Type: Elevation of Privileges
Platform: Android 6.0.1
Device type: Nexus 5x
Zimperium protection: Detected the exploit without an update. Zimperium partners and customers do not need to take any action to detect this exploit on all affected devices.
Android bulletin: https://source.android.com/security/bulletin/2016-04-02.html
Public release date: 25th of April, 2017
Credit: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360
Download Exploit (password zimperium_ndays)
In the function msm_thermal_process_voltage_table_req, cluster_id is passed from userland but is not validated, which can lead to a heap overflow. Triggering it requires root; however, it can be used as a privilege escalation to disable SELinux.
- Set cluster_id to 213149, so we can set the value of wan_ioctl_cdev->ops from 0xffffffc001aa0e30 to 0x0000000001aa0e30. 0x0000000001aa0e30 is a user space address.
- We can set ptmx_cdev->ops to a fake ops which can be controlled in userland, then get arbitrary kernel read & write by ROP.
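The missing check is the whole defect here. As an added example (not the msm_thermal driver's code and not part of the original write-up), the C below sketches a hypothetical handler of the same shape, with the bounds check on the userland-supplied cluster_id that the vulnerable function lacks; the struct layout, cluster count, level count and all names are assumptions.

```c
/* Added example, not the msm_thermal driver's code: a hypothetical handler
 * shaped like the one described above (a heap table indexed by a cluster_id
 * copied in from userland). Struct layout, counts and names are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define NUM_CLUSTERS 2  /* assumed: two CPU clusters */
#define NUM_LEVELS   8  /* assumed: voltage levels per cluster */

struct cluster_voltage_table { uint32_t voltage_uv[NUM_LEVELS]; };
/* Request as copied from userland: every field is caller-controlled. */
struct voltage_table_req { uint32_t cluster_id, level, voltage_uv; };

static struct cluster_voltage_table *tables;  /* exactly NUM_CLUSTERS entries */

static int init_tables(void)
{
    if (!tables)
        tables = calloc(NUM_CLUSTERS, sizeof(*tables));
    return tables ? 0 : -ENOMEM;
}

/* Hardened handler. The unchecked form
 *     tables[req->cluster_id].voltage_uv[req->level] = req->voltage_uv;
 * is the defect described above: a cluster_id such as 213149 indexes far
 * past the two-entry allocation and corrupts whatever follows it on the
 * heap. Rejecting out-of-range indices before use closes that path. */
static int process_voltage_table_req(const struct voltage_table_req *req)
{
    if (req->cluster_id >= NUM_CLUSTERS || req->level >= NUM_LEVELS)
        return -EINVAL;
    tables[req->cluster_id].voltage_uv[req->level] = req->voltage_uv;
    return 0;
}

/* Build a request the way an ioctl caller would and submit it. */
static int submit_req(uint32_t cluster_id, uint32_t level, uint32_t uv)
{
    struct voltage_table_req req = { cluster_id, level, uv };
    return process_voltage_table_req(&req);
}

/* Checked read-back so a test can confirm only in-range writes landed. */
static uint32_t read_voltage(uint32_t cluster_id, uint32_t level)
{
    if (cluster_id >= NUM_CLUSTERS || level >= NUM_LEVELS)
        return 0;
    return tables[cluster_id].voltage_uv[level];
}
```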