NDAY-2017-0106: Elevation of Privilege in NVIDIA nvhost-vic driver


  • zNID: NDAY-2017-0106
  • CVE: CVE-2016-2434
  • Type: Elevation of Privileges
  • Platform: Android 6.0.1
  • Device type: Nexus 9
  • Zimperium protection: Detected the exploit without an update. Zimperium partners and customers do not need to take any action to detect this exploit on all affected devices.
  • Android bulletin: https://source.android.com/security/bulletin/2016-05-01.html
  • Public release date: 25th of May, 2017
  • Credit: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360

Download Exploit (password zimperium_ndays)

Vulnerability Details

Vulnerable file: drivers/video/tegra/host/bus_client.c
The function nvhost_init_error_notifier does not validate args->offset, which comes from userland, so it can lead to an arbitrary kernel write.
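As an added illustration that is not from the original post or from the NVIDIA driver source, the constructed C below shows the kind of bounds check the writeup says `nvhost_init_error_notifier` lacks: the argument struct, record size and buffer are stand-ins, and the check is written so that an offset which would make `va + args->offset` wrap (the overflow used in step 1 of the exploitation sequence) is rejected instead of computed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the ioctl argument block; offset is the
 * untrusted userland value the writeup says is never validated. */
struct notifier_args {
    uint64_t offset;
};

#define NOTIFIER_RECORD_SIZE 32u /* bytes written at va + offset (constructed) */

/* Returns 1 if a NOTIFIER_RECORD_SIZE-byte write at `offset` fits in a
 * buf_size-byte buffer, else 0. Comparing before subtracting keeps it
 * wraparound-safe: a huge offset cannot wrap offset + size back into range,
 * the overflow step 1 of the writeup exploits when va + offset is unchecked. */
int notifier_offset_ok(uint64_t offset, size_t buf_size)
{
    if (offset > buf_size)
        return 0;
    if (buf_size - offset < NOTIFIER_RECORD_SIZE)
        return 0;
    return 1;
}

/* Hardened write path: validate the offset before touching base + offset
 * (the vulnerable shape writes unconditionally). Returns 0, or -1 on reject. */
int init_error_notifier(uint8_t *base, size_t buf_size,
                        const struct notifier_args *args, uint8_t fill)
{
    if (!notifier_offset_ok(args->offset, buf_size))
        return -1;
    memset(base + args->offset, fill, NOTIFIER_RECORD_SIZE);
    return 0;
}

int main(void)
{
    uint8_t buf[256] = {0};
    struct notifier_args in_range = { .offset = 64 };
    struct notifier_args past_end = { .offset = 240 };            /* 240 + 32 > 256 */
    struct notifier_args wrapping = { .offset = UINT64_MAX - 8 }; /* va + offset wraps */

    printf("in range: %d\n", init_error_notifier(buf, sizeof buf, &in_range, 0xAA));
    printf("past end: %d\n", init_error_notifier(buf, sizeof buf, &past_end, 0xAA));
    printf("wrapping: %d\n", init_error_notifier(buf, sizeof buf, &wrapping, 0xAA));
    return 0;
}
```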

Exploitation

  1. mmap a region of memory in userland, and set `args->offset` to a value that makes `va + args->offset` wrap around into that region of userland memory. From this we can calculate the value of `va`.
  2. Set `va + args->offset` to the address of `ptmx_fops`, so we can change the value of `ptmx_cdev->ops` from `0xffffffc0010aa420` to `0x00000000010aa420`. `0x00000000010aa420` is a user space address, so we can point `ptmx_cdev->ops` at a fake ops structure that is controlled from userland.
  3. Set `ptmx_cdev->ops->ioctl` to a ROP read or write kernel gadget that can read 8 bytes from an arbitrary kernel address or write 4 bytes to an arbitrary kernel address.
  4. With the ability to read and write arbitrary kernel addresses, this leads to elevation of privileges to the context of the kernel.

Author: zLabs