Two kind of vulnerabilities, you can make a billion Android phone is to obtain Root permissions-bug warning-the black bar safety net

ID MYHACK58:62201672494
Type myhack58
Reporter 佚名
Modified 2016-03-12T00:00:00


Trend Micro reported that billions of Android device on the discovered vulnerabilities, an attacker by a simple operation to obtain root access. Currently on the market most of the smart devices are using the Qualcomm Snapdragon SoCs system chip, according to the company's official website statistics, there are more than 1 0 million of the devices using the Snapdragon chip. Unfortunately, however, security researchers have found several security vulnerability affects Snapdragon chip, can be attacker to gain access to the device's root privileges. Trend Micro in the discovery of these vulnerabilities after it is submitted to Google, and Google also has been fixed. However, due to the impact range is relatively wide, the mobile field and the networking field are involved, it is inevitable that some users failed to update the patch, so this is to remind users to update vulnerability patches. It is also recommended that Android users download the app must be from legitimate sources, at download. Two security vulnerability affects billions of Android mobile phones CVE-2 0 1 6-0 8 1 9 The vulnerability occurs in the kernel object is released when it is referred to as logic vulnerabilities. Wherein there is a node in before the release has been deleted twice. This will cause the phone in the leaked information and UAF released the memory after use. CVE-2 0 1 6-0 8 0 5 The vulnerability exists in get_krait_evtinfo function. The function returns an array index, however, the output of the function verification is imperfect. So, when krait_clearpmu and krait_evt_setup function to access krait_functions array, it will lead to unauthorized access. Get root access If the Android device is mounted on a Snapdragon chip, as long as the attacker use both the exp will be able to get the device root access. Given that some users haven't updated the patch here does not show the vulnerability of all the details, all the details will be in the 2 0 1 6 years of 5 at the end of the presentation at the Hack In the Box Security Conference. The affected device Affected by CVE-2 0 1 6-0 8 0 5 impact of the system version 4. 4. 4-6. 0. 1, The test found that the affected have only tested part of the phone: the Nexus 5 Nexus 6 Nexus 6P Samsung Galaxy Note Edge Kernel version 3. 1 0 Android devices also affected