Microsoft addressed a Remote code execution vulnerability on their Bluetooth service on March 2023 Patch Tuesday.
This vulnerability could allow an unauthorized threat actor to run a certain function on the Windows Bluetooth driver, which could lead to executing arbitrary code on the vulnerable system.
This issue was associated with Bluetooth Low Energy and advertising to provide a brief insight.
According to the reports shared with Cyber Security News, BLE is used to send large amounts of data in short periods using BLE protocols.
On the other hand, Advertising is used by BLE-compatible devices to broadcast data for different purposes, including allowing scanning devices to detect these compatible devices.
This transmission of data is done in three steps with the first one being the advertising host setting up advertising parameters among which one of them is the advertising data.
The second step involves a BLE packet containing this advertising data transferred between the controllers.
Whereas the third one is the receiving sending a HCI event containing advertising data to the host.
Two HCI events, LE Advertising Report and LE Extended Advertising Report, perform the transfer of advertising data to the host.
Windows Bluetooth Stack consists of multiple different drivers, services and user-mode libraries that are quite complex in their architecture.
The advertising data with several pieces of information is received by the BLE-compatible device and is parsed in different places.
There are two functions in this library which play a major role in parsing the advertising data which are, BTHLELib ADValidateEx and BthLeLib ADValidateBasic.
BTHLELib ADValidateEx is the function that external modules call for transforming the advertisement data into a more suitable format.
BthLeLib ADValidateBasic ensures each advertisement section has the correct length and does not extend past the end of the data.
Further, it also counts the total number of sections in the data which BthLELib ADValidateEx then uses to allocate memory for the array of output sections.
This is where the vulnerability lies which is triggered when a 8-bit unsigned integer having more than 255 sections in the data will result in variable overflow.
This will result in out-of-bounds write vulnerability when the data from individual sections is copied into the memory that must belong to the section array.
The execution of this vulnerability with 257 empty section advertisement data is sent to the vulnerable system that will cause the BthLeLib ADValidateBasic, num sections to be equal to 1, and the amount of memory allocated for the sections array will be 0x153 bytes.
This vulnerability is more likely exploitable by threat actors due to several facts like full control of the advertising data that can be used to control the number of sections in data to make the allocation fall into any heap that they want.
Windows Server 2022 Windows 10 version 22H2 Windows 11 version 21H2 Windows 11 version 22H2 Windows 10 version 20H2. Users of these Windows products are recommended to upgrade to their latest version to prevent unauthorized exploitation of this vulnerability by threat actors.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 26 Jun 2024 19:10:18 +0000