NDAY-2017-0103: Arbitrary kernel write in sys_oabi_epoll_wait
- zNID: NDAY-2017-0103
- CVE: CVE-2016-3857
- Type: Elevation of Privileges
- Platform: Android < 6.0
- Device type: Huawei MT7-UL00, Nexus 7
- Zimperium protection: Detected the exploit without an update. Zimperium partners and customers do not need to take any action to detect this exploit on all affected devices.
- Android bulletin: https://source.android.com/security/bulletin/2016-08-01.html
- Public release date: 25th of May, 2017
Credit: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360
Download Exploit (password zimperium_ndays)
Vulnerable file drivers/video/tegra/host/bus_client.c
This bug is in the function `sys_oabi_epoll_wait`. It exist before android 6.0 when `CONFIG_OABI_COMPAT` is set. So it is just for some special device, for example Nexus 7 (2013) and Huawei MT7-UL00.
In the function `sys_oabi_epoll_wait`, `__put_user_error` does not validate the pointer events which is from userland. So if we set events to a kernel address, it can lead to kernel arbitrary write.
- prepare shellcode address to `event.data`, and this event to epoll by command `EPOLL_CTL_ADD`.
- set kernel address of `ptmx_fops->fsync` to event, and then call `sys_oabi_epoll_wait` to trigger the bug. so `__put_user_error` will rewrite `ptmx_fops->fsync` to the address of shellcode.
- call `fsync()` on device `/dev/ptmx` to run the shellcode to get elevate privileges and disable selinux.