NDAY-2017-0106: Elevation of Privilege in NVIDIA nvhost-vic driver

  • zNID: NDAY-2017-0106
  • CVE: CVE-2016-2434
  • Type: Elevation of Privileges
  • Platform: Android 6.0.1
  • Device type: Nexus 9
  • Zimperium protection: Detected the exploit without an update. Zimperium partners and customers do not need to take any action to detect this exploit on all affected devices.
  • Android bulletin: https://source.android.com/security/bulletin/2016-05-01.html
  • Public release date: 25th of May, 2017
  • Credit: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360

Download Exploit (password zimperium_ndays)

Vulnerability Details

Vulnerable file drivers/video/tegra/host/bus_client.c
The function nvhost_init_error_notifier does not validate args->offset which is from userland, so it can lead to arbitrary kernel write.

Exploitation

  1. mmap a memory in userland, and set `args->offset` a number to let `va + args->offset` overflow to this range of memory in userland. So we can calculate the value of `va`.
  2. set `va + args->offset` to the address of `ptmx_fops`, so we can set the value of `ptmx_cdev->ops` from `0xffffffc0010aa420` to `0x00000000010aa420`. `0x00000000010aa420` is a user space address. So we can set `ptmx_cdev->ops` to a fake ops which can be controlled in userland.
  3. set `ptmx_cdev->ops->ioctl` to a rop read or write kernel gadget which can read a 8 bytes from arbitrary kernel address or write 4 bytes to arbitrary kernel address.
  4. when we get the capability of reading and writing arbitrary kernel address leading to elevation of privileges to the context of the kernel.


Follow Us