seebug, Root, SSV:93106
May 12, 2017

OnePlus OTA Downgrade Vulnerability (CVE-2017-5948)

www.seebug.org

EPSS: 0.001 (Low), percentile 31.1%

Products

  • OnePlus 3T
  • OnePlus 3
  • OnePlus 2
  • OnePlus X
  • OnePlus One

Vulnerable Version

  • All OnePlus OxygenOS & HydrogenOS OTAs

Technical Details

The vulnerability stems from a lenient updater-script in the OnePlus OTAs, which does not check that the current version is lower than or equal to the given image's (see the 4.0.0 updater-script excerpt below). Downgrades can therefore occur even on locked bootloaders and without triggering a factory reset, allowing exploitation of now-patched vulnerabilities with access to user data. This vulnerability can be exploited by a Man-in-the-Middle (MiTM) attacker targeting the update process, which is possible because the update transaction does not occur over TLS. In addition, a physical attacker can reboot the phone into recovery and then use adb sideload to push the OTA (on OnePlus 3/3T, 'Secure Start-up' must be off).

getprop("ro.display.series") == "OnePlus 3T" || abort("E3004: This package is for \"OnePlus 3T\" devices; this is a \"" + getprop("ro.display.series") + "\".");
show_progress(0.750000, 0);
ui_print("Patching system image unconditionally...");
block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") ||
  abort("E1001: Failed to update system image.");
show_progress(0.050000, 10);
[...]
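The missing check is the anti-downgrade assertion that AOSP's OTA generator normally emits at the top of updater-script, comparing the package's build timestamp against the device's ro.build.date.utc. The following Python audit tool is an added example, not part of the advisory or of Aleph Research's PoC: it opens an OTA zip, looks for that assertion, reads post-timestamp from META-INF/com/android/metadata, and reports whether installing the package on a device with a given build timestamp would be a silent downgrade. The sample zips it builds are constructed in memory and are not real OnePlus packages; the file paths and metadata key follow the standard AOSP layout and are assumed to apply.

```python
"""Audit an Android OTA zip for the anti-downgrade assertion.

Added example (not from the advisory or the PoC). Assumes the standard
AOSP package layout: META-INF/com/google/android/updater-script and
META-INF/com/android/metadata carrying a `post-timestamp` key.
"""
import io
import re
import zipfile

UPDATER_SCRIPT = "META-INF/com/google/android/updater-script"
METADATA = "META-INF/com/android/metadata"

# AOSP-generated scripts open with a line of the form:
#   (!less_than_int(<post_ts>, getprop("ro.build.date.utc"))) || abort("...");
# i.e. abort when the package is older than the build already on the device.
ANTI_DOWNGRADE_RE = re.compile(
    r'less_than_int\(\s*(\d+)\s*,\s*getprop\("ro\.build\.date\.utc"\)\s*\)'
)


def parse_metadata(text):
    """Parse the key=value lines of META-INF/com/android/metadata."""
    meta = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            meta[key.strip()] = value.strip()
    return meta


def audit_ota(zip_bytes, device_build_utc):
    """Report whether the package guards against downgrades and whether
    applying it to a device built at device_build_utc would be one."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        script = z.read(UPDATER_SCRIPT).decode()
        meta = parse_metadata(z.read(METADATA).decode())
    match = ANTI_DOWNGRADE_RE.search(script)
    post_ts = int(meta.get("post-timestamp", "0"))
    is_downgrade = post_ts < device_build_utc
    return {
        "has_anti_downgrade_assert": match is not None,
        "package_timestamp": post_ts,
        "is_downgrade": is_downgrade,
        # A lenient script (as in the advisory) installs even when this is True.
        "would_install_downgrade": is_downgrade and match is None,
    }


def build_sample_ota(post_ts, with_assert):
    """Construct an in-memory OTA zip (constructed sample, not a real package)."""
    lines = []
    if with_assert:
        lines.append(
            f'(!less_than_int({post_ts}, getprop("ro.build.date.utc"))) || '
            'abort("E3003: Cannot install this package over a newer build.");'
        )
    lines.append('ui_print("Patching system image unconditionally...");')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(UPDATER_SCRIPT, "\n".join(lines) + "\n")
        z.writestr(METADATA, f"post-build=sample/build\npost-timestamp={post_ts}\n")
    return buf.getvalue()


if __name__ == "__main__":
    device_utc = 1480000000          # constructed device build timestamp
    older_package_ts = 1470000000    # constructed, older than the device build
    print("lenient:", audit_ota(build_sample_ota(older_package_ts, False), device_utc))
    print("guarded:", audit_ota(build_sample_ota(older_package_ts, True), device_utc))
```

Run it against a real OTA by passing the zip's bytes and the device's `getprop ro.build.date.utc` value to audit_ota; a package that reports would_install_downgrade=True for a device build newer than its own is exactly the lenient case described above.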

PoC

https://github.com/alephsecurity/research/tree/master/OnePlusOTA

Timeline

  • 11-May-17: Public disclosure.
  • 10-May-17: Deadline Extension.
  • 26-Apr-17: Deadline.
  • 09-Apr-17: 14-day Deadline Extension Offered (no reply).
  • 01-Mar-17: Added as ALEPH-2017008.
  • 10-Feb-17: CVE-2017-5948 assigned.
  • 09-Feb-17: CVE ID requested.
  • 26-Jan-17: Reported.
