Zimperium protection: Detected the exploit without an update. Zimperium partners and customers do not need to take any action to detect this exploit on all affected devices.
Vulnerable file: drivers/video/tegra/host/bus_client.c
This bug is in the function `sys_oabi_epoll_wait`. It exists in kernels before Android 6.0 when `CONFIG_OABI_COMPAT` is set, so it affects only certain devices, for example the Nexus 7 (2013) and the Huawei MT7-UL00. In `sys_oabi_epoll_wait`, `__put_user_error` writes each returned event through the `events` pointer supplied from userland without validating it. If `events` is set to a kernel address, the call becomes an arbitrary kernel write.
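The root cause above is a copy-out loop that never checks where the user-supplied destination pointer points. The following is an added example, not code from the page or from the kernel: a constructed user-space model of the hardened form of that loop, in which the whole destination range is validated against an `access_ok`-style boundary check before any write. The boundary (`MODEL_TASK_SIZE`), the mapped user page (`MODEL_USER_BASE`, `MODEL_USER_LEN`) and the sample events are illustrative constants chosen here, not real device values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed model (not kernel code). On 32-bit ARM, user addresses lie
 * below TASK_SIZE and anything at or above it is kernel memory. The
 * constants below are illustrative only.
 */
#define MODEL_TASK_SIZE  0xBF000000u   /* assumed user/kernel boundary */
#define MODEL_USER_BASE  0x10000000u   /* assumed single mapped user page */
#define MODEL_USER_LEN   4096u
#define MODEL_EFAULT     14            /* errno EFAULT */
#define OABI_EVENT_SIZE  12u           /* 4-byte events + 8-byte data, packed */

static uint8_t model_user_page[MODEL_USER_LEN];  /* backing store for the page */

/* OABI epoll_event layout: no padding between the two fields. */
struct oabi_epoll_event {
    uint32_t events;
    uint64_t data;
} __attribute__((packed));
_Static_assert(sizeof(struct oabi_epoll_event) == OABI_EVENT_SIZE, "packed layout");

/* Constructed sample of what the kernel side would have collected. */
const struct oabi_epoll_event sample_kbuf[2] = {
    { .events = 0x1, .data = 0x1111 },
    { .events = 0x4, .data = 0x2222 },
};

/* Model of access_ok(): [addr, addr+size) must fit below TASK_SIZE without wrapping. */
static int model_access_ok(uint32_t addr, uint64_t size)
{
    if (size > MODEL_TASK_SIZE)
        return 0;
    return addr <= (uint32_t)(MODEL_TASK_SIZE - size);
}

/* Resolve a user address to the model page, or NULL if that range is not mapped. */
static uint8_t *model_resolve(uint32_t addr, uint32_t size)
{
    if (addr < MODEL_USER_BASE || size > MODEL_USER_LEN ||
        addr - MODEL_USER_BASE > MODEL_USER_LEN - size)
        return NULL;
    return model_user_page + (addr - MODEL_USER_BASE);
}

/*
 * Hardened copy-out: the whole destination range is validated before the
 * first write, so a kernel address (for example a file_operations slot)
 * is rejected up front and can never become a write target. Returns the
 * number of events written, or -EFAULT.
 */
int copy_events_checked(const struct oabi_epoll_event *kbuf, int n, uint32_t user_events)
{
    if (n < 0)
        return -MODEL_EFAULT;
    uint64_t total = (uint64_t)n * OABI_EVENT_SIZE;  /* 64-bit: no overflow */
    if (!model_access_ok(user_events, total))
        return -MODEL_EFAULT;

    for (int i = 0; i < n; i++) {
        uint8_t *dst = model_resolve(user_events + (uint32_t)i * OABI_EVENT_SIZE,
                                     OABI_EVENT_SIZE);
        if (!dst)                       /* unmapped user page: fault, as put_user would */
            return -MODEL_EFAULT;
        memcpy(dst, &kbuf[i], OABI_EVENT_SIZE);
    }
    return n;
}

/* Read back the 64-bit data field of event 'index' from the model page. */
uint64_t model_read_data(uint32_t user_events, int index)
{
    uint64_t v = 0;
    uint8_t *src = model_resolve(user_events + (uint32_t)index * OABI_EVENT_SIZE + 4u, 8u);
    if (src)
        memcpy(&v, src, 8);
    return v;
}

int main(void)
{
    printf("user buffer:        %d\n", copy_events_checked(sample_kbuf, 2, MODEL_USER_BASE));
    printf("kernel address:     %d\n", copy_events_checked(sample_kbuf, 1, 0xC0000000u));
    printf("straddles boundary: %d\n", copy_events_checked(sample_kbuf, 1, MODEL_TASK_SIZE - 8));
    return 0;
}
```

The three calls in `main` cover the cases a reviewer checks for in such a loop: a normal user buffer succeeds, a kernel pointer is refused before any write, and a range that starts below the boundary but ends above it is refused as well, since the check is applied to the whole range rather than to the first element.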
Exploitation
Store the shellcode address in `event.data`, and add this event to epoll with `EPOLL_CTL_ADD`.
Pass the kernel address of `ptmx_fops->fsync` as `events`, then call `sys_oabi_epoll_wait` to trigger the bug, so that `__put_user_error` overwrites `ptmx_fops->fsync` with the shellcode address.
Call `fsync()` on the device `/dev/ptmx` to run the shellcode, which elevates privileges and disables SELinux.