Paint it Blue: Attacking the Bluetooth stack

Mehdi Talbi, Etienne Helluy-Lafont

Hexacon 2025 · Day 2 · Main Stage

This talk, "Paint it Blue: Attacking the Bluetooth stack," presented by Mehdi Talbi and Etienne Helluy-Lafont from Synacktiv, details a sophisticated exploitation chain targeting a critical heap overflow vulnerability within Android's Bluetooth stack, specifically the **Fluoride** implementation. The researchers demonstrate how a seemingly minor integer overflow in the Generic Attribute Profile (GATT) server could be leveraged to achieve remote code execution (RCE) on Android devices running both **Gmal** (Google's standard malloc) and **Scudo** (a hardened allocator).

AI review

Talbi and Helluy-Lafont deliver the real thing: a complete, novel exploitation chain against Android's Fluoride Bluetooth stack that goes from integer overflow to authenticated zero-click RCE with a persistent shell, all without user interaction, on both standard and hardened allocator targets. This isn't a bug report dressed up as a talk — it's a masterclass in heap exploitation tradecraft on a constrained, privileged attack surface that most researchers treat as a black box. The dual allocator bypass (Gmal and Scudo), the ACL congestion spray primitive, and the ERTM-based read/write…
