OnePlus 3/3T OxygenOS SELinux Security Bypass

Aleph Research Advisory

Identifier

CVE-2017-5554

Severity

High

Products

OnePlus 3T
OnePlus 3

Vulnerable Version

OxygenOS prior to 4.0.2

Technical Details

The attacker can reboot a OnePlus 3/3T device into the fastboot mode, which could be done without any authentication. A physical attacker can press the “Volume Up” button during device boot, where an attacker with ADB access can issue the adb reboot bootloader command. Then, the attacker can put the platform’s SELinux in permissive mode, which severely weakens it, by issuing:

fastboot oem selinux permissive
...
OKAY [  0.045s]
finished. total time: 0.047s

....

OnePlus3:/ $ getenforce
Permissive
OnePlus3:/ $

Timeline

01-Mar-17
: Added as ALEPH-2017001.
22-Jan-17
: CVE-2017-5554 assigned.
18-Jan-17
: CVE ID requested.
11-Jan-17
: Public disclosure.

Credit

Roee Hay (@roeehay) of Aleph Research, HCL Technologies

External References

securityresear.ch