
Please Make a Dentist Appointment ASAP: Attacking IOBluetoothFamily HCI and Vendor-Specific Commands

Conference: BlackHat EU 2020

2020-12-10

Summary

The presentation discusses several Bluetooth vulnerabilities found in Mac OS and the importance of effective vulnerability research and engineering practices.

  • Bluetooth vulnerabilities in Mac OS have been found repeatedly because of a lack of effective boundary checking and incomplete test cases
  • Undocumented commands and non-standard HCI implementations can lead to domino effects
  • Uninitialized memory dereference vulnerabilities can hide in plain sight and are difficult to find with traditional fuzzing methods
  • Proper thread design and command gate mechanisms are needed to protect Bluetooth-related data structures
  • Effective vulnerability research and engineering practices lead to better cybersecurity measures

The speaker found a vulnerability in the Mac OS kernel within 20 minutes of reverse engineering, highlighting the importance of effective vulnerability research. The speaker also emphasized the need for proper thread design and command gate mechanisms to protect Bluetooth-related data structures.

Abstract

In order to control the firmware link manager and baseband controller, Bluetooth stacks usually abstract a set of command interfaces called the Host-Controller Interface (HCI). Through these interfaces, the host can access and modify control registers and hardware status on the SoC side. In addition to inquiry, reset and other basic control functions, HCI mostly allows callers to send vendor-specific commands and events in the form of raw data. These undocumented interfaces further introduce potential attack surfaces to the system. Since HCI is open to low-privileged processes, the InfoSec community has always been concerned about the security impact of these interfaces. In recent years, binary auditing and fuzzing against drivers such as IOBluetoothFamily have never stopped. The output of IDA Pro/Hex-Rays shows this as well: the routine IOBluetoothHCIUserClient::ValidParameters has expanded from 300 lines of code on macOS High Sierra to more than 3000 lines on macOS Catalina. With the joint efforts of Apple and the security community, hunting for new vulnerabilities is not an easy task. This presentation will share more than a dozen IOBluetoothFamily HCI kernel zero-day vulnerabilities, most of which have been hidden in plain sight for a long time. One of them is very similar to the well-known Win32K User Mode Callback vulnerability; this design flaw affects all HCI handlers (more than 200). Furthermore, because raw data requests exist, we can also attack undocumented vendor commands, and I will show an interesting overflow case involving a Broadcom LE Meta VSC.
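As an added illustration of the boundary checking the abstract describes as missing, here is a minimal HCI command packet parser written for this page (it is not code from the talk or from IOBluetoothFamily). It assumes the standard HCI command packet layout from the Bluetooth Core specification, with OGF 0x3F marking vendor-specific commands, and the sample packets are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HCI command packet over the UART transport:
   [0x01][opcode low][opcode high][param_len][param_len bytes of params] */
#define HCI_CMD_PKT    0x01
#define HCI_OGF_VENDOR 0x3F   /* vendor-specific command group (raw data) */

typedef struct {
    uint16_t ogf;              /* opcode group field, upper 6 bits */
    uint16_t ocf;              /* opcode command field, lower 10 bits */
    uint8_t  param_len;        /* length declared by the caller */
    const uint8_t *params;     /* points into the caller's buffer */
    int vendor_specific;       /* 1 if the command belongs to OGF 0x3F */
} hci_cmd_t;

/* Returns 0 on success, a negative code on a malformed packet. The declared
   parameter length is checked against the bytes actually supplied before
   anything is indexed, which is the check the talk reports as missing. */
int hci_parse_cmd(const uint8_t *buf, size_t buf_len, hci_cmd_t *out) {
    if (buf == NULL || out == NULL) return -1;
    if (buf_len < 4) return -2;                    /* header incomplete */
    if (buf[0] != HCI_CMD_PKT) return -3;          /* not a command packet */
    uint16_t opcode = (uint16_t)(buf[1] | (buf[2] << 8));
    uint8_t plen = buf[3];
    if ((size_t)plen + 4 != buf_len) return -4;    /* declared vs actual */
    out->ogf = opcode >> 10;
    out->ocf = opcode & 0x03FF;
    out->param_len = plen;
    out->params = buf + 4;
    out->vendor_specific = (out->ogf == HCI_OGF_VENDOR);
    return 0;
}

/* Constructed samples: a standard HCI_Reset, a vendor-specific command with
   two parameter bytes, and a packet whose declared length exceeds its data. */
const uint8_t sample_reset[]     = {0x01, 0x03, 0x0C, 0x00};
const uint8_t sample_vendor[]    = {0x01, 0x01, 0xFC, 0x02, 0xAA, 0xBB};
const uint8_t sample_truncated[] = {0x01, 0x01, 0xFC, 0x05, 0xAA};

int main(void) {
    hci_cmd_t c;
    const uint8_t *pkts[] = {sample_reset, sample_vendor, sample_truncated};
    size_t lens[] = {sizeof sample_reset, sizeof sample_vendor, sizeof sample_truncated};
    for (size_t i = 0; i < 3; i++) {
        int rc = hci_parse_cmd(pkts[i], lens[i], &c);
        if (rc != 0) printf("packet %zu rejected (code %d)\n", i, rc);
        else printf("packet %zu: OGF 0x%02X OCF 0x%04X len %u vendor=%d\n",
                    i, c.ogf, c.ocf, c.param_len, c.vendor_specific);
    }
    return 0;
}
```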
