Owning a locked OnePlus 3/3T: bootloader vulnerabilities - vulnerability alert - 黑吧安全网 (myhack58)

ID MYHACK58:62201783357
Type myhack58
Reporter Anonymous
Modified 2017-02-13T00:00:00


In this article I disclose two vulnerabilities in the OnePlus 3/3T bootloader. The first, CVE-2017-5626, is a high-severity vulnerability affecting OxygenOS 3.2 to 4.0.1 (4.0.2 is patched). It allows a physical adversary, or one with ADB/fastboot access, to bypass the bootloader lock state even when Allow OEM Unlocking is disabled, with no user confirmation and without triggering the factory reset. It gives kernel code execution at boot, with only the 5-second warning shown during boot. The second, CVE-2017-5624, affects all OxygenOS versions to date and allows an attacker to disable dm-verity. Combined, these vulnerabilities give a powerful attack: persistent, highly privileged code execution with no warning issued to the user, and access to the original user's data once the victim enters their credentials.

OnePlus Security acknowledged both vulnerabilities. CVE-2017-5626 was disclosed on January 23; it was also independently discovered by OnePlus engineers. CVE-2017-5624 was disclosed on January 16 and may be fixed in a future OxygenOS version; the reason for disclosing it today is that someone already announced it on January 24.

Disclaimer: I only tested a OnePlus 3, but the OnePlus 3T also contains the vulnerabilities.

Bypassing the bootloader lock (CVE-2017-5626)

A OnePlus 3 or 3T running OxygenOS 3.2 - 4.0.1 has two dedicated fastboot oem commands:

1. fastboot oem 4F500301 - bypasses the bootloader lock: it allows unlocking over fastboot while ignoring the OEM Unlocking setting, with no user confirmation and no user data erase (which normally follows an unlock). In addition, after this command is run the device still reports that it is locked.
2. fastboot oem 4F500302 - resets various bootloader settings. For example, it will lock an unlocked bootloader without user confirmation.
Analysis of the bootloader binary shows that the handler for the 4F500301 command is very simple (decompiler output; the `*` pointer markers lost in extraction are restored):

```c
// 'oem 4F500301' handler
int sub_918427F0()
{
  magicFlag_dword_91989C10 = 1;
  if ( dword_9198D804 != dword_9198D804 )
    assert(1, dword_9198D804, dword_9198D804);
  return sendOK((int)"", dword_9198D804);
}
```

So it sets a global flag at 0x91989C10, which we will call magicFlag. Looking at how the flash/erase fastboot commands are handled, we can clearly see that after several checks, magicFlag overrides the device lock state when flashing or erasing a partition:

```c
// 'flash' handler
const char *__fastcall sub_91847EEC(char *partitionName, int a2, int a3)
{
  char *pname; // r5@1
  ...
  pname = partitionName;
  v4 = a2;
  v5 = a3;
  if ( returnTRUE1(partitionName, (int)a2) )
  {
    result = (const char *)sub_918428F0(pname, v6);
    if ( (result || magicFlag_dword_91989C10)
      && ((result = (const char *)sub_91842880(pname, v10)) != 0 || magicFlag_dword_91989C10) )
    {
      result = (const char *)sub_918428F0(pname, v10);
      if ( !result || magicFlag_dword_91989C10 )
        goto LABEL_7;
      v8 = dword_9198D804;
      if ( dword_9198D804 != dword_9198D804 )
        goto LABEL_28;
      v11 = "Critical partition flashing is not allowed";
    }
    else
    {
      v8 = dword_9198D804;
      if ( dword_9198D804 != dword_9198D804 )
        goto LABEL_28;
      v11 = "Partition flashing is not allowed";
    }
    return (const char *)FAIL2((int)v11, v10);
  }
LABEL_7:
  ...
    if ( v4 != 0xED26FF3A )
    {
      if ( v4 == 0xCE1AD63C )
        cmd_flash_meta_img(pname, (unsigned int)v4, v5);
      else
        cmd_flash_mmc_img(pname, (int)v4, v5);
      goto LABEL_10;
    }
    v7 = v4;
  }
  cmd_flash_mmc_sparse_img(pname, (int)v7, v5);
  ...
}

// 'erase' handler
int __fastcall sub_91847118(char *partitionName, int a2, int a3)
{
  ...
  v3 = partitionName;
  v4 = returnTRUE1(partitionName, a2);
  if ( !v4 )
  {
LABEL_7:
    ...
    if ( v4 )
    {
      if ( dword_9198D804 == dword_9198D804 )
        return eraseParition(v3);
    }
    ...
  }
  v4 = sub_918428F0(v3, v5);
  if ( !v4 && !magicFlag_dword_91989C10 )
  {
    v6 = dword_9198D804;
    if ( dword_9198D804 == dword_9198D804 )
    {
      v7 = "Partition erase is not allowed";
      return FAIL2((int)v7, v5);
    }
    goto LABEL_23;
  }
  v4 = sub_91842880(v3, v5);
  if ( !v4 && !magicFlag_dword_91989C10 )
```
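To make the decision path in those handlers concrete, here is an added C model (written for this page; it is not OnePlus code, and the struct, the function names and the critical-partition list are assumptions) of the vulnerable lock check beside a hardened one: in the vulnerable path a single global flag short-circuits every check while the reported lock state stays "locked", whereas the hardened path has no such flag, and the only way to change the lock state honours Allow OEM Unlocking and wipes userdata.

```c
#include <stdbool.h>
#include <string.h>

/* Added model of the bootloader lock checks (not OnePlus code; field and
 * function names and the critical-partition list are assumptions). */
typedef struct {
    bool unlocked;          /* persisted lock state, what the device reports */
    bool allow_oem_unlock;  /* the Android "Allow OEM unlocking" toggle */
    bool magic_flag;        /* global set by 'oem 4F500301' (magicFlag above) */
    bool userdata_wiped;    /* set when an unlock triggers the factory reset */
} bl_state;

static bool is_critical(const char *name) {
    static const char *critical[] = { "aboot", "sbl1", "tz", "rpm" }; /* assumed list */
    for (size_t i = 0; i < sizeof critical / sizeof *critical; i++)
        if (strcmp(name, critical[i]) == 0) return true;
    return false;
}

/* What the device would answer to a lock-state query; both models share it. */
const char *reported_lock_state(const bl_state *s) { return s->unlocked ? "yes" : "no"; }

/* Vulnerable path, modelled on sub_918427F0 / sub_91847EEC: the flag bypasses
 * the lock check and the critical-partition check but never touches 'unlocked'. */
void oem_bypass_vulnerable(bl_state *s) { s->magic_flag = true; }

bool flash_allowed_vulnerable(const bl_state *s, const char *partition) {
    if (!s->unlocked && !s->magic_flag) return false;          /* "Partition flashing is not allowed" */
    if (is_critical(partition) && !s->magic_flag) return false; /* "Critical partition flashing ..." */
    return true;
}

/* Hardened path: no bypass flag exists. Unlocking is the only way to change
 * the lock state; it requires the user's consent and it wipes userdata. */
bool oem_unlock_fixed(bl_state *s) {
    if (!s->allow_oem_unlock) return false;  /* user never opted in */
    s->unlocked = true;
    s->userdata_wiped = true;                /* the factory reset that protects the owner's data */
    return true;
}

bool flash_allowed_fixed(const bl_state *s, const char *partition) {
    if (!s->unlocked) return false;
    return !is_critical(partition);          /* critical partitions stay blocked in this model */
}
```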
