Researchers Released PoC For Windows Bluetooth Service RCE Vulnerability

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Microsoft addressed a Remote code execution vulnerability on their Bluetooth service on March 2023 Patch Tuesday.

This vulnerability could allow an unauthorized threat actor to run a certain function on the Windows Bluetooth driver, which could lead to executing arbitrary code on the vulnerable system. 

However, a threat actor must have access to the same network as the victim system before exploiting this vulnerability. This issue was associated with Bluetooth Low Energy (BLE) and advertising to provide a brief insight.

Windows Bluetooth Service RCE Vulnerability

According to the reports shared with Cyber Security News, BLE is used to send large amounts of data in short periods using BLE protocols.

On the other hand, Advertising is used by BLE-compatible devices to broadcast data for different purposes, including allowing scanning devices to detect these compatible devices.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

Advertising information that is broadcasted by devices including several information such as name of the device, ID of the manufacturer, type and capabilities of the device and indicators that inform the receiving device on the connection possibilities. 

This transmission of data is done in three steps with the first one being the advertising host setting up advertising parameters among which one of them is the advertising data.

The second step involves a BLE packet containing this advertising data transferred between the controllers. Whereas the third one is the receiving sending a HCI (Host Controller Interface) event containing advertising data to the host. 

Two HCI events, LE Advertising Report and LE Extended Advertising Report, perform the transfer of advertising data to the host.

LE Advertising Report structure (Source: Ynwarcs)
LE Extended Advertising Report structure (Source: Ynwarcs)

Vulnerability Analysis

Windows Bluetooth Stack consists of multiple different drivers, services and user-mode libraries that are quite complex in their architecture.

However, the advertising data with several pieces of information is received by the BLE-compatible device and is parsed in different places. 

Windows Bluetooth Stack (Source: Ynwarcs)

For this, Microsoft has implemented a static library that is linked into the modules.

There are two functions in this library which play a major role in parsing the advertising data which are, BTHLELib_ADValidateEx and BthLeLib_ADValidateBasic.

BTHLELib_ADValidateEx is the function that external modules call for transforming the advertisement data into a more suitable format.

BthLeLib_ADValidateBasic ensures each advertisement section has the correct length and does not extend past the end of the data.

Further, it also counts the total number of sections in the data which BthLELib_ADValidateEx then uses to allocate memory for the array of output sections.

This is where the vulnerability lies which is triggered when a 8-bit unsigned integer having more than 255 sections in the data will result in variable overflow.

This eventually leads to a count value lower than the actual number of sections that will also cause the amount of memory allocated for the sections array lower than expected. 

This will result in out-of-bounds write vulnerability when the data from individual sections is copied into the memory that must belong to the section array.

The execution of this vulnerability with 257 empty section advertisement data is sent to the vulnerable system that will cause the BthLeLib_ADValidateBasic, num_sections to be equal to 1, and the amount of memory allocated for the sections array will be 0x153 bytes.

Further, the 257 iterations will result in a length of the variable larger than the allocated buffer which will be overwritten at offset 0x153 past the end of the memory.

However, this vulnerability was fixed by exiting BthLeLib_ADValidateBasic with an error if *out_num_sections ever reaches 255 on their Patch Tuesday of March 2023.

Further, a proof-of-concept for this vulnerability has also been published on GitHub.

This vulnerability is more likely exploitable by threat actors due to several facts like full control of the advertising data that can be used to control the number of sections in data to make the allocation fall into any heap that they want.

Products affected by this vulnerability includes,

  • Windows Server 2022
  • Windows Server 2022 (Server Core InstallatioN)
  • Windows 10 version 22H2 (ARM, x64)
  • Windows 11 version 21H2 (ARM, x64)
  • Windows 11 version 22H2 (ARM, x64)
  • Windows 10 version 20H2 (ARM)

Users of these Windows products are recommended to upgrade to their latest version to prevent unauthorized exploitation of this vulnerability by threat actors.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free