputs.

The function writes beyond the bounds of the buffer, corrupting adjacent memory.

4. With careful picking of overwrite values, the attacker can control instruction flow—potentially achieving arbitrary code execution.

Real-World Impact

- Exploitable over Bluetooth: Devices with exposed Bluetooth services, such as phones, laptops, headsets, or IoT devices.

No pairing needed: Many implementations parse packets before authentication.

- Possible RCE (Remote Code Execution): An attacker can run code on the target device—a full compromise.

To fix the bug, always enforce buffer boundaries

for (int i = ; i < uuid_len && offset < buf_len; i++) {
    buf[offset++] = uuid[i];
}

Or, better, use safe memory copy functions such as memcpy_s that take the buffer size as an argument and fail gracefully on overflow.

Patch Example

-    for (int i = ; i < uuid_len; i++) {
-        buf[offset++] = uuid[i];
-    }
+    if (offset + uuid_len <= buf_len) {
+        memcpy(buf + offset, uuid, uuid_len);
+        offset += uuid_len;
+    } else {
+        // handle error, abort, or truncate safely
+    }

References

- NIST NVD Record for CVE-2024-0031 (example)
- Common Coding Pitfalls: Buffer Overflows by Microsoft
- Bluetooth Core Specification

Conclusion

*CVE-2024-0031* is a critical vulnerability—a remotely reachable out-of-bounds write in Bluetooth stack code. The bug is dangerous because it takes just a crafted packet from a nearby attacker, no user interaction or privileges needed, to potentially take over vulnerable systems.

If your products use affected Bluetooth stack code, apply vendor patches immediately. If you’re a developer, always validate buffer sizes and never trust input lengths. This basic secure coding principle can prevent many major bugs and keep your users safe.

Timeline

Published on: 02/16/2024 02:15:50 UTC
Last modified on: 08/01/2024 13:45:54 UTC