Zimperium Blog

NDAY-2017-0106: Elevation of Privilege in NVIDIA nvhost-vic driver

  • zNID: NDAY-2017-0106
  • CVE: CVE-2016-2434
  • Type: Elevation of Privileges
  • Platform: Android 6.0.1
  • Device type: Nexus 9
  • Zimperium protection: Detected the exploit without an update. Zimperium partners and customers do not need to take any action to detect this exploit on all affected devices.
  • Android bulletin: https://source.android.com/security/bulletin/2016-05-01.html
  • Public release date: 25th of May, 2017
  • Credit: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360

Download Exploit (password zimperium_ndays)

Vulnerability Details

Vulnerable file drivers/video/tegra/host/bus_client.c
The function nvhost_init_error_notifier does not validate args->offset which is from userland, so it can lead to arbitrary kernel write.

Exploitation

  1. mmap a memory in userland, and set `args->offset` a number to let `va + args->offset` overflow to this range of memory in userland. So we can calculate the value of `va`.
  2. set `va + args->offset` to the address of `ptmx_fops`, so we can set the value of `ptmx_cdev->ops` from `0xffffffc0010aa420` to `0x00000000010aa420`. `0x00000000010aa420` is a user space address. So we can set `ptmx_cdev->ops` to a fake ops which can be controlled in userland.
  3. set `ptmx_cdev->ops->ioctl` to a rop read or write kernel gadget which can read a 8 bytes from arbitrary kernel address or write 4 bytes to arbitrary kernel address.
  4. when we get the capability of reading and writing arbitrary kernel address leading to elevation of privileges to the context of the kernel.