Reproduction of CVE-2019-11516

[wuruoyu]

Hi,

Thank you for providing the script to trigger this vulnerability. I have a little question concerning the reproduction of CVE-2019-11516. Could you help me check if I am doing anything wrong? Or have this CVE been patched on Nexus 5? The following is my setup and procedures:

I use the evaluation board CYW20735 as an attacking platform to attack Nexus 5. The target Nexus 5 is with Android version 6.0.1, Android security patch level October 5, 2016 and kernel version Sep 19 2016. The InternalBlue shows that 113 (0 - 112) slots have been used for patchram in the firmware. I am not sure if it is patched or not.

1. Attach eval board to Linux and load the modified firmware. loadelf projects/CYW20735B1/gen/CVE_2019_11516.patch
2. Keep the Bluetooth setting on Nexus 5 open, which shows the available devices and the paired devices. It is to make sure the Nexus 5 is in inquiry scan mode.
3. Run the provided script for a while: sudo bash projects/CYW20735B1/patch/CVE_2019_11516.sh hci1 BT_ADDR, where BT_ADDR is the MAC address of Nexus 5.
4. L2ping the Nexus 5: sudo l2ping -i hci0 BT_ADDR. I noticed it in the youtube video. I also noticed that l2ping is used twice: ./l2ping is used for the second time. I am wondering if it is a modified version of l2ping.

The nexus 5 does not crash as expected. It would be very great if you could provide some hints. Thank you in advance!

Respectfully, Ruoyu

[bolek42]

Hi Ruoyu,

Thanks for checking out the PoC. The Nexus 5 with your Android Version should be vulnerable. The code in the repository should therefore crash the chip if the exploit runs successfully. I assume that you are using a non-modified version with #define crash_only. For most of the part, your procedure looks good. However, there are some things you can do for troubleshooting:

• In step 1 you will be asked Found nonzero entry point 0x272259. Execute?. Ensure to answer Yes, this will install the required hooks.
• In step 2 ensure that a Bluetooth Classic device shows up called Eval.
• If the device is listed, run info heap verbose in internal blue on the Nexus 5. It should show that the block buffer BLOC[2] @ 0x205E28: 264 10 / 10 2680 @ 0x217CE4 is partially corrupted. Alternatively, you can show the free-list using telescope --length 1 0x00205e38. It should terminate with 0xdeadbee2. This way you can ensure the memory corruption has triggered.
• Crashing the device is the most tricky part and most likely the step, where the demo fails. It is required to have three parallel connections. As we are using one device, it is a race between connection setups and timeouts. You can see in Internalblue when a device connects and disconnect and see if there were three parallel connections at one point in time. If this fails over and over again, you can try to use multiple devices.
• Working from a clean state also helps. So resetting both controllers before attempting the exploit is recommended.

If you still have issues, feel free to ask. If you have Internalblue outputs for both devices, this would be helpful.

Regarding your question about ./l2ping you are right, this was a patched version. However, this should only be relevant if you are using #define bcm4335c0_rce. For the Nexus 5 we have experimented with some payloads and implemented one that does not crash the chip and brings it back to an operational state. It installs a backdoor, that checks the received L2CAP payload for the magic value 0xdeadc0de. If the value is detected, the packet payload is executed. I have added the patched version at here.

best regards and good luck, Jan

[jiska2342]

Hi @wuruoyu,

not sure if this ticket is still relevant. @bolek42 and me just tested the scripts against a few targets (Nexus 5, Samsung Galaxy S8 without security updates) and they are still running. The steps you need to do/confirm are roughly as follows:

• Compile the CYW20735 project
• If you ever touched the board with WICED Studio 6.2, revert it to the hello_sensor default application. You should have patch slots 00-23 in use with this app.
• Attach the board.
• Press the center button (reset) on the board.
• Attach with btattach
• Set the interface up
• Load the patch file for the CVE
• Run the shell script. Do not press enter yet.
• Start the device scan on your traget.
• Once you see Eval in the devices, press Enter.

...hope that helps :)

There has never been a patch for the Nexus 5. The Samsung Galaxy S8 has been patched in fall 2019.

[wuruoyu]

Thank you! I have figured out a way to reproduce this CVE (but actually forgot :p). Thank you for bringing this up and really appreciate your help!