A detailed analysis of two critical vulnerabilities impacting Android devices powered by Qualcomm chips has been published.
The two security flaws, tracked as CVE-2019-14040 and CVE-2019-14041, affected all Android devices with Qualcomm chipsets and could be exploited to give a malicious application full root capabilities.
Zimperium’s zLabs research team originally reported the security issues to Qualcomm on July 31, 2019. A proof-of-concept (PoC) was sent to the US chip giant on August 4, and a month later, Qualcomm sent patches to Android vendors.
After vendors were given enough time to deploy the security fix to customers, a February security bulletin was published by Qualcomm.
Now fixes have been made readily available, Zimperium has released PoC code to GitHub (1, 2) and has given us an insight into the kernel vulnerabilities.
In the Android environment, a driver exists called QTI Secure Execution Environment Communicator (QSEECOM), which manages processes that need to communicate with the TrustZone.
The first vulnerability, CVE-2019-14041, is a race condition problem steeming from a buffer update function that is sent to the TrustZone with pointers.
An API exposed by QSEECOM is made up of ioctls calls to the /dev/qseecom device. In order to prevent duplication, the buffer update function can be reached via two completely different ioctls and behaves differently in each scenario. While doing so, the function checks data->type, and simply by querying this call, it was possible to corrupt memory.
The second vulnerability, CVE-2019-14040, is a use-after-free flaw in kernel memory mapping. Zimperium says the ION mechanism — used in mapping — “allows user-space processes to allocate memory out of special heaps which behave differently than other regular memory,” and as a result, it is not only user-space processes that can map or read/write memory space.
Instead, the same function that could be abused through the previous security flaw can also be used to ensure the kernel can also modify the same information.
When an allocated ION buffer is referenced, some parameters including handles are saved. While requests are checked before proceeding, the team found that it was possible to extend the length of a request to the point that it was possible to bypass standard validity checks and compromise kernel mapping and code execution.
The researchers say that when combined with an attack chain of other vulnerabilities — CVE-2017-13253, CVE-2018-9411 and CVE-2018-9539 — malicious apps can also seize root powers, leading to a range of attacks including sensitive data and credential theft, the deployment of additional malware, and surveillance including eavesdropping on private calls and taking control of a handset’s camera and microphone.
“These vulnerabilities could allow an attacker to reach full root/kernel privileges,” zLabs says. “Especially the use after free, as that one is way more reliable than the race condition. In theory, it could be possible for a completely unprivileged attacker to create a chain out of these vulnerabilities in order to achieve complete root privileges.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0