Zimperium Blog

NDAY-2017-0102: Elevation of Privilege Vulnerability in NVIDIA Video Driver

Following our announcement of the N-Days Exploit Acquisition Program for smartphones, we are delighted to share the first couple of submissions. We received many submissions and are in the process of sharing them with ZHA, followed by public disclosure. We plan to release additional EOPs, RCEs and infoleaks purchased through the Zimperium N-Days EAP in the next few months. If you have a mobile N-Day exploit that you would like to monetize, or would like to practice exploitation and get paid for it, check out the submission guidelines in our N-Days Exploit Acquisition Program announcement. We encourage all partners of ZHA to share exploit submissions for better collaboration between all those involved in making our mobile devices safer.

zNID: NDAY-2017-0102
CVE: CVE-2016-2435
Type: Elevation of Privileges
Platform: Android 6.0
Device type: Nexus 9
Zimperium protection: Detected the exploit without an update. Zimperium partners and customers do not need to take any action to detect this exploit on all affected devices.
Android bulletin: https://source.android.com/security/bulletin/2016-05-01.html
Public release date: 25th of April, 2017
Credit: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360

Download Exploit (password zimperium_ndays)

Vulnerability Details

Vulnerable file: drivers/gpu/nvgpu/gk20a/channel_gk20a.c
When we perform an IOCTL operation on /dev/nvhost-gpu with cmd NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, the driver calls the function gk20a_init_error_notifier. This function does not validate args->offset, which comes from userspace, leading to elevation of privileges to the context of the kernel.
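The missing check, modelled in user space as an added example (this is not the driver's code or the vendor's patch): an unchecked base + offset sum can wrap around, while a bounds check against the buffer size rejects it. The struct layout, function names and all addresses are assumptions constructed for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the record the driver writes at va + offset. */
struct notification { uint64_t timestamp; uint32_t info32; uint16_t info16, status; };

/* Unchecked form: offset comes straight from userspace, so the sum can
 * wrap modulo 2^64 and point outside the mapped buffer. */
static uint64_t notifier_addr_unchecked(uint64_t va, uint64_t offset)
{
    return va + offset;
}

/* Hardened form: the whole record must fit inside the buffer. The bound is
 * computed by subtraction so the comparison itself cannot overflow. */
static bool notifier_offset_ok(uint64_t buf_size, uint64_t offset)
{
    if (buf_size < sizeof(struct notification))
        return false;
    return offset <= buf_size - sizeof(struct notification);
}

/* Returns 0 and stores the address, or -1 (a driver would use -EINVAL). */
static int notifier_addr_checked(uint64_t va, uint64_t buf_size,
                                 uint64_t offset, uint64_t *out)
{
    if (!notifier_offset_ok(buf_size, offset))
        return -1;
    *out = va + offset;
    return 0;
}

int main(void)
{
    /* Constructed values, not taken from a real device. */
    const uint64_t va = 0xffffff8000100000ULL, size = 0x1000;
    const uint64_t bad = 0x000000800ff00000ULL, good = 0x100;
    uint64_t addr = 0;

    printf("unchecked: 0x%016" PRIx64 "\n", notifier_addr_unchecked(va, bad));
    printf("checked(bad)  -> %d\n", notifier_addr_checked(va, size, bad, &addr));
    int rc = notifier_addr_checked(va, size, good, &addr);
    printf("checked(good) -> %d, addr 0x%016" PRIx64 "\n", rc, addr);
    return 0;
}
```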

Exploitation

  1. mmap a region of memory in userland, then set args->offset to a number that makes va + args->offset overflow into this range of userland memory. As a result, we can calculate the value of va.
  2. Set va + args->offset to the address of ptmx_fops, to change the value of ptmx_cdev->ops from 0xffffffc0010aa420 to 0x00000000010aa420. 0x00000000010aa420 is a user space address. As a result, we can point ptmx_cdev->ops at a fake ops structure that is controlled by a userspace application.
  3. Set ptmx_cdev->ops->ioctl to a kernel ROP read or write gadget, to read 8 bytes from an arbitrary kernel address or write 4 bytes to an arbitrary kernel address.
  4. After achieving the read8 and write4 capabilities, the path to elevated privileges and to disabling SELinux is clear.