重大的蓝牙漏洞,将导致超过50亿设备遭受黑客攻击[更新最新Crash的PoC]

BaCde  2389天前

最近,国外研究者发现蓝牙协议中存在8个0day漏洞,可影响包括Android、iOS、Windows、Linux系统及IOT设备。BlueBorne具有蠕虫传播特性,可以像WannaCry一样在世界范围内迅速蔓延。建议用户尽快升级系统,蓝牙不需要时尽量关闭。

目前Android版本的信息泄露的相关利用代码已经在网络中公开。地址:https://github.com/ojasookert/CVE-2017-0785/blob/master/CVE-2017-0785.py

2017.09.25 目前在网络中又公开一个Crash的PoC,可进行Dos(拒绝服务攻击)。PoC地址:http://0day.today/exploit/28593

621a7f1bgy1fjixvipeguj20c80d4wft.jpg

Bluetooth is one of the most popular short-range wireless communications technologies in use today and is built into many types of devices, from phones, smartwatches and TVs to medical equipment and car infotainment systems. Many of those devices are now at risk of being hacked due to critical flaws found in the Bluetooth implementations of the operating systems they use.

Over the past several months, a team of researchers from IoT security firm Armis have been working with Google, Microsoft, Apple and Linux developers, to silently coordinate the release of patches for eight serious vulnerabilities that could allow attackers to completely take over Bluetooth-enabled devices or to hijack their Internet traffic.

The flaws found by Armis are particularly dangerous because they can be exploited over the air without any type of authentication or device pairing. Simply having Bluetooth enabled on a device is enough to make it vulnerable if patches for these issues are not installed.

The attacks can be fully automated and they don't require any user interaction, as attackers can force vulnerable devices to open Bluetooth connections. In one scenario, the flaws can be used to build a worm-like attack where one compromised device automatically infects others when they come in its Bluetooth range. This can lead to the creation of massive botnets.

The Armis researchers have dubbed this new attack vector BlueBorne and they estimate that it affects over 5.3 billion devices. Furthermore, based on their discussions with vendors, they believe that 40% of the impacted devices will never be patched, either because they’re old and won’t receive firmware updates at all or because updating them is too complicated and users won’t bother.

The vulnerabilities are not located in the Bluetooth protocol itself, but in the individual Bluetooth implementations -- or stacks -- that are present in Android, Windows, Linux and iOS. Because of this, it doesn’t matter what version of the Bluetooth protocol a device supports -- they’re all affected, with the exception of those that support only Bluetooth Low Energy, also known as Bluetooth Smart.

The Armis team first stumbled across one of the flaws during their regular work on the company's security product, which helps organizations identify rogue or compromised IoT devices on their networks. The team then checked the similar code in other Bluetooth stacks and found additional vulnerabilities.

Four of the eight vulnerabilities were found in Android’s Bluetooth implementation, two in Linux, one in iOS and one in Windows. Their impact varies based on operating system.

“I think this is really just the tip of the iceberg as far as vulnerabilities in Bluetooth implementations go,” the Armis researchers said. “We feel that there are potentially other stacks affected by similar issues, but future research needs to be done to determine this.”

The vulnerability that affects the Bluetooth stack in Windows Vista and later does not lead to remote code execution but allows hackers to launch man-in-the-middle traffic interception attacks. Attackers can remotely force vulnerable Windows computers to set up a malicious Bluetooth-based network interface and route all of their communications through it. In this way, attackers can get all of a victim’s Internet traffic over Bluetooth.

Microsoft released security updates to address this vulnerability on supported Windows versions in July and customers who installed those updates are protected against this attack.

“We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates,” a Microsoft spokesperson said in an emailed statement.

An almost identical man-in-the-middle issue was found in the Android Bluetooth stack. However, Android’s implementation also has an information leak flaw and two remote code execution vulnerabilities.

Attackers can exploit the information leak problem in order to extract sensitive information from the device memory, information that can then help them exploit the remote code execution vulnerabilities and take complete control of the targeted devices. According to the Armis team, this attack would be completely invisible to the user.

“We have released security updates for these issues, and will continue working with other affected platforms across the industry to develop protections that help keep users safe,” Google said in an emailed statement.

Google releases security fixes for its Pixel and Nexus devices every month and also contributes those patches to the Android Open Source Project. Device manufacturers that are in the Android partner program receive security patches a month or more before they’re made public, to give them enough time to integrate them in their own Android-based firmware.

Even so, there are millions of Android devices out there that have long reached end of support and will not get these patches. Those devices will remain vulnerable to these Bluetooth attacks indefinitely.

目前已经有相关检测代码被公布,地址:https://github.com/h4ck0/blueborne/blob/master/bluebourne.java


引用:

[1] https://www.forbes.com/sites/lconstantin/2017/09/12/critical-bluetooth-flaws-put-over-5-billion-devices-at-risk-of-hacking/#381c46bd68b1

[2] https://m.weibo.cn/status/4151844597523886

[3]https://github.com/ojasookert/CVE-2017-0785/blob/master/CVE-2017-0785.py

[4] http://0day.today/exploit/28593

最新评论

昵称
邮箱
提交评论