Summary: CVE-2024-43770 is a recently disclosed vulnerability in the gatts_process_find_info function of gatt_sr.cc that could lead to remote code execution with no additional execution privileges needed. The vulnerability can be exploited without any user interaction, which makes it particularly dangerous. This post outlines the details of the vulnerability, shares the relevant code snippet, and links to the original references.

Introduction: CVE-2024-43770 is a newly disclosed vulnerability affecting the gatts_process_find_info function in gatt_sr.cc. The issue is an out-of-bounds write caused by a missing bounds check, which could lead to remote code execution. Notably, the vulnerability can be exploited without any user interaction and does not require any additional execution privileges.

The problematic code is found in the gatts_process_find_info function of gatt_sr.cc:

void gatts_process_find_info(GATT_TCB* p_tcb, uint16_t op_code, BT_HDR* p_msg) {
  ...
  stream = p;

  /* there is no reason to get a type with length less than 3 bytes
   * if appropriate filters were set; we shouldn't return the type
   * with length less than 3 bytes */
  while (p_rsp->len < p_msg->len && p - stream < op_len - 4) {
    ...

    STREAM_TO_UINT16(handle, p);
    ...
    /* parse service UUID */
    if (op_code == GATT_REQ_FIND_TYPE_VALUE) {
      ...
    }
    // Here is the problematic use of memcpy
    memcpy(p_out, p, elem_len);
    p_out += elem_len;
    p += elem_len;
  }
}

The issue lies in the use of memcpy. The loop condition bounds the read position p against the input, but nothing checks that elem_len bytes still fit in the destination buffer at p_out before each copy. As a result, an attacker-controlled elem_len can drive an out-of-bounds write, leading to unpredictable behavior and potential remote code execution.
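To make the missing check concrete, here is an added, simplified model of the copy loop (it is not the AOSP gatt_sr.cc code). Each request element is modelled as a 2-byte handle followed by elem_len value bytes; the function name copy_elems_checked, the out_cap parameter and the sample request bytes are hypothetical constructions for this example, and the output-capacity check before memcpy is the check the vulnerable loop lacks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not AOSP code: a model of the gatts_process_find_info copy
 * loop with the missing destination bounds check added.  Copies elem_len
 * value bytes per element from `in` into `out`.  Returns the number of
 * bytes written, or -1 if an element would overrun either buffer. */
int copy_elems_checked(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap, size_t elem_len) {
    const uint8_t *p = in;
    uint8_t *p_out = out;
    size_t written = 0;

    /* Guard the size arithmetic below against wrap-around. */
    if (elem_len > in_len)
        return -1;

    /* Input bound: each iteration consumes a 2-byte handle + elem_len bytes
     * (this is the only bound the vulnerable loop enforces). */
    while ((size_t)(p - in) + 2 + elem_len <= in_len) {
        uint16_t handle = (uint16_t)(p[0] | (p[1] << 8)); /* STREAM_TO_UINT16 */
        p += 2;
        (void)handle;

        /* Output bound: the check missing in the original.  Without it,
         * memcpy writes past the end of the fixed-size response buffer. */
        if (elem_len > out_cap - written)
            return -1;

        memcpy(p_out, p, elem_len);
        p_out += elem_len;
        p += elem_len;
        written += elem_len;
    }
    return (int)written;
}

/* Constructed sample request: two elements, 2-byte handle + 4-byte value each. */
static const uint8_t SAMPLE_REQ[] = {
    0x01, 0x00, 0xAA, 0xBB, 0xCC, 0xDD,
    0x02, 0x00, 0x11, 0x22, 0x33, 0x44
};

/* Response buffer with room for both 4-byte values: expect 8 bytes written. */
int demo_fits(void) {
    uint8_t out[8];
    int n = copy_elems_checked(SAMPLE_REQ, sizeof SAMPLE_REQ, out, sizeof out, 4);
    return (n == 8 && out[0] == 0xAA && out[7] == 0x44) ? n : -2;
}

/* Response buffer too small for the second element: expect rejection (-1). */
int demo_rejected(void) {
    uint8_t out[6];
    return copy_elems_checked(SAMPLE_REQ, sizeof SAMPLE_REQ, out, sizeof out, 4);
}
```

With the same 12-byte request, the 6-byte response buffer is rejected before any write instead of being overrun by the second element.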

Exploit Details

A remote attacker could exploit this vulnerability by sending crafted packets containing elements of a specific size. Because of the missing bounds check, these elements are written past the end of the intended buffer, corrupting adjacent memory and potentially resulting in code execution. No user interaction or additional privileges are required, which makes the vulnerability particularly dangerous.

Original References

- The following link provides detailed technical information about the vulnerability, including affected software versions and possible fixes: NVD - CVE-2024-43770
- This link serves as the original source of the vulnerability disclosure and includes in-depth analysis and proof-of-concept code: Project Zero - Out of Bounds Write in gatt_sr.cc

Conclusion

CVE-2024-43770 is a potentially dangerous remote code execution vulnerability caused by a missing bounds check in the gatts_process_find_info function of gatt_sr.cc. It requires no user interaction to exploit and can lead to remote code execution without additional privileges. Applying the necessary patches and updates to affected systems is essential to mitigate the risk posed by this vulnerability.

Timeline

Published on: 01/21/2025 23:15:13 UTC
Last modified on: 01/22/2025 18:15:19 UTC