Please Make a Dentist Appointment ASAP: Attacking IOBluetoothFamily HCI and Vendor-Specific Commands

Presented at Black Hat Europe 2020 Virtual, Dec. 10, 2020, 2:20 p.m. (40 minutes)

In order to control the firmware link manager and baseband controller, Bluetooth stacks usually abstract a set of command interfaces called the Host-Controller Interface (HCI). Through these interfaces, the host can access and modify control registers and hardware status on the SoC side. In addition to common inquiry, reset and other basic control functions, HCI generally allows callers to send vendor-specific commands and events in the form of raw data. These undocumented interfaces further introduce potential attack surfaces to the system.

Since HCI is open to low-privileged processes, the InfoSec community has always been concerned about the security impact of these interfaces. In recent years, binary auditing and fuzzing against drivers such as IOBluetoothFamily have never stopped. We can also see this in the output of IDA Pro/Hex-Rays: the routine IOBluetoothHCIUserClient::ValidParameters has expanded from 300 lines of code on macOS High Sierra to more than 3000 lines on macOS Catalina. With the joint efforts of Apple and the security community, hunting for new vulnerabilities is not an easy task.

This presentation will share more than a dozen IOBluetoothFamily HCI kernel zero-day vulnerabilities, most of which have been hidden in plain sight for a long time. One of them is very similar to the well-known Win32K User Mode Callback vulnerability; this design flaw affects all HCI handlers (more than 200). Furthermore, due to the existence of raw data requests, we can also attack undocumented vendor commands, and I will show an interesting overflow case about the Broadcom LE Meta VSC.

Presenters:

  • Yu Wang - Senior Staff Engineer, Didi Research America
    Yu Wang is a senior staff engineer at Didi Research America. He loves everything related to OS kernels, from kernel architecture, device driver development and rootkit/anti-rootkit solutions to vulnerability hunting and exploitation. He has previously presented at SyScan360 2012/2013, HITCON 2013, Black Hat USA 2014 & 2020, Black Hat ASIA 2016, DEF CON 26 and other conferences.
