---
Introduction
---
CVE-2024-43096 is a recently disclosed vulnerability in the build_read_multi_rsp function of gatt_sr.cc, the GATT server implementation in Android's Bluetooth stack. The flaw is an out-of-bounds write that could lead to remote code execution over Bluetooth, with no additional execution privileges required and no user interaction needed. In this post, we walk through the affected code, how the bug can be triggered, and where to find the original references.
Code Snippet
---
The vulnerability lies in the response-building logic of build_read_multi_rsp in gatt_sr.cc. The snippet below is abridged (elided lines are shown as `...`); the response buffer is sized once, then filled in a loop that trusts each attribute's length:
```cpp
uint8_t *p_rsp = NULL;   // response buffer, allocated below
uint16_t len = 0;        // computed size of the response
...
...
// calculation of len
...
p_rsp = (uint8_t *)osi_malloc(len);   // heap buffer of exactly len bytes
...
...
for (int i = 0; i < num_handles; ++i) {
  ...
  // No bounds check on the p_rsp buffer: cur_offset + value_len is never compared to len
  memcpy(&p_rsp[cur_offset], p_attr->p_value, p_attr->value_len);
  cur_offset += p_attr->value_len;
  ...
}
```
The loop copies value_len bytes to p_rsp at cur_offset without first verifying that cur_offset + value_len stays within the len bytes that osi_malloc() returned. If the attribute values selected by a request add up to more than the buffer was sized for, the memcpy() writes past the end of a heap allocation. A heap out-of-bounds write of this kind is the primitive an attacker would build on to corrupt adjacent heap data and ultimately execute code.
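To make the defect concrete, here is an added example (not code from AOSP's gatt_sr.cc, and not the project's fix) that models a read-multiple response builder with constructed types and sample data. It measures how far the unchecked loop from the snippet would write into a buffer of a given size, without actually performing the overflow, and places a bounds-checked builder beside it that refuses any value that does not fit. The `gatt_attr_t` type, the `RSP_BUDGET` size, and the three attribute values are all hypothetical.

```c
/* Added example: constructed model of the copy loop in build_read_multi_rsp.
 * Not AOSP code; types, names and sample values are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a stored GATT attribute value. */
typedef struct {
    uint16_t handle;
    uint16_t value_len;
    const uint8_t *p_value;
} gatt_attr_t;

/* Hypothetical size the response buffer was allocated with (e.g. MTU minus the
 * one-byte ATT opcode for the default ATT_MTU of 23). */
#define RSP_BUDGET 22u

/* Reproduces the accumulation of the unchecked loop on the page: every
 * value_len is trusted and cur_offset is never compared to the buffer length.
 * This only measures the write extent; it does not touch memory. */
size_t unchecked_write_extent(const gatt_attr_t *attrs, size_t num_handles) {
    size_t cur_offset = 0;
    for (size_t i = 0; i < num_handles; ++i)
        cur_offset += attrs[i].value_len;   /* same arithmetic as before each memcpy */
    return cur_offset;
}

/* Hardened form: check the remaining capacity before every memcpy.
 * Returns bytes written, or -1 if a value would not fit (caller sends an
 * ATT error instead of a truncated or corrupting response). */
int build_read_multi_rsp_checked(const gatt_attr_t *attrs, size_t num_handles,
                                 uint8_t *p_rsp, size_t len) {
    size_t cur_offset = 0;
    for (size_t i = 0; i < num_handles; ++i) {
        const gatt_attr_t *p_attr = &attrs[i];
        /* Compare against the remaining space by subtraction so the check itself
         * cannot wrap the way cur_offset + value_len could. */
        if (p_attr->value_len > len - cur_offset)
            return -1;
        memcpy(&p_rsp[cur_offset], p_attr->p_value, p_attr->value_len);
        cur_offset += p_attr->value_len;
    }
    return (int)cur_offset;
}

/* Constructed sample: 4 + 8 + 16 = 28 bytes, more than RSP_BUDGET. */
static const uint8_t v1[] = {0x01, 0x02, 0x03, 0x04};
static const uint8_t v2[] = {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x10, 0x11};
static const uint8_t v3[] = {0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
                             0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f};
static const gatt_attr_t sample_attrs[] = {
    {0x0003, sizeof v1, v1},
    {0x0005, sizeof v2, v2},
    {0x0007, sizeof v3, v3},
};
#define SAMPLE_COUNT (sizeof sample_attrs / sizeof sample_attrs[0])

/* Runs both builders on the sample. Returns true when the unchecked extent
 * exceeds the buffer, the checked builder rejects the full set, and the
 * checked builder accepts the first two values (12 bytes). */
bool demo(void) {
    uint8_t rsp[RSP_BUDGET];
    size_t extent = unchecked_write_extent(sample_attrs, SAMPLE_COUNT);
    int all = build_read_multi_rsp_checked(sample_attrs, SAMPLE_COUNT, rsp, sizeof rsp);
    int two = build_read_multi_rsp_checked(sample_attrs, 2, rsp, sizeof rsp);
    printf("unchecked loop would write %zu of %u bytes; checked: all=%d, first two=%d\n",
           extent, RSP_BUDGET, all, two);
    return extent > RSP_BUDGET && all == -1 && two == 12;
}

int main(void) { return demo() ? 0 : 1; }
```

Running it prints that the unchecked loop would write 28 bytes into a 22-byte buffer, while the checked builder returns -1 for the same input. The key design point is that the check happens per attribute, against `len - cur_offset`, rather than once up front: a single early size calculation can disagree with what the loop later copies, which is exactly the shape of the bug described above.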
Exploit Details
---
To exploit this vulnerability, an attacker within Bluetooth range of the target would send crafted GATT read-multiple requests, the request type whose response build_read_multi_rsp assembles. A request that selects attribute values exceeding the space the response buffer was allocated with would make the copy loop write past the end of that heap buffer, corrupting adjacent memory and potentially leading to execution of attacker-controlled code.
Because no user interaction is required, a device could be compromised silently, without the owner's knowledge. No additional execution privileges are needed either, so the Bluetooth stack's own process is the foothold, which makes this a significant risk for any device running the affected code.
Original References
---
The vulnerability's details were disclosed in a security advisory:
- Security Advisory: CVE-2024-43096
The affected source file can be found in the project's source repository:
- Vulnerable gatt_sr.cc Implementation
Users are urged to apply the relevant patches and follow recommended security practices to mitigate the risks associated with this vulnerability.
Conclusion
---
In summary, CVE-2024-43096 is a critical out-of-bounds write in the build_read_multi_rsp function of gatt_sr.cc that could allow an attacker in Bluetooth range to achieve remote code execution via crafted GATT requests. Users should be aware of the risk and apply the appropriate patches or recommended security measures as soon as they are available.
Stay tuned for updates on this vulnerability, and remember to always prioritize your device's security by keeping software up-to-date and following best security practices.
Timeline
Published on: 01/21/2025 23:15:13 UTC
Last modified on: 01/22/2025 18:15:19 UTC