wordpartrama1974

Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag: A Serious Risk for Android U





On November 3rd, 2019, INSINUATOR.org reported a critical vulnerability affecting the Android Bluetooth subsystem. This vulnerability has been assigned CVE-2020-0022 and has now been patched in the latest security patch from February 2020. The security impact is as follows:




Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag



However, there was an issue: the above blog post was dealing with ARM64, and the Bluetooth daemon on the Peloton was (weirdly) 32-bit ARM. The implementation of memcpy in the ARM64 version has a quirk that allows the negative-sized copy to end, which also allows the exploit to leak memory containing addresses. The 32-bit implementation did not have that quirk. Luckily, at the very end of the post there was salvation: a different exploit for this vulnerability on a 32-bit device by Polo35. Instead of relying on the underflow, this exploit used a zero-length memcpy to read 4 bytes of uninitialized memory.

