Some scripts are freezing
Setup
- VM installation with generic/ubuntu2204 box
- Host OS: Kali Linux
- Using built-in Bluetooth (Intel)
- Testing device: Lenovo ThinkPlus Earphones
Problem
Recon and some exploit commands freeze. It is not possible to escape; I need to close the terminal and kill the vagrant process.
vagrant@ubuntu2204:~$ sudo bluekit -t XX:XX:XX:XX:XX:XX -r
/usr/share/BlueToolkit/data/tests/XX:XX:XX:XX:XX:XX/recon/hciinfo.log
5.1
Running command -> hcitool info {target}
Running command -> sdptool browse {target}
Running command -> bluing br --sdp {target}
...
vagrant@ubuntu2204:~$ sudo bluekit -t XX:XX:XX:XX:XX:XX
/usr/share/BlueToolkit/data/tests/XX:XX:XX:XX:XX:XX/recon/hciinfo.log
Target Bluetooth version: 5.1
Skipping all exploits and hardware that do not support this version
There are 11 out of 40 exploits available.
Running the following exploits: ['custom_legacy_pairing_second_check', 'custom_method_confusion_check', 'bleedingtooth_badvibes_cve_2020_24490', 'bleedingtooth_badchoice_cve_2020_12352', 'reconnaissance_SSP_supported', 'blueborne_CVE_2017_1000251', 'blueborne_CVE_2017_0785', 'custom_nino_check', 'reconnaissance_SC_supported', 'reconnaissance_possible_BLUR', 'blueborne_CVE_2017_1000250']
Testing exploits: 0%| | 0/11 [00:00<?, ?it/s]Partical check - Device connectivity is checked
b'BLUEEXPLOITER DATA: code=1, data=No PIN was requested\n'
Testing exploits: 9%|██████████▏ | 1/11 [00:24<04:08, 24.82s/it]Partical check - Device connectivity is checked
b"BLUEEXPLOITER DATA: code=1, data=Device didn't show its capabilities, most likely Legacy Pairing\n"
Testing exploits: 18%|████████████████████▎ | 2/11 [00:48<03:39, 24.36s/it]Partical check - Device connectivity is checked
...
Checking /usr/share/BlueToolkit/data/tests/7C:6B:BC:83:AA:F8, I found that the bleedingtooth_badvibes_cve_2020_24490 folder is empty (no output), so probably something is failing with that script as well as with the bluing command in the recon.
I also noted that if the earphone device is already paired, the script reports "Device is down" all the time.
Hi @SCH227 ,
- what do you mean by freeze?
- Did you try Ctrl+C or Cmd+C? It should be possible to escape the testing, because the toolkit will kill the running processes and save a checkpoint.
- Will check bleedingtooth_badvibes_cve_2020_24490, but in general there should be at least one json file for each test
- Regarding being already paired to the device. In general you need to start with the device not being paired to a host. But you might have given me an idea of what would be an improvement (check and delete paired device info).
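A pre-flight check for the "already paired" case discussed above, written here as an added example and not part of BlueToolkit; it assumes `bluetoothctl` is on the PATH and exits non-zero for a device the host does not know, and it wraps the call in a timeout so a hung command cannot freeze the terminal:

```python
"""Pre-flight helper (added example, not BlueToolkit code): report whether a
test device is already paired/connected with this host before a run, since an
already paired target makes the toolkit report it as down."""
import re
import subprocess

# Constructed sample of `bluetoothctl info <MAC>` output (not captured from a real device).
SAMPLE_INFO = """Device AA:BB:CC:DD:EE:FF (public)
\tName: Test Earphones
\tPaired: yes
\tBonded: yes
\tTrusted: no
\tBlocked: no
\tConnected: no
"""

def parse_device_info(text):
    """Return a dict of the yes/no flags found in bluetoothctl info output."""
    flags = {}
    for key, val in re.findall(r"^\s*(\w+):\s*(yes|no)\s*$", text, re.MULTILINE):
        flags[key.lower()] = (val == "yes")
    return flags

def pairing_problem(text):
    """Return a message if the device state would confuse the test run, else None."""
    flags = parse_device_info(text)
    if flags.get("paired") or flags.get("bonded"):
        return "target is already paired/bonded with this host; remove it first (bluetoothctl remove <MAC>)"
    if flags.get("connected"):
        return "target is currently connected to this host; disconnect it first"
    return None

def run_with_timeout(cmd, timeout=30):
    """Run a command and kill it if it exceeds the timeout instead of hanging."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        return proc.returncode, proc.stdout
    except subprocess.TimeoutExpired:
        return None, ""

def check_target(mac):
    """Query bluetoothctl for the target and report any state that blocks testing."""
    rc, out = run_with_timeout(["bluetoothctl", "info", mac])
    if rc is None:
        return "bluetoothctl info timed out"
    if rc != 0:
        return None  # assumption: non-zero means the host has no record of the device
    return pairing_problem(out)

if __name__ == "__main__":
    import sys
    print(check_target(sys.argv[1]) or "ok: target not paired with this host")
```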
@sgxgsx thank you for the prompt answer!
1&2. The terminal hangs, so even Ctrl+C or Ctrl+Z does not work. To solve it I had to close the terminal window and kill the process.
3. The 'freeze' behavior happens for the exploits bleedingtooth_badchoice_cve_2020_12352 and bleedingtooth_badvibes_cve_2020_24490, and in the recon script after bluing br --sdp {target}. Do you see any other debugging information I could provide to help triaging?
4. Let me check if I understood correctly. If the earphone device is already paired, is the script expected to not be able to connect and test (and thus see it as down)?
Hi @SCH227 , sorry for the late reply. 3. We are getting rid of bluing soon, so that should resolve this problem. Regarding badchoice and badvibes, we'll check again after a new version release. 4. Also, one person is rewriting recon, so it might fix your problem.