According to the reports shared with Cyber Security News, Bluetooth Low Energy (BLE) is used to send large amounts of data in short periods using BLE protocols. On the other hand, advertising is used by BLE-compatible devices to broadcast data for different purposes, including allowing scanning devices to detect these compatible devices.
Advertising information that is broadcasted by devices includes several pieces of information such as the name of the device, ID of the manufacturer, type and capabilities of the device, and indicators that inform the receiving device on the connection possibilities. This transmission of data is done in three steps with the first one being the advertising host setting up advertising parameters among which one of them is the advertising data. The second step involves a BLE packet containing this advertising data transferred between the controllers. Whereas the third one is the receiving sending an HCI (Host Controller Interface) event containing advertising data to the host.
Vulnerability Analysis
Windows Bluetooth Stack consists of multiple different drivers, services, and user-mode libraries that are quite complex in their architecture. However, the advertising data with several pieces of information is received by the BLE-compatible device and is parsed in different places.
For this, Microsoft has implemented a static library that is linked into the modules. There are two functions in this library which play a major role in parsing the advertising data which are, BTHLELibADValidateEx and BthLeLibADValidateBasic. BTHLELib_ADValidateEx is the function that external modules call for transforming the advertisement data into a more suitable format. BthLeLib_ADValidateBasic ensures each advertisement section has the correct length and does not extend past the end of the data.
Further, it also counts the total number of sections in the data which BthLELib_ADValidateEx then uses to allocate memory for the array of output sections. This is where the vulnerability lies which is triggered when an 8-bit unsigned integer having more than 255 sections in the data will result in variable overflow. This eventually leads to a count value lower than the actual number of sections that will also cause the amount of memory allocated for the sections array lower than expected.
This will result in an out-of-bounds write vulnerability when the data from individual sections is copied into the memory that must belong to the section array. The execution of this vulnerability with 257 empty section advertisement data is sent to the vulnerable system that will cause the BthLeLibADValidateBasic, numsections to be equal to 1, and the amount of memory allocated for the sections array will be 0x153 bytes. Further, the 257 iterations will result in a length of the variable larger than the allocated buffer which will be overwritten.
The implications of this Windows Bluetooth Service RCE Vulnerability are significant, as it could potentially allow attackers to execute arbitrary code on affected systems. The complexity of Windows Bluetooth Stack makes it a challenging task to address such vulnerabilities swiftly. However, understanding these vulnerabilities and their mechanisms can help in developing more robust security measures.
In light of these findings, it is crucial for organizations to stay vigilant and keep their systems updated with the latest patches provided by Microsoft. Additionally, participating in webinars and training sessions on API vulnerability scanning for OWASP API Top 10 vulnerabilities can provide valuable insights into protecting against such threats.
