BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

mendesgeo
Posts: 7
Joined: Sun Dec 06, 2020 12:31 pm

BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

Postby mendesgeo » Sat Sep 04, 2021 8:17 am

Dear, all

Espressif has made available a patch for a BrakTooth Vulnerability which can trigger arbitrary code execution on ESP32 via
Bluetooth Classic (BR/EDR) for those using Espressif dual mode stack or HCI-UART mode with a third-party stack.
BrakTooth disclosure: https://asset-group.github.io/disclosures/braktooth/

ESP-IDF commit with the patch: https://github.com/espressif/esp-idf/tr ... 598d9fc172
Advisory from Espressif: https://www.espressif.com/sites/default ... visory.pdf

Video of the attack: https://www.youtube.com/watch?v=F7VjuOiUsNk

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

Postby WiFive » Sat Sep 04, 2021 7:56 pm

Thanks for info.

This is also nice:
As part of our work of reverse engineering ESP32 BT stack, we are releasing to the community a low-cost BT Classic (BR/EDR) Active Sniffer which is available at the following URL:

https://github.com/Matheus-Garbelini/es ... ic_sniffer

jki131
Posts: 5
Joined: Thu Feb 18, 2021 10:55 pm

Re: BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

Postby jki131 » Sun Sep 05, 2021 7:42 pm

Is there any information how sniffer work? There is no source code for esp32 firmware in gtihub repo.

mendesgeo
Posts: 7
Joined: Sun Dec 06, 2020 12:31 pm

Re: BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

Postby mendesgeo » Mon Sep 06, 2021 3:16 am

jki131 wrote:
Sun Sep 05, 2021 7:42 pm
Is there any information how sniffer work? There is no source code for esp32 firmware in gtihub repo.
Yes. Check again the repo. It was just updated.

andyn_ff
Posts: 18
Joined: Mon Jun 10, 2019 4:34 pm

Re: BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

Postby andyn_ff » Thu Nov 11, 2021 7:58 am

Thanks for posting the link to the advisory from Espressif. This was the only place I could actually find it.

Do you know how these get published by Espressif? Is there some list I can subscribe to to be alerted when one of these advisories is posted? I can't see if in their website's news section.

axellin
Posts: 199
Joined: Mon Sep 17, 2018 9:09 am

Re: BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

Postby axellin » Thu Nov 11, 2021 8:03 am

Subscribe the "Advisories" via https://www.espressif.com/en/subscribe

Who is online

Users browsing this forum: No registered users and 55 guests