Mobile Security & Enterprise Mobility Blog

NDAY-2017-0105: Elevation of Privilege Vulnerability in MSM Thermal Driver

By: Zuk Avraham, Nicolas Trippar

Following our announcement of the N-Days Exploit Acquisition Program for smartphones, we are delighted to share the first couple of submissions. We received many submissions and we're in the process of sharing them with ZHA, followed by public disclosure. We plan to release additional EOPs, RCEs and infoleaks purchased through the Zimperium N-Days EAP in the next few months. If you have a mobile N-Day exploit that you would like to monetize, or would like to practice exploitation and get paid for it, check out the submission guidelines in our N-Days Exploit Acquisition Program announcement. We encourage all ZHA partners to share exploit submissions for better collaboration between everyone involved in making our mobile devices safer.

zNID: NDAY-2017-0105
CVE: CVE-2016-2411
Type: Elevation of Privileges
Platform: Android 6.0.1
Device type: Nexus 5x
Zimperium protection: Detected the exploit without an update. Zimperium partners and customers do not need to take any action to detect this exploit on all affected devices.
Android bulletin: https://source.android.com/security/bulletin/2016-04-02.html
Public release date: 25th of April, 2017
Credit: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360

Download Exploit (password zimperium_ndays)

Vulnerability Details

In the function msm_thermal_process_voltage_table_req, cluster_id is passed in from userland but never validated before it is used as an index, which can lead to a heap overflow. Triggering the bug requires root; however, it can still be used for privilege escalation, for example to disable SELinux.
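To make the defect concrete from the fixing side, here is an added example (not the MSM thermal driver's code, and not part of the original advisory) of a hypothetical request handler that copies a userland-supplied voltage table into a heap-allocated per-cluster array, first with `cluster_id` trusted as-is and then with the bounds check that closes the hole. The struct layout, the constants `NUM_CLUSTERS` and `TABLE_ENTRIES`, and the function names are assumptions; `-EINVAL` is the usual return for a malformed request.

```c
/* Added example, not the driver's code. A hypothetical handler that indexes a
 * heap-allocated per-cluster table with a cluster_id chosen by userland.
 * All names, sizes and struct layouts below are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>

#define NUM_CLUSTERS  2   /* assumed number of CPU clusters on the SoC */
#define TABLE_ENTRIES 4   /* assumed voltage entries per cluster */

/* Shape of the request a client hands to the driver (assumed). */
struct voltage_table_req {
    uint32_t cluster_id;                /* index chosen by the caller */
    uint32_t voltage_uv[TABLE_ENTRIES]; /* payload copied into the table */
};

/* Per-cluster table living on the heap, like a kzalloc'd driver structure. */
struct cluster_voltage_table {
    uint32_t voltage_uv[TABLE_ENTRIES];
};

struct cluster_voltage_table *alloc_tables(void)
{
    return calloc(NUM_CLUSTERS, sizeof(struct cluster_voltage_table));
}

/* The pattern the advisory describes: cluster_id is used without validation,
 * so an out-of-range value makes the memcpy land past the end of the
 * allocation. Kept only for contrast; never feed it an unvalidated index. */
int process_req_unchecked(struct cluster_voltage_table *tables,
                          const struct voltage_table_req *req)
{
    memcpy(tables[req->cluster_id].voltage_uv, req->voltage_uv,
           sizeof(req->voltage_uv));
    return 0;
}

/* The single comparison that turns an attacker-chosen index into a rejected
 * request. Unsigned compare also covers "negative" values cast by the caller. */
int cluster_id_is_valid(uint32_t cluster_id)
{
    return cluster_id < NUM_CLUSTERS;
}

int process_req_checked(struct cluster_voltage_table *tables,
                        const struct voltage_table_req *req)
{
    if (!cluster_id_is_valid(req->cluster_id))
        return -EINVAL; /* reject before touching the heap */
    memcpy(tables[req->cluster_id].voltage_uv, req->voltage_uv,
           sizeof(req->voltage_uv));
    return 0;
}

int main(void)
{
    struct cluster_voltage_table *tables = alloc_tables();
    /* Constructed requests: one in range, one using the advisory's 213149. */
    struct voltage_table_req ok  = { .cluster_id = 1,
                                     .voltage_uv = {900000, 950000, 1000000, 1050000} };
    struct voltage_table_req bad = { .cluster_id = 213149, .voltage_uv = {0} };

    printf("in-range request:     %d\n", process_req_checked(tables, &ok));
    printf("out-of-range request: %d (expected %d)\n",
           process_req_checked(tables, &bad), -EINVAL);
    free(tables);
    return 0;
}
```

The check belongs at the boundary where the value enters the kernel, before any arithmetic on it; checking `cluster_id < NUM_CLUSTERS` as an unsigned comparison is what keeps both oversized and wrapped values out of the index.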

Exploitation

  1. Set cluster_id to 213149, so we can set the value of wan_ioctl_cdev->ops from 0xffffffc001aa0e30 to 0x0000000001aa0e30. 0x0000000001aa0e30 is a user space address.
  2. We can set ptmx_cdev->ops to a fake ops which can be controlled in userland. Then get arbitrary kernel read & write by ROP.