BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

Posted: Sat Sep 04, 2021 8:17 am
by mendesgeo
Dear all,

Espressif has made available a patch for a BrakTooth vulnerability which can trigger arbitrary code execution on the ESP32 via
Bluetooth Classic (BR/EDR) for those using the Espressif dual-mode stack or HCI-UART mode with a third-party stack.
BrakTooth disclosure: https://asset-group.github.io/disclosures/braktooth/

ESP-IDF commit with the patch: https://github.com/espressif/esp-idf/tr ... 598d9fc172
Advisory from Espressif: https://www.espressif.com/sites/default ... visory.pdf

Video of the attack: https://www.youtube.com/watch?v=F7VjuOiUsNk

Re: BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

Posted: Sat Sep 04, 2021 7:56 pm
by WiFive
Thanks for the info.

This is also nice:
As part of our work of reverse engineering ESP32 BT stack, we are releasing to the community a low-cost BT Classic (BR/EDR) Active Sniffer which is available at the following URL:

https://github.com/Matheus-Garbelini/es ... ic_sniffer

Re: BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

Posted: Sun Sep 05, 2021 7:42 pm
by jki131
Is there any information on how the sniffer works? There is no source code for the ESP32 firmware in the GitHub repo.

Re: BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

Posted: Mon Sep 06, 2021 3:16 am
by mendesgeo
jki131 wrote:
Sun Sep 05, 2021 7:42 pm
Is there any information on how the sniffer works? There is no source code for the ESP32 firmware in the GitHub repo.
Yes. Check the repo again. It was just updated.

Re: BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

Posted: Thu Nov 11, 2021 7:58 am
by andyn_ff
Thanks for posting the link to the advisory from Espressif. This was the only place I could actually find it.

Do you know how these get published by Espressif? Is there some list I can subscribe to, to be alerted when one of these advisories is posted? I can't see it in their website's news section.

Re: BrakTooth Vulnerability on ESP32 (Arbitrary Code Execution)

Posted: Thu Nov 11, 2021 8:03 am
by axellin
Subscribe to "Advisories" via https://www.espressif.com/en/subscribe