Pierluigi Paganini October 18, 2019

A researcher has published a proof-of-concept (PoC) exploit code for the CVE-2019-2215 zero-day flaw in Android recently addressed by Google

Earlier October, Google Project Zero researchers Maddie Stone publicly disclosed a zero-day vulnerability, tracked as CVE-2019-2215, in Android.

According to the expert, the bug was allegedly being used or sold by the controversial surveillance firm NSO Group.

Maddie Stone published technical details and a proof-of-concept exploit for the high-severity security vulnerability, seven days after she reported it to the colleagues of the Android security team.

The flaw is a use-after-free vulnerability that affects the Android kernel’s binder driver, it could be exploited by a local privileged attacker or a malicious app to escalate privileges to gain root access to a vulnerable device. Experts warn it could potentially allow to fully compromise the device.

The flaw affects versions of Android kernel released before April last year. This vulnerability was addressed in Dec 2017 in the 4.14 LTS kernel [1], AOSP android 3.18 kernel [2], AOSP android 4.4 kernel [3], and AOSP android 4.9 kernel [4]. The expert pointed out that Pixel 2 with most recent security bulletin is still vulnerable based on source code review.

This means that most of the Android devices available on the market with the unpatched kernel are still vulnerable to this vulnerability, even is the owners have installed the latest Android security updates.

Some of the devices which appear to be vulnerable based on source code review are:

1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) A3
7) Moto Z3
8) Oreo LG phones (run according to )
9) Samsung S7, S8, S9

Maddie Stone explained that the flaw is accessible from inside the Chrome sandbox, the issue is exploitable in Chrome’s renderer processes under Android’s ‘isolated_app’ SELinux domain. This means that a remote attacker could potentially exploit the flaw by chaining it with a Chrome rendering issue

Last week, Google released security patches for Android, the tech giant announced that patches to address the CVE-2019-2215 in Pixel 1 and Pixel 2 devices will be included in the October update.

Now the researchers Grant Hernandez, a PhD candidate at the Florida Institute of Cyber Security at the University of Florida, has publicly disclosed a PoC exploit code for the CVE-2019-2215 vulnerability.

“All I needed to do was compile the exploit and run it over ADB. I downloaded the latest Android NDK and compiled the proof of concept. I ran it on my device and confirmed that I was able to reproduce Maddie Stone’s screenshot exactly.” reads a blog post published by Hernandez.

“The base PoC left us with a full kernel read/write primitive, essentially game over for the systems’ security, but left achieving root as an exercise for the reader,”

The expert explained that an attacker that aims to get a full root shell would need to bypass multiple layers of security defense implemented by Google, including Discretionary Access Control (DAC), Mandatory Access Control (MAC), Linux Capabilities (CAP), SECCOMP, Android Middleware.

Hernandez pointed out that an app accessible kernel exploit allows the attacker to easily bypass or disable all of these layers of defenses.

The expert detailed how to bypass DAC and CAP and how to disable SELinux and SECCOMP. The expert created a one-click rooting application called Qu1ckR00t.

“Once I had a reliable working exploit that I could use over ADB, I decided it would be neat to see the exploit working from an application context. I created Qu1ckR00t (the name is satire) as a one-click rooting application that also YOLO-installs™ Magisk.” concludes the researchers that published the PoC exploit code on GitHub. “There is nothing novel about Qu1ckR00t, but it is cool to get a little taste of a typical iOS jailbreaking flow on Android. Maybe in the future if OEMs like Samsung completely remove OEM Unlock, this kind of rooting method will return to popularity.”

Pierluigi Paganini

(SecurityAffairs – CVE-2019-2215, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]