CVE-2024-43770 - Out-of-Bounds Write in Android Bluetooth GATT Could Lead to Remote Code Execution

A new security vulnerability, CVE-2024-43770, has been identified in Android's Bluetooth stack, specifically in the GATT (Generic Attribute Profile) server implementation. The issue lies in the gatts_process_find_info function in the source file gatt_sr.cc. Due to a missing bounds check, a malicious device in close proximity can trigger an out-of-bounds write, which may result in remote code execution on the target device without any user interaction or special privileges.

In this post, we'll break down the vulnerability in simple language, see what the code looks like, how an attack could work, and point you to further reading and references.

What Is CVE-2024-43770?

- Vulnerability Type: Out-of-bounds Write / Memory Corruption

Affected Component: Android Bluetooth GATT Server (gatt_sr.cc)

- Impact: Remote (proximity/adjacent) code execution with Bluetooth enabled, no user interaction, no additional privileges.

Where Is the Vulnerability?

The affected code is inside the gatts_process_find_info function of gatt_sr.cc. This function handles processing of the ATT (Attribute Protocol) "Find Information" request, which is part of how Bluetooth LE devices discover each other's services.

A missing bounds check when writing data (such as attribute handles and types) to the response buffer allows a remote attacker to overwrite memory beyond the intended limits.

Below is a simplified and annotated reproduction (not actual code) for educational purposes

void gatts_process_find_info(tGATTS_CB* p_cb, tGATT_TCB* p_tcb, ...) {
    uint8_t* p_rsp = response_buffer;
    int rsp_len = ;
    // Max buffer size is GATT_MAX_ATTR_LEN
    for (/* each attribute found*/) {
        // Write handle
        UINT16_TO_STREAM(p_rsp, attr_handle);

        // Write UUID
        memcpy(p_rsp, attr_uuid, uuid_len);
        p_rsp += uuid_len;

        rsp_len += (2 + uuid_len);
        // MISSING: check if (rsp_len > GATT_MAX_ATTR_LEN)
    }
    // ... send response ...
}

Notice how memcpy() and UINT16_TO_STREAM are used to write into a buffer whose size isn't checked after each write. If too many attributes are found, or an attacker crafts a response that causes overflow, memory beyond response_buffer will be written to. This opens the door to memory corruption and possible code execution.

Initiate a Find Information request to the target device’s GATT server.

2. Manipulate the request (e.g., request an attribute range or service that causes the buffer to overflow during response processing).

Overwrite adjacent memory to control program behavior, potentially leading to remote code execution.

No physical access or user interaction (like pairing dialog) is needed.

Proof-of-Concept (PoC)

Here’s a *conceptual example* of how such an exploit might look in Python using BLE libraries (actual exploit may require advanced fuzzing and custom BLE stacks):

from bluepy.btle import Peripheral

# Spoofed device connects to the target
target_mac = "XX:XX:XX:XX:XX:XX"
peripheral = Peripheral(target_mac)

# Send crafted Find Information Request
# Simulate requesting an attribute range that causes overflow
# (Details omitted: would require precise manipulation based on target's GATT table)

# In a real-world PoC, attacker would use a BLE SDK or raw HCI commands 
# to control the exact layout and trigger the bug.

DISCLAIMER: Exploitation details are simplified. Actual exploitation for code execution is non-trivial and requires deep stack understanding, reverse engineering, and likely a custom attacker firmware.

Mitigation and Recommendations

- Patch: Google has patched this vulnerability in Android June 2024 security bulletin, rated as "Critical".

References and Further Reading

- Google Android Security Bulletin - June 2024
- Bluetooth SIG: GATT Overview
- Commit fixing the bug (when available)
- What is Out-of-Bounds Write? (MITRE)

Conclusion

CVE-2024-43770 is a serious bug that could allow anyone near your device to exploit Android's Bluetooth stack and take control over your phone just by being nearby. If you're responsible for managing Android devices (either personally or for work), patch as soon as security updates are available.

Bluetooth vulnerabilities like this show why timely OS updates are critical. Stay safe, and keep your software current!


*This post is exclusive and explains the issue in clear, simple terms, covering both the technical and practical aspects of the threat.*

Timeline

Published on: 01/21/2025 23:15:13 UTC
Last modified on: 01/22/2025 18:15:19 UTC