ASA-2019-00012 – Linux: Heap address information leak while using L2CAP_GET_CONF_OPT


Allele Security Alert

ASA-2019-00012

Identifier(s)

ASA-2019-00012, CVE-2019-3459

Title

Heap address information leak while using L2CAP_GET_CONF_OPT

Vendor(s)

The Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel since 2.6.12-rc2

Fixed version(s)

Unknown

Proof of concept

Unknown

Description

A flaw was found in the Linux kernel's implementation of the Logical Link Control and Adaptation Protocol (L2CAP), part of the Bluetooth stack.

An attacker within range of a standard Bluetooth transmission can send a specially crafted packet. The response to this packet can contain part of a kernel heap address (the address of the socket buffer holding the received data), which can be used in a further attack.

Technical details

In the function l2cap_get_conf_opt() in net/bluetooth/l2cap_core.c, which parses configuration options during L2CAP connection negotiation, the output parameter 'val' is dual-use. If the option length is 1, 2 or 4, the option value is copied out of the input buffer (received over Bluetooth) and returned by value. For any other length, 'val' is instead set to a pointer into that buffer, i.e. the value is returned by reference. The buffer is the data area of a kernel socket buffer (SKB).

Because the length is taken from the same buffer, and the buffer is received over Bluetooth, the attacker decides whether 'val' is filled with a value or with a kernel pointer. The caller later treats 'val' as a value or as a pointer based on a separate 'type' field, which is also attacker-controlled and comes from the same buffer. The caller assumes that 'val' matches 'type' and uses it by value or by reference accordingly; that assumption is the bug. An attacker can send a configuration response whose option type is MTU (consumed as a 2-byte value from 'val') but whose length is 3. The resulting MTU is then the two low bytes of the pointer to the SKB data, and it is leaked back to the attacker when the kernel echoes the MTU in its reply. This is a form of type confusion arising without any elaborate type system.
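The following user-space model, added here as an illustration and not taken from the kernel sources or from the researchers' proof of concept, reproduces the dual-use 'val' parameter and the by-value MTU consumer described above. The struct, the helper and the consumer are simplified and their names only mirror the kernel's; the option bytes are constructed, not captured traffic. The check_len flag selects between the assumed vulnerable consumer and a hardened form that rejects an MTU option whose length is not 2 (the precise upstream fix is not reproduced; this is one way to close the gap).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define L2CAP_CONF_MTU      0x01   /* option type: Maximum Transmission Unit */
#define L2CAP_CONF_OPT_SIZE 2      /* type byte + length byte */

/* Configuration option TLV as received over the air (simplified model). */
struct l2cap_conf_opt {
    uint8_t type;
    uint8_t len;
    uint8_t val[];
};

/*
 * Model of the kernel helper. 'val' is dual-use: for len 1, 2 or 4 it holds
 * the option value; for any other len it holds a pointer to the value bytes
 * inside the receive buffer. Returns the total option length consumed.
 */
static int l2cap_get_conf_opt(uint8_t **ptr, int *type, int *olen, unsigned long *val)
{
    struct l2cap_conf_opt *opt = (struct l2cap_conf_opt *)*ptr;
    int len = L2CAP_CONF_OPT_SIZE + opt->len;

    *ptr += len;
    *type = opt->type;
    *olen = opt->len;

    switch (opt->len) {
    case 1:
        *val = opt->val[0];
        break;
    case 2:
        *val = (unsigned long)opt->val[0] | ((unsigned long)opt->val[1] << 8);
        break;
    case 4:
        *val = (unsigned long)opt->val[0] | ((unsigned long)opt->val[1] << 8) |
               ((unsigned long)opt->val[2] << 16) | ((unsigned long)opt->val[3] << 24);
        break;
    default:
        *val = (unsigned long)opt->val;   /* by reference: an address in the buffer */
        break;
    }
    return len;
}

/*
 * Walk the options of a configuration response and return the MTU that the
 * consumer would accept and later echo back to the peer. With check_len == 0
 * this mirrors the vulnerable consumer, which assumes an MTU option's 'val'
 * is a 16-bit number; with check_len != 0 it rejects any MTU option whose
 * length is not 2, so 'val' is never a pointer when it is used by value.
 * Returns 0 when no MTU option was accepted.
 */
static uint16_t parse_conf_mtu(uint8_t *data, size_t size, int check_len)
{
    uint8_t *ptr = data, *end = data + size;
    uint16_t mtu = 0;

    while ((size_t)(end - ptr) >= L2CAP_CONF_OPT_SIZE) {
        struct l2cap_conf_opt *opt = (struct l2cap_conf_opt *)ptr;
        int type, olen;
        unsigned long val;

        if ((size_t)(end - ptr) < (size_t)(L2CAP_CONF_OPT_SIZE + opt->len))
            break;   /* truncated option: out of scope for this bug, just stop */

        l2cap_get_conf_opt(&ptr, &type, &olen, &val);

        switch (type) {
        case L2CAP_CONF_MTU:
            if (check_len && olen != 2)
                break;           /* hardened: the length must match the type */
            mtu = (uint16_t)val; /* vulnerable: low 16 bits of a pointer if olen is 3 */
            break;
        default:
            break;               /* other option types are ignored in this model */
        }
    }
    return mtu;
}

/* Constructed inputs (not captured traffic). */
/* A well-formed MTU option: type 1, len 2, value 0x01F4 = 500 little-endian. */
static uint8_t benign_rsp[]  = { L2CAP_CONF_MTU, 2, 0xF4, 0x01 };
/* The crafted option from the advisory: type MTU but length 3. */
static uint8_t crafted_rsp[] = { L2CAP_CONF_MTU, 3, 0xAA, 0xBB, 0xCC };

/* Low 16 bits of the address of the crafted option's value bytes: exactly
 * what the vulnerable consumer reports as the "MTU" and echoes to the peer. */
static uint16_t expected_leak(void)
{
    return (uint16_t)(uintptr_t)&crafted_rsp[L2CAP_CONF_OPT_SIZE];
}

int main(void)
{
    printf("benign  mtu:              %u\n", parse_conf_mtu(benign_rsp, sizeof benign_rsp, 0));
    printf("crafted mtu (vulnerable): 0x%04x, low 16 bits of &val: 0x%04x\n",
           parse_conf_mtu(crafted_rsp, sizeof crafted_rsp, 0), expected_leak());
    printf("crafted mtu (hardened):   %u\n", parse_conf_mtu(crafted_rsp, sizeof crafted_rsp, 1));
    return 0;
}
```

In the real kernel the buffer is SKB data, so the two echoed bytes are the low half of a heap address; in this model they are the low half of a static buffer's address, which is enough to show that the "MTU" the peer receives is address material rather than a negotiated value. The hardened path does nothing more than refuse to consume 'val' by value when its length says it is a reference.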

Credits

Shlomi Oberman, Yuli Shapiro and Karamba Security Ltd. research team

Reference(s)

Linux kernel: Bluetooth: two remote infoleaks (CVE-2019-3459, CVE-2019-3460)
https://seclists.org/oss-sec/2019/q1/58

[PATCH 1/2] Bluetooth: check message types in l2cap_get_conf_opt
https://lore.kernel.org/linux-bluetooth/20190110062833.GA15047@kroah.com/

CVE-2019-3459
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3459

CVE-2019-3459
https://nvd.nist.gov/vuln/detail/CVE-2019-3459

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 15, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.