Windows Bluetooth Service RCE Vulnerability
According to the reports shared with Cyber Security News, BLE is used to send large amounts of data in short periods using BLE protocols.
On the other hand, Advertising is used by BLE-compatible devices to broadcast data for different purposes, including allowing scanning devices to detect these compatible devices.
Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot
Advertising information that is broadcasted by devices including several pieces of information such as the name of the device, ID of the manufacturer, type and capabilities of the device, and indicators that inform the receiving device on the connection possibilities.
This transmission of data is done in three steps with the first one being the advertising host setting up advertising parameters among which one of them is the advertising data.
The second step involves a BLE packet containing this advertising data transferred between the controllers. Whereas the third one is the receiving sending an HCI (Host Controller Interface) event containing advertising data to the host.
Two HCI events, LE Advertising Report and LE Extended Advertising Report, perform the transfer of advertising data to the host.
Vulnerability Analysis
Windows Bluetooth Stack consists of multiple different drivers, services, and user-mode libraries that are quite complex in their architecture.
However, the advertising data with several pieces of information is received by the BLE-compatible device and is parsed in different places.
For this, Microsoft has implemented a static library that is linked into the modules.
There are two functions in this library which play a major role in parsing the advertising data which are, BTHLELibADValidateEx and BthLeLibADValidateBasic.
BTHLELib_ADValidateEx is the function that external modules call for transforming the advertisement data into a more suitable format.
BthLeLib_ADValidateBasic ensures each advertisement section has the correct length and does not extend past the end of the data.
Further, it also counts the total number of sections in the data which BthLELib_ADValidateEx then uses to allocate memory for the array of output sections.
This is where the vulnerability lies which is triggered when an 8-bit unsigned integer having more than 255 sections in the data will result in variable overflow.
This eventually leads to a count value lower than the actual number of sections that will also cause the amount of memory allocated for the sections array lower than expected.
This will result in an out-of-bounds write vulnerability when the data from individual sections is copied into the memory that must belong to the section array.
The execution of this vulnerability with 257 empty section advertisement data is sent to the vulnerable system that will cause the BthLeLibADValidateBasic, numsections to be equal to 1, and the amount of memory allocated for the sections array will be 0x153 bytes.
Further, the 257 iterations will result in a length of the variable larger than the allocated buffer which will be overwritten at offset 0x153 past the end of the memory.
However, this vulnerability was fixed by exiting BthLeLibADValidateBasic with an error if *outnum_sections ever reaches 255 on their Patch Tuesday of March 2023.
Further, a proof-of-concept for this vulnerability has also been published on GitHub.
This vulnerability is more likely exploitable by threat actors due to several facts like full control of the advertising data that can be used to control the number of sections in data to make the allocation fall into any heap that they want.
Products affected by this vulnerability include:
- Windows Server 2022
- Windows Server 2022 (Server Core Installation)
- Windows 10 version 22H2 (ARM, x64)
- Windows 11 version 21H2 (ARM, x64)
- Windows 11 version 22H2 (ARM, x64)
- Windows 10 version 20H2 (ARM)
Users of these Windows products are recommended to upgrade to their latest version to prevent unauthorized exploitation of this vulnerability by threat actors.
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free
