AndroidÀ¶ÑÀ×é¼þ·ì϶Á¬Á¬¿´

°ä²¼¹¦·ò 2018-08-15

1¡¢¸ÅÊö

 

        AndroidϵͳÖÐ £¬À¶ÑÀ×é¼þÄܹ»ËµÊǰ²È«·ì϶³ÁÔÖÇø £¬2017ÄêArmisSecurity°²È«ÍŶӰ䲼BlueBorne×éºÏ·ì϶¹¥»÷Á´Äܹ»Í¨¹ýÀ¶ÑÀ¶ÔÖÇÄÜÊÖ»ú½øÐÐÔ¶³Ì¹¥»÷ £¬·çÏÕÐÔ¼«´ó¡£½ñÄêÈýÔ·ݵÄAndroid°²È«²¼¸æÖÐ £¬ÏµÍ³²ã·ì϶ȫÊý¶¼ÊÇÀ¶ÑÀ×é¼þ·ì϶ £¬×ܹ²10¸ö¡£·ì϶¶àÉ¢²¼ÔÚSDP£¨·þÎñ·¢ÏÖºÍ̸£©ºÍBNEP£¨À¶ÑÀÍøÂç·â×°ºÍ̸£©ÖÐ £¬²¢ÇÒ·ì϶ÀàÐͶàÊÇÄÚ´æÔ½½ç¶Áд¡£ËÄÔ·ݵݲȫ²¼¸æÖÐ £¬×ܹ²ÓÐ7¸öÀ¶ÑÀ×é¼þ·ì϶ £¬¶àÉ¢²¼ÔÚAVRCP£¨ÒôƵ/ÊÓÆµÔ¶³Ì½ÚÔìÅäÖÃÎļþ£©ºÍ̸ÖС£ÁùÔÂ·ÝºÍÆßÔ·ÝAndroid °²È«²¼¸æÖÐÒÀÈ»Åû¶Á˶à¸öÀ¶ÑÀ×é¼þ·ì϶ £¬Éæ¼°À¶ÑÀºÍ̸ջÖжà¸öºÍ̸ £¬Éæ¼°µÄÔ´Âë°æ±¾Îª6.0¡¢ 6.0.1¡¢ 7.0¡¢ 7.1.1¡¢7.1.2¡¢ 8.0¡¢ 8.1 £¬¸²¸ÇÁìÓò½Ï¹ã¡£

 

        ±¾ÎĽ«½éÉÜÀ¶ÑÀºÍ̸ջÖеÄL2CAPºÍ̸ºÍSMPºÍ̸ £¬²¢¶ÔCVE-2018-9359ºÍCVE-2018-9365ÕâÁ½¸ö·ì϶°¸Àý½øÐоßÌå·ÖÎö¡£

 

2¡¢ºÍ̸¼ò½é

 

2.1 L2CAP

 

        L2CAP£¨Logical Link Control and Adaptation Protocol£©³ÆÎªÂß¼­Á´Â·ºÍÊÊÅäºÍ̸ £¬ÊÇÀ¶ÑÀϵͳÖеÄÖ÷ÌâºÍ̸ £¬Î»ÓÚÊý¾ÝÁ´Â·²ã¡£L2CAPͨ¹ýºÍ̸¶à·Ö¸´ÓᢷֶκͳÁ×é £¬Ïò¸ß²ãÌá¹©ÃæÏòÏνӺÍÎÞÏνӵÄÊý¾Ý·þÎñ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

 

2.1.1 L2CAPÊý¾Ý°üÌåʽ

 

        L2CAPÊÇ»ùÓÚ·Ö×éµÄ £¬µ«Ò²×ñÑ­ÐÅ·´«ÊäµÄͨѶģÐÍ¡£L2CAPÖ§³ÖµÄÐÅ·ÓÐÁ½ÖÖ£ºÃæÏòÏνӵÄÐÅ·ºÍÃæÏòÎÞÏνӵÄÐÅ·¡£ÔÚÃæÏòÏνӵÄÐÅ·ÖÐ £¬L2CAPÊý¾Ý°üµÄÌåʽÈçÏÂͼËùʾ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

 

       Êý¾Ý°üÖÐÿ¸ö×ֶεÄ×¢Ã÷ÈçÏÂËùʾ£º

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

 

2.1.2 L2CAPÐÅÁî

 

       

Á½Ì¨À¶ÑÀÉ豸ͨ¹ýL2CAPºÍ̸ͨѶʱ £¬ËùÓеÄÐÅÁî¶¼±»·¢Ë͵½CIDΪ0x0001µÄÐÅ·ÖС£L2CAPÐÅÁîµÄÌåʽÈçÏÂËùʾ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

      

  L2CAPÐÅÁîÖÐÿ¸ö×ֶεÄ×¢Ã÷ÈçÏÂËùʾ£º

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

      

  L2CAPºÍ̸¹²ÓÐ12ÖÖÐÅÁîÀàÐÍ £¬¸÷ÐÅÁîµÄ×÷ÓÃÈçϱíËùʾ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

       

Áí±í £¬¶à¸öÐÅÁîÄܹ»ÔÚͳһ¸öÖ¡Öз¢ËÍ £¬ÈçÏÂͼËùʾ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

 

2.2 SMP

 

        SMP£¨Security Manage Protocol£©ÊÇÀ¶ÑÀºÍ̸ջÖеݲȫÖÎÀíºÍ̸ £¬ÕƹÜÀ¶ÑÀÉ豸֮¼äµÄÅä¶ÔºÍÃÜÔ¿·ÖÅä¡£

       

SMPºÅÁîÌåʽÈçÏÂͼËùʾ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

      

  ÆäÖÐ £¬Code×Ö¶ÎΪһ¸ö8bit £¬±êʶºÅÁîµÄÀàÐÍ¡£SMPºÅÁîµÄÀàÐÍÈçϱíËùʾ¡£Data×Ö¶ÎÔÚ³¤¶ÈÉÏÊǿɱäµÄ £¬ Code×ֶξö¶¨Data×ֶεÄÌåʽ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

 

3¡¢·ì϶µÀÀí·ÖÎö

 

3.1 CVE-2018-9359

 

£¨ÒÔÏ·ÖÎö»ùÓÚandroid-8.0.0_r4°æ±¾Ô­Â룩

 

        CVE-2018-9359·ì϶λÓÚL2CAPºÍ̸Ä£¿é £¬·ì϶ÀàÐÍÊÇÔ½½ç¶Á¡£Äܹ»Í¨¹ý¹È¸è¹Ù·½²¼¸æ¿´µ½·ì϶²¹¶¡¡£·ì϶²¹¶¡´úÂëλÓÚ/stack/l2cap/l2c_main.ccÎļþÖеÄprocess_l2cap_cmdº¯ÊýÖÐ £¬¸Ãº¯ÊýÖØÒªÖ°ÄÜÊÇ´¦ÖýӹܵÄL2CAPºÍ̸µÄÐÅÁî°ü¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

       

 ´Ó´úÂë291ÐÐÆðÍ· £¬whileÑ­»·½âÎöL2CAPÊý¾Ý°üÖÐËùÓеÄCOMMANDºÅÁî¡£Ê×ÏÈ¿´Ò»ÏÂÁ½¸öºê½ç˵£ºSTREAM_TO_UINT8´ÓpÖ¸ÏòµÄÊý¾Ý°üÖжÁÈ¡1¸ö×Ö½Ú £¬pÖ¸Õë¼Ó1£»STREAM_TO_UINT16ÿ´Î´ÓpÖ¸ÏòµÄÊý¾Ý°üÖжÁÈ¡2¸ö×Ö½Ú £¬pÖ¸Õë¼Ó2¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

       

·¨Ê½Å²Óúê˳´Î´ÓpÖ¸ÏòµÄÊý¾Ý°üÖжÁÈ¡cmd_code¡¢idºÍcmd_len×Ö¶Î,´ËʱpÓ¦¸ÃÖ¸ÏòdataÊý¾ÝÓòµÄ¿ªÍ·¡£

       

 µ±Code=0x1 £¬´ú±íCommand rejectÊý¾Ý°ü £¬Êý¾Ý°ü½ç˵ÈçÏÂËùʾ¡£µ±Length²»Îª0 £¬dataÊý¾ÝÓòÖÐÔ̺¬Á½¸ö×ֶΣºReason×Ö¶Î(2×Ö½Ú)ºÍData×ֶΡ£

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

        ´¦ÖÃCommand rejectÊý¾Ý°üµÄ·ÖÖ§´úÂëÈçÏ£º

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

      

  ´Ó´úÂëÄܹ»¿´³ö £¬·¨Ê½Ã»ÓÐÅжϸúÅÁî°üÊÇ·ñ´æÔÚdataÊý¾ÝÓò £¬ÔÚ334ÐÐÖÐÖ±½ÓʹÓúê¶ÁÈ¡2¸ö×Ö½ÚµÄrej_reason¡£Òò¶øÔÚÄÚ´æ¶ÑÖвúÉúÔ½½ç¶Á·ì϶¡£

 

        ÕâÀïÒ²Ö»ÊDzúÉúÁËÄÚ´æÔ½½ç¶ÁÈ¡ £¬Ã»Óн«¶ÁÈ¡µÄÊý¾Ýй¶µ½¿Í»§¶ËÖС£ÏÂÃæÕÒµ½·¢ËÍ·µ»Ø°üµÄ´úÂë £¬²é¿´ÈôºÎ²úÉúÄÚ´æÐ¹Â©¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

        ´Ó378ÐдúÂëÆðÍ·ÊǽâÎöL2CAP_CMD_CONN_REQºÅÁî·ÖÖ§ £¬379ÐдúÂë £¬ÏÈÔ½½ç¶ÁÈ¡Á½¸ö×Ö½ÚµÄcon_info.psm £¬380ÐдúÂëÔ½½ç¶ÁÈ¡Á½¸ö×Ö½ÚµÄrcid¡£381ÐÐŲÓÃl2cu_find_rcb_by_psmº¯Êýͨ¹ýcon_info.psmÈ¥±éÀúѰÕÒ×¢²á½ÚÔì¿éµØÖ·¡£ÕâÀïµ¥Ò»½éÉÜÒ»ÏÂPSMÕâ¸ö¸ÅÏë¡£

 

        PSMÈ«³ÆÎªProtocol/ServiceMultiplexer £¬PSMµÄ³¤¶ÈÖÁÉÙÊÇ2×Ö½Ú £¬ËüµÄÖµ¸Ãµ±ÊÇÆæÊý £¬¾ÍÊÇ×îµÍµÄbyteµÄ×îµÍλ±ØÐëΪ1¡£Áí±í £¬PSMµÄ×î¸ßbyteµÄ×îµÍλ¸Ãµ±Îª0¡£ËüÄܹ»±È2×Ö½Ú³¤ £¬PSMÓÉÁ½¸öÁìÓò¶Î×é³É £¬µÚÒ»¸öÁìÓò¶ÎÊÇSIGÓÃÀ´°µÊ¾¶ÔÓ¦protocolµÄ £¬µÚ¶þ¸öÁìÓò¶ÎÊǶ¯Ì¬ÉêÇëµÄºÍSDP½áºÏʹÓá£Õâ¸öÖµÓÃÀ´Ö§³ÖÌØ¶¨protocolµÄ·ÖÆçʵÏÖ¡£ËùÒÔ £¬ÔÚÉêÇëPSMµÄʱ³½¶¼ÊÇ´Ó0x1001ÆðÍ·ÉêÇëµÄ¡£Ô­Òò¾ÍÊÇ0x0001~0x0eff¶¼ÊDZ»SIG±£ÁôµÄ¡£ÄÇôÕâЩ±£ÁôµÄÖµ¶¼¸÷×Ô¶ÔÓ¦ÁËÄÄЩprotocolÄØ£¿¾ßÌå¼ûÏÂͼ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

       

 ´úÂë382ÐÐÅжÏp_rcbÊÇ·ñΪNULL £¬ÈôÊÇΪ¿Õ¾ÍŲÓÃl2cu_reject_connectionº¯Êý £¬¾ßÌ忴һϸú¯Êý´úÂë¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

       

´Ó´úÂë520Ðе½523ÐÐ £¬Í¨¹ýºêUINT6_TO_STREAM½«Êý¾ÝдÈëpÖ¸ÏòµÄÄÚ´æÖС£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

       

 ÆäÖÐremote_cid¾ÍÊÇ֮ǰԽ½ç¶ÁÈ¡µÄÁ½¸ö×Ö½ÚÊý¾Ý¡£»ú¹ØºÃÏìÓ¦Êý¾Ý°üºó £¬´úÂë525ÐÐŲÓÃl2c_link_check_send_pkts½«ÏìÓ¦°ü·¢Ë͵½¿Í»§¶Ë¡£

       

ÔÚÁùÔ·Ýandroid°²È«²¼¸æÖÐ £¬CVE-2018-9359¡¢CVE-2018-9360¡¢CVE-2018-9361Èý¸ö·ì϶µÄ²¹¶¡ÊÇÒ»ÑùµÄ¡£²¿ÃŲ¹¶¡´úÂëÈçÏ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

      

  Äܹ»¿´³ö £¬²¹¶¡ÖÐÔö³¤Á˳¤¶ÈÅжÏ¡£ÈôÊÇp+2>p_next_cmd²»ÎªÕæ £¬×¢Ã÷´æÔÚdataÊý¾ÝÓò £¬¶øºó²ÅÆðÍ·¶ÁÈ¡×Ö½Ú¡£

 

3.2 CVE-2018-9365

 

£¨ÒÔÏ·ÖÎö»ùÓÚandroid-8.0.0_r4°æ±¾Ô­Â룩

 

CVE-2018-9365ÊÇSMP£¨security manager protocol£©ºÍ̸ÖÐÒ»¸öÊý×éÔ½½ç·ì϶¡£¸Ã·ì϶³Ê´Ë¿Ìsmp_sm_eventº¯ÊýÖÐ £¬´úÂëõ辶Ϊ£º\smp\smp_main.cc¡£¹È¸è¹Ù·½²¹¶¡´úÂëÈçÏ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

      

  ´Ó²¹¶¡ÖÐÄܹ»¿´µ½ £¬ÕâÀïÅжÏÁËp_cb->roleÊÇ·ñ´óÓÚ1 £¬ÈôÊÇ´óÓÚ1±¨´í·µ»Ø £¬²¹¶¡´úÂëÏÂÒ»ÐоÍÊÇÒÔp_cb->roleΪϱêÔÚsmp_entry_tableÊý×éÖвéÕÒ¡£Smp_entry_tableÊý×é½ç˵ÈçÏ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

       

Äܹ»¿´µ½ £¬smp_entry_tableÊý×éÖÐÖ»ÓÐÁ½Ïî £¬Ò»¸öÊÇÕë¶ÔÖ÷É豸 £¬Ò»¸öÊÇÕë¶Ô´ÓÉ豸¡£µ±º±¼û¾Ý°üͨ¹ýL2CAPÔÚSMPÐÅ·Öнӹܵ½Ê± £¬»áŲÓÃsmp_data_receivedº¯Êý½øÐд¦Öá£Smp_data_receivedº¯Êý´úÂëÈçÏ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

       

 ´úÂë146Ðж¨Î»µ½ÄÚ´æÖÐSMPÊý¾Ý°üµØÎ»¡£´úÂë150ÐÐͨ¹ýSTREAM_TO_UINT8ºêÈ¡³öcmd¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

        

µÚ160ÐдúÂëÅжÏcmdµÄÀàÐÍÊÇ·ñΪÅä¶ÔÒªÇóÖ¸Áî»òÕß°²È«ÒªÇóÖ¸Áî¡£ÈôÊÇÊÇ £¬µÚ164ÐÐÆðÍ·¶Ôp_cb->role½øÐи´Ô졣ͨ¹ýÃû³ÆÅÐ¶Ï £¬L2CA_GetBleConnRoleº¯ÊýÓ¦¸ÃÊÇͨ¹ýÀ¶ÑÀµØÖ·»ñÈ¡À¶ÑÀÉ豸µÄ½ÇÉ«ÐÅÏ¢¡£¶ÔÓÚÀ¶ÑÀÉ豸À´Ëµ £¬Ö»ÓÐÁ½ÖÖ½ÇÉ« £¬Ò»ÊÇÖ÷É豸½ÇÉ« £¬¶þÊÇ´ÓÉ豸½ÇÉ«¡£L2CA_GetBleConnRoleº¯Êý´úÂëÈçÏ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

     µÚ201Ðнç˵ÁËrole £¬Í¬Ê±¸ørole¸³ÖµÎªHCI_ROLE_UNKNOWN¡£ºê½ç˵ÈçÏÂËùʾ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

 

        RoleÏȱ»¸´ÔìΪ0xff £¬´úÂë205ÐÐÊÇͨ¹ýÀ¶ÑÀµØÖ·±éÀúѰÕÒp_lcb £¬ÈôÊÇp_lcbΪ¿Õ £¬ÔòÖ±½Ó·µ»ØHCI_ROLE_UNKNOWN¡£P_cb->role±»¸³ÖµÎª0xffºó £¬ºóÐø´úÂëÖ±½ÓŲÓÃÁËsmp_sm_eventº¯Êý¡£´úÂëÈçÏÂËùʾ¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

        ŲÓÃsmp_sm_eventº¯Êý £¬²¹¶¡Ç°µÄ´úÂëÔÚ957ÐÐÓÉÓÚûÓÐÅжÏp_cb->roleµÄ´óÓ× £¬µ¼ÖÂÊý×éÔ½½ç½Ó¼û¡£

 

28Ȧ-28Ȧ¹Ù·½ÍøÕ¾-ÏàÐÅÆ·ÅƵÄÁ¦Á¿

 

4¡¢×ܽá

 

        ͨ¹ý¶Ô¶à¸öÀ¶ÑÀ·ì϶µÄ·ÖÎö £¬·¢ÏÖAndroidÀ¶ÑÀ×é¼þÖеķì϶¶àÊǽÏΪµÍ¼¶µÄ´úÂëbugµ¼Ö嵀 £¬²¢ÇÒ·ì϶¶à³Ê´Ë¿Ì¶ÔÊý¾Ý°üµÄ½âÎö´úÂëÂß¼­ÖС£Õë¶ÔÅû¶µÄÕâô¶àÀ¶ÑÀ·ì϶ £¬°²×¿ÊÖ»úÓû§»¹Ðèʵʱ¸üйٷ½ÍÆË͵IJ¹¶¡ £¬½«°²È«Òþ»¼½µµÍµ½×îµÍ¡£

 

5¡¢ÓйØÁ´½Ó

 

[1] https://android.googlesource.com/platform/system/bt/+/b66fc16410ff96e9119f8eb282e67960e79075c8%5E%21/#F0

[2] https://android.googlesource.com/platform/system/bt/+/ae94a4c333417a1829030c4d87a58ab7f1401308%5E%21/#F0

[3] https://blog.quarkslab.com/a-story-about-three-bluetooth-vulnerabilities-in-android.html