CVE-2024-43096 - Bluetooth Vulnerability in build_read_multi_rsp (gatt_sr.cc) Allows Remote Code Execution

In June 2024, a critical Bluetooth vulnerability was identified under CVE-2024-43096. It affects the build_read_multi_rsp function in gatt_sr.cc, component of the Android Bluetooth stack. The issue arises due to a missing bounds check, opening the door for attackers to execute out-of-bounds writes. This bug could allow remote (proximal/adjacent) code execution without any user interaction or additional privileges.

In this article, we'll explain the vulnerability, walk through the affected code, discuss potential exploit paths, and provide original references for further reading.

Vulnerability Details

CVE-2024-43096 specifically impacts the function build_read_multi_rsp in the GATT server implementation. The code fails to properly check whether the response buffer has enough space when handling multiple read requests. This oversight can be abused by a nearby attacker sending crafted Bluetooth GATT multi-read requests.

Let's look at a simplified code excerpt from gatt_sr.cc (the heart of the bug)

// build_read_multi_rsp function snippet
uint8_t* p_rsp = response_buffer;
for (int i = ; i < num_handles; i++) {
    // ... omitted code ...
    memcpy(p_rsp, attr_value, attr_value_len); // No bounds check!
    p_rsp += attr_value_len;
}

The error?
There's no check to ensure that p_rsp doesn't move past the end of response_buffer. So if a remote client requests enough attributes, or tricks the stack into reading a long enough attribute, memory is overwritten. That can corrupt critical data—or worse, allow the attacker to execute their own code.

Before copying data, the code should verify there's enough space left

// Fixed code with bounds checking
if ((p_rsp + attr_value_len) <= (response_buffer + rsp_buffer_size)) {
    memcpy(p_rsp, attr_value, attr_value_len);
    p_rsp += attr_value_len;
} else {
    // Handle error: prevent the out-of-bounds write.
}

How the Exploit Works

1. Proximal attacker (e.g., someone near you at a café) connects to your device via Bluetooth GATT.

This memory corruption can be achieved without user action—even if your phone is locked.

5. With careful exploitation, attacker-controlled data is written to memory. This could potentially result in:

Any custom devices using the same stack

- Some Linux systems with upstreamed code, depending on kernel/stack version

Proof-of-Concept Exploit

Below is a pseudo-Python code demonstrating the general idea—for educational purposes only!

# Requires a BLE library (e.g., pygatt)
# Note: Not a working exploit, but outlines the logic

import pygatt

adapter = pygatt.GATTToolBackend()
adapter.start()

device = adapter.connect('AA:BB:CC:DD:EE:FF')  # Target device

# Prepare a Multi-Read Request with too many handles or large attribute sizes
handles = [x0001] * 100  # Exaggerate the amount

# Typically, you'd have to format your payload according to the Bluetooth spec
# ... send the malicious request to the device

device.char_read_multi(handles)  # Hypothetical function
# Device's buffer gets overflowed

adapter.stop()

With additional work, a skilled attacker could chain this overflow to get arbitrary code execution, for instance, by corrupting a function pointer or return address in memory.

References and More Reading

- CVE-2024-43096 - NVD official entry
- Android Security Bulletin (June 2024)
- Bluetooth SIG Exploit Advisory
- Bluetooth GATT Server Source: AOSP - gatt_sr.cc

Conclusion

CVE-2024-43096 is a clear example of how a simple missing bounds check can have severe real-world consequences—potentially allowing drive-by compromise just via Bluetooth. Patching and awareness are key. Whenever possible, avoid keeping Bluetooth enabled in untrusted environments until your device receives security updates.

Timeline

Published on: 01/21/2025 23:15:13 UTC
Last modified on: 01/22/2025 18:15:19 UTC