Please Make a Dentist Appointment ASAP: Attacking IOBluetoothFamily HCI and Vendor-Specific Commands presented at BlackHatEurope 2020

by Yu Wang

Summary: In order to control the firmware link manager and baseband controller, Bluetooth stacks usually abstract a set of command interfaces called the Host-Controller Interface (HCI). Through these interfaces, the host can access and modify control registers and hardware status on the SoC side. In addition to inquiry, reset and other basic control functions, HCI typically allows callers to send vendor-specific commands and events in the form of raw data. These undocumented interfaces further introduce potential attack surfaces to the system.

Since HCI is open to low-privileged processes, the InfoSec community has always been concerned about the security impact of these interfaces. In recent years, binary auditing and fuzzing against drivers such as IOBluetoothFamily have never stopped. This is also visible in the output of IDA Pro/Hex-Rays: the routine IOBluetoothHCIUserClient::ValidParameters has expanded from 300 lines of code on macOS High Sierra to more than 3000 lines on macOS Catalina. With the joint efforts of Apple and the security community, hunting for new vulnerabilities is not an easy task.

This presentation will share more than a dozen IOBluetoothFamily HCI kernel zero-day vulnerabilities, most of which have been hidden in plain sight for a long time. One of them is very similar to the well-known Win32K User Mode Callback vulnerability; this design flaw affects all HCI handlers (more than 200). Furthermore, due to the existence of raw data requests, we can also attack undocumented vendor commands, and I will show an interesting overflow case involving a Broadcom LE Meta VSC.