Qualcomm Snapdragon SoCs (systems on a chip) power a large percentage of smart devices in use today. The company's own website notes that more than a billion devices use Snapdragon processors or modems. Unfortunately, many of these devices contain security flaws that could allow an attacker to gain root access. Gaining root access on a device is highly valuable; it allows the attacker access to various capabilities they would not have under normal circumstances.
We recently found vulnerabilities affecting Snapdragon-powered Android devices, which could be exploited by an attacker in order to gain root access on the target device simply by running a malicious app. These vulnerabilities have now been fixed by Google; we reported these problems to them privately to allow a patch to be created and distributed to the public. However, given the fragmented nature of vulnerability patching in the mobile and Internet of Things (IoT) space, many users will not be able to receive the needed security update and may continue to be at risk of, among other things, information exposure.
As the number of embedded SoCs in devices explodes with the growth of the IoT, we anticipate that these kinds of vulnerabilities will become a bigger problem that will challenge the overall security posture of the Internet of Things.
The first vulnerability we discovered is a logic bug in how an object within the kernel is freed: a node is deleted twice before it is freed. This causes an information leak and a Use After Free (UAF) issue in Android. (UAF issues are well-known for being at the heart of exploits, particularly in Internet Explorer.)
The second vulnerability lies in the function get_krait_evtinfo. (Krait refers to the processor core used by several Snapdragon processors.) The function returns an index into an array; however, the validation of this function's inputs is not sufficient. As a result, when the array krait_functions is accessed by the functions krait_clearpmu and krait_evt_setup, an out-of-bounds access results. This can be useful as one step in an attack that chains multiple exploits.
Gaining root access
Using these two exploits, one can gain root access on a Snapdragon-powered Android device. This can be done via a malicious app on the device. To prevent further attacks that may target either the patched vulnerabilities or similar ones that have yet to be discovered, we are not disclosing the full details of this attack. We will disclose more details at my talk at the upcoming Hack In The Box security conference in the Netherlands, to be held in late May 2016.
What devices are vulnerable?
The system call perf_event_open (which is used by this attack) is accessible on most smartphones. However, vendors can heavily customize the kernel and SELinux policies of their devices, making it difficult to identify which devices are vulnerable.
According to Google's February security bulletin, CVE-2016-0805 affects Android versions from before 4.4.4 up to 6.0.1. We cannot comprehensively test all Android devices, but our own testing indicates the following devices are affected:
- Nexus 5
- Nexus 6
- Nexus 6P
- Samsung Galaxy Note Edge
We believe that any Snapdragon-powered Android device with a 3.10-version kernel is potentially at risk of this attack. As mentioned earlier, given that many of these devices are either no longer being patched or never received any patches in the first place, they would essentially be left in an insecure state without any patch forthcoming.
This attack allows an attacker to escalate the privileges of any code that is executed on a target device. However, this scenario still relies on the attacker getting his malicious code onto the device in the first place. Users should be very careful when installing apps from untrusted sources, especially those outside of the Play Store.
We advise Android users to check with the makers of their devices whether an update is available that will fix these flaws.