Mobile Security & Enterprise Mobility Blog

What is Quadrooter?

‘Quadrooter’ is a group of four vulnerabilities affecting  specific Android devices leveraging the Qualcomm chipset and associated driver code. These four vulnerabilities are a small part of the 36 vulnerabilities reported from the same class of bug (privilege escalation) for the same vendor (Qualcomm) that were fixed as part of August 5th Android Nexus monthly security bulletin. The vulnerabilities reside in the embedded software running the graphics driver. The graphics driver has privileged access to other processes on your device making this an interesting target for attackers.

Per the POC shared with Google for this exploit, Zimperium customers will detect and provide detailed forensics for this attack without requiring an update. The Zimperium solution continuously monitors for anomalous behaviour using our proprietary z9 technology to detect mobile attacks whether from local escalation of privileges, attacks over Wi-Fi networks or malicious applications.

What do you need to do to be safe from Quadrooter?

  1. Use a mobile threat protection app such as zIPS to detect network, device or OS tampering and elevation of privilege exploits utilizing the Quadrooter vulnerabilities or any other vulnerability on your Android or iOS devices.
  2. Update your Android devices and make sure you are running the latest patch level – dated (at the time of writing) August 5th, 2016.
  3. Assess and audit devices that have 3rd party download sources enabled. Don’t download 3rd party apps from outside of Google Play to minimize exposure to malicious code. Ensure apps are appropriately scanned for malicious content regardless of source.

What is in Quadrooter?

The four vulnerabilities defined as ‘Quadrooter’ are:

  • CVE-2016-2503 – The Qualcomm GPU driver in Android before 2016-07-05 on Nexus 5X and 6P devices allows attackers to gain privileges via a crafted application…
  • CVE-2016-2504 – The Qualcomm GPU driver in Android before 2016-08-05 on Nexus 5, 5X, 6, 6P, and 7 (2013) devices allows attackers to gain privileges via a crafted application…
  • CVE-2016-2059 – … in the IPC router kernel module for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify that a port is a client port, which allows attackers to gain privileges or cause a denial of service…
  • CVE-2016-5340 – … Android patch for the Linux kernel 3.x mishandles pointer validation within the KGSL Linux Graphics Module, which allows attackers to bypass intended access restrictions by using the /ashmem string as the dentry name.

Two of the above CVEs, CVE 2016-2503 and CVE 2016-2504, are addressed in Google’s Android Security Bulletins for July and August of 2016. Google reports they do not have any reports of active customer exploitation of abuse of these reported issues. The latter CVEs mentioned, 2059 and 5240, have been fixed but a patch update is still pending.

Interestingly, there is a remote code execution vulnerability in the same security bulletin mentioning the Quadrooter vulnerabilities. The remote code execution vulnerabilities are much more severe since they don’t require initial code execution to your device. In the August bulletin there are 32 other local privilege escalation vulnerabilities in the same vendor.

In the August Security bulletin many privilege escalation bugs are documented. From an initial investigation of the August 2016 security bulletin, we found the following vulnerabilities to be of higher risk as they affect a broader range of devices and are not solely dependent on usage of the Qualcomm chipset.

  1. Kernel remote code execution – CVE-2014-9902
  2. RCE in Conscript – CVE-2016-3840
  3. RCEs in MediaServer – CVE-2016-3819, CVE-2016-3820, CVE-2016-3821
  4. And RCE in Libjhead – CVE-2016-3822
  5. And multiple information disclosure bugs

Sources:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2503
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2504
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2059
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5340
http://source.android.com/security/bulletin/2016-07-01.html
http://source.android.com/security/bulletin/2016-08-01.html