Seebug SSV:93108
Published: May 12, 2017

OnePlus OTA One/X Crossover Vulnerability(CVE-2017-8851)

2017-05-12 00:00:00 | Root | www.seebug.org

EPSS: 0.002 (Low), percentile 56.9%

Products

  • OnePlus X
  • OnePlus One

Vulnerable Version

  • All OnePlus OxygenOS & HydrogenOS OTAs

Technical Details

Because the updater-script in the OnePlus One and OnePlus X OTA images is lenient (see below), both products use the same OTA verification keys, and both report the same ro.build.product system property, attackers can install the OTA of one product over the other, even on locked bootloaders. This could theoretically allow exploitation of vulnerabilities patched on one image but not on the other, and it expands the attack surface. Moreover, the crossover may leave the device unusable until a Factory Reset is performed. The vulnerability can be exploited by Man-in-the-Middle (MiTM) attackers targeting the update process, which is possible because the update transaction does not occur over TLS (CVE-2016-10370). In addition, a physical attacker can reboot the phone into recovery and use adb sideload to push the OTA.

updater-script of the latest OnePlus X OxygenOS OTA:

getprop("ro.build.product") == "OnePlus" || abort("This package is for \"OnePlus\" devices; this is a \"" + getprop("ro.build.product") + "\".");
show_progress(0.750000, 0);
ui_print("Patching system image unconditionally...");
block_image_update("/dev/block/platform/msm_sdcc.1/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat");

updater-script of the OnePlus One OxygenOS OTA:

getprop("ro.build.product") == "OnePlus" || getprop("ro.build.product") == "ONE" || abort("This package is for \"OnePlus\" devices; this is a \"" + getprop("ro.build.product") + "\".");
ifelse(is_mounted("/system"), unmount("/system"));
mount("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "/system", "");
unmount("/system");
show_progress(0.750000, 0);
ui_print("Patching system image unconditionally...");
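The crossover described above, checked mechanically in an added Python example that is not part of the advisory or the linked PoC: it parses the Edify device guard of each updater-script quoted above, evaluates it against constructed property sets for the two devices, and contrasts it with a hypothetical guard keyed on a device-unique property (the ro.product.device codenames are assumed for illustration, not taken from the advisory).

```python
import re

# One Edify guard clause: getprop("<prop>") == "<value>". Clauses are OR-ed
# together and followed by abort(...), so any single match lets the OTA proceed.
GUARD_CLAUSE = re.compile(r'getprop\("([A-Za-z0-9_.]+)"\)\s*==\s*"([^"]*)"')

# Guard lines quoted from the advisory's two updater-scripts (raw strings keep the \" escapes).
X_OTA = r'''getprop("ro.build.product") == "OnePlus" || abort("This package is for \"OnePlus\" devices; this is a \"" + getprop("ro.build.product") + "\".");
show_progress(0.750000, 0);'''
ONE_OTA = r'''getprop("ro.build.product") == "OnePlus" || getprop("ro.build.product") == "ONE" || abort("This package is for \"OnePlus\" devices; this is a \"" + getprop("ro.build.product") + "\".");
show_progress(0.750000, 0);'''

# Constructed device property sets. ro.build.product is "OnePlus" on both (as the advisory
# states); the ro.product.device values are assumed codenames, used only to stand in for a
# property that actually differs between the two products.
ONEPLUS_X = {"ro.build.product": "OnePlus", "ro.product.device": "onyx"}
ONEPLUS_ONE = {"ro.build.product": "OnePlus", "ro.product.device": "bacon"}

# Hypothetical hardened guards keyed on the device-unique property instead.
X_OTA_STRICT = 'getprop("ro.product.device") == "onyx" || abort("wrong device");'
ONE_OTA_STRICT = 'getprop("ro.product.device") == "bacon" || abort("wrong device");'

def accepted_values(updater_script):
    """Map each property named in the guard line to the set of values it accepts."""
    guard_line = next((l for l in updater_script.splitlines() if "abort(" in l), "")
    accepted = {}
    for prop, value in GUARD_CLAUSE.findall(guard_line):
        accepted.setdefault(prop, set()).add(value)
    return accepted

def guard_passes(updater_script, device_props):
    """True if the OTA's guard would let it install on a device with these properties."""
    accepted = accepted_values(updater_script)
    if not accepted:
        return True  # no guard at all: the package installs anywhere
    return any(device_props.get(prop) in values for prop, values in accepted.items())

def crossover_installs(ota_for_a, ota_for_b, props_a, props_b):
    """Report whether each OTA would be accepted by the *other* device."""
    return {"a_ota_on_b": guard_passes(ota_for_a, props_b),
            "b_ota_on_a": guard_passes(ota_for_b, props_a)}

if __name__ == "__main__":
    print("lenient guards:", crossover_installs(X_OTA, ONE_OTA, ONEPLUS_X, ONEPLUS_ONE))
    print("strict guards: ", crossover_installs(X_OTA_STRICT, ONE_OTA_STRICT, ONEPLUS_X, ONEPLUS_ONE))
```

With the advisory's guards both OTAs are accepted by the other device; a guard on a property that differs per product rejects the swap, and because the OTA is signed, a MiTM or sideload attacker cannot loosen that guard without breaking the signature.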

PoC

https://github.com/alephsecurity/research/tree/master/OnePlusOTA

Timeline

  • 11-May-17: Public disclosure.
  • 10-May-17: Deadline Extension.
  • 08-May-17: CVE-2017-8851 assigned.
  • 08-May-17: CVE ID requested.
  • 08-May-17: Added as ALEPH-2017021.
  • 26-Apr-17: Deadline.
  • 09-Apr-17: 14-day Deadline Extension Offered (no reply).
  • 26-Jan-17: Reported.
