It is just a broken memcpy in the Bluetooth stack. Do we really need to fix that?
Bluetooth is one of the core technologies these days used by billions of devices. Due to the nature of wireless technologies, it is an interesting target for attackers. Recently there was put a lot of effort in reverse engineering Broadcom and Cypress Bluetooth Controllers. Most famous, the InternalBlue tool developed by Dennis Mantz for firmware debugging.
In this talk, I want to take you on a journey that started over a year ago. During my time at SEEMOO, we started emulating the firmware to further understand the internals and interaction with the host system. The emulated firmware can even be attached to a Linux based operating system and fed with random packets. During development, we found two memory corruptions within the Firmware, whereas one was exploited for Remote Code Execution on the Controller (CVE-2019-11516). This bug was in the wild for over 9 years. During the disclosure process, we found that it was fixed internally by the vendor over a year ago. But no patches reached the customers. Only after contacting Google and Apple directly, patches were distributed.
By further fuzzing the firmware, we stumbled across a crash in Android by accident (CVE-2020-0022). After building a full Zero-Click-Exploit we prepared our writeup for responsible disclosure. After some digging, guess what we found hiding in the master branch…