N-Days Exploits: NDAY-2017-0103 Arbitrary kernel write in sys_oabi_epoll_wait

  • zNID: NDAY-2017-0103
  • CVE: CVE-2016-3857
  • Type: Elevation of Privileges
  • Platform: Android < 6.0
  • Device type: Huawei MT7-UL00, Nexus 7
  • Zimperium protection: Detected the exploit without an update. Zimperium partners and customers do not need to take any action to detect this exploit on all affected devices.
  • Android bulletinhttps://source.android.com/security/bulletin/2016-08-01.html
  • Public release date: 25th of May, 2017
    Credit: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360

Download Exploit (password zimperium_ndays)

Vulnerability Details

Vulnerable file drivers/video/tegra/host/bus_client.c
This bug is in the function `sys_oabi_epoll_wait`. It exist before android 6.0 when `CONFIG_OABI_COMPAT` is set. So it is just for some special device, for example Nexus 7 (2013) and Huawei MT7-UL00.
In the function `sys_oabi_epoll_wait`, `__put_user_error` does not validate the pointer events which is from userland. So if we set events to a kernel address, it can lead to kernel arbitrary write.

Exploitation

  1. prepare shellcode address to `event.data`, and this event to epoll by command `EPOLL_CTL_ADD`.
  2. set kernel address of `ptmx_fops->fsync` to event, and then call `sys_oabi_epoll_wait` to trigger the bug. so `__put_user_error` will rewrite `ptmx_fops->fsync` to the address of shellcode.
  3. call `fsync()` on device `/dev/ptmx` to run the shellcode to get elevate privileges and disable selinux.

[gist url=”https://gist.github.com/ntrippar/aab5c81c1f3ab509ee6dee2652bc2a31.js”][/gist]

Get started with your Zimperium trial today

Qualified organizations will try zIPS, Zimperium's mobile threat defense solution, for free and receive recommendations on how to immediately remediate issues and alleviate risks. This includes 3 steps:

[gravityform id="2" ajax="true"]