目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡

CVE-2023-46870 PoC — Nordic Semiconductor nRF Sniffer 安全漏洞

来源
https://github.com/Chapoly1305/CVE-2023-46870
关联漏洞
标题:Nordic Semiconductor nRF Sniffer 安全漏洞 (CVE-2023-46870)
Description:Nordic Semiconductor nRF Sniffer是挪威Nordic半导体(Nordic Semiconductor)公司的一种调试蓝牙低功耗 (BLE) 应用程序的工具。 Nordic Semiconductor nRF Sniffer for Bluetooth LE存在安全漏洞,该漏洞源于设置不正确的文件权限,允许攻击者通过修改后的bash和python脚本执行代码。
介绍
# CVE-2023-46870

Nordic Semiconductor nRF Sniffer for Bluetooth LE versions 3.0.0, 3.1.0, 4.0.0, 4.1.0, and 4.1.1 have incorrect file permissions set, which allows adversaries to perform privilege escalation and code execution by modifying bash and python scripts.

**Keywords:** Local Privilege Escalation (LPE), Code Execution

**Affected Platform:** Linux, MacOS

**Affected Files:** extcap/nrf_sniffer_ble.py, extcap/nrf_sniffer_ble.sh, extcap/SnifferAPI/*.py


## Description


nRF Sniffer for Bluetooth LE is a Wireshark extension that allows the use of a nRF52840 dongle and Development Kit to perform packet capture and analysis.


## Replication Steps
1. Download and decompressing the relevant software [nRF Sniffer for Bluetooth LE](https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE/Download)
2. As described by the vendor in the user manual found at [Installation Guide](https://infocenter.nordicsemi.com/topic/ug_sniffer_ble/UG/sniffer_ble/installing_sniffer_plugin.html), copy the files directly to the Wireshark extcap plug-in folder. Observe the script nrf_sniffer_ble.sh which may have been set to 777, allowing other users in the system to edit the content of the script. 


[YouTube Video](https://youtu.be/cyC4_aJgMX0)
_Video was recorded when got Covid-19, sorry about the slow speaking._

## Analysis
**CVSS:3.0 7.3 High**
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H


Due to this permissions issue, the extracted files are set to allow both group and others to modify (permissions set as 777 and 666). This allows any malicious program or user, even without sudo or root permissions, to modify the bash and python scripts, potentially leading to code execution when another user launches Wireshark. Since Wireshark always loads the extensions from the extcap directory, regardless of whether the legitimate user intends to use the "nRF Sniffer for Bluetooth LE" or not, the code will always be executed.


[YouTube Video](https://youtu.be/n6YQiWRjzCY)



## Suggested Mitigation


Manually correct the file permissions to 500 or 400.
For example, on macOS:
```
chmod 500 ~/.config/wireshark/extcap/nrf_sniffer_ble.sh 
chmod 400 ~/.config/wireshark/extcap/SnifferAPI/*
```


## History

- Nov 2, 2023 – CVE ID Reserved.
- Dec 11, 2023 – Vendor Responded, Case concluded invalid.
- May 10, 2024 – Publicly Disclosed.
文件快照

 [4.0K]  /data/pocs/06174347a84d0bf3490c7799fce0332279b1f1be
└── [2.3K]  README.md

0 directories, 1 file
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。