How to chain flaws in Lenovo VIBE smartphones to gain root privileges

Researchers from Mandiant found a way to gain root privileges on Lenovo VIBE smartphones by chaining three vulnerabilities.

The Lenovo VIBE smartphones were affected by security vulnerabilities that could allow an attacker with physical access to the device to gain root privileges.

Researchers from Lenovo confirmed that the vulnerabilities could be exploited only on devices that are not protected with a secure lock screen (i.e. PIN, passcode) and flaws affect only Android earlier than 6.0.

Attackers can trigger the issues to elevate privileges to the root user and interfere with the device’s operation.

“Vulnerabilities have been identified on Lenovo VIBE Mobile Phones that allow the user or an attacker with physical possession of a device that is not protected with a secure lock screen, e.g. PIN/Password, to elevate privileges to the root user (commonly known as “rooting” or “jailbreaking” a device) with the ability to modify the device’s operation and functionality in myriad ways.” states the advisory, published by Lenovo.

The advisory reports three flaws that can be chained to compromise a Lenovo device.

1. CVE-2017-3748 – Improper access controls on the nac_server component can be abused in conjunction with CVE-2017-3749 and CVE-2017-3750 to elevate privileges to the root user (commonly known as ‘rooting’ or “jail breaking” a device).

2. CVE-2017-3749 – The Idea Friend Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748 and CVE-2017-3750

3. CVE-2017-3750 – The Lenovo Security Android application allows private data to be backed up and restored via Android Debug Bridge, which allows tampering leading to privilege escalation in conjunction with CVE-2017-3748

The vulnerabilities were found by the Mandiant’s Red Team in May 2016 that reported them to Lenovo.

The flaws were promptly fixed by Motorola that was in charge of Lenovo mobile solutions.

“In May of 2016, Mandiant’s Red Team discovered a series of vulnerabilities present on Lenovo’s Vibe P1 Android-based mobile device that allow local privilege escalation to the user “root”. Mandiant disclosed these vulnerabilities to Lenovo in May of 2016. Lenovo advised Mandiant that it should work with Motorola, who it had acquired and was now responsible for Lenovo’s mobile product portfolio.” states the analysis published by FireEye-Mandiant.

The full list of the affected Lenovo VIBE smartphones was included in the Motorola’s official advisory, Lenovo issued security updates only for 20 out of 40 phone models.

 

Motorola has redesigned the affected mechanism to use a more secure process.

“Allowing backups on privileged applications can also be detrimental and should be disallowed. Just because an application is not running as a privileged Android user ID such as ‘android.uid.system’, does not mean that it cannot introduce vulnerabilities and be used to escalate privileges. Finally, applications should never allow executable code (Java classes, ELF binaries, or shared objects) within backups. This can be limited using a BackupAgent,” Concluded FireEye-Mandiant.

The researchers highlighted that the vulnerabilities in the Lenovo VIBE smartphones are difficult to exploit in a real attack scenario. As usual, let me suggest updating your mobile device.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Lenovo VIBE smartphones, hacking)

[adrotate banner=”13″]