
OnePlus 3/3T OxygenOS Charger Boot Mode ADB Access

Aleph Research Advisory

Identifier

Severity

Critical

Products

  1. OnePlus 3T

  2. OnePlus 3

Vulnerable Version

OxygenOS 4.0.2 and below.

Mitigation

Upgrade to OxygenOS 4.0.3 or later.

Technical Details

When a charger is connected to a powered-off OnePlus 3/3T device, the platform starts adbd with ADB authorization disabled. Consequently, a malicious charger or an attacker with physical access can open an ADB session with the device without any authorization, and use it to exploit further vulnerabilities and/or exfiltrate information from the device. For example, the malicious charger can reboot the device into bootloader mode (fastboot) in order to exploit fastboot-related vulnerabilities, as detailed in the blog post.

The following video presents how a ‘charger’ can exploit CVE-2017-5622 & CVE-2017-5626 to gain a root shell, put SELinux into permissive mode, and even execute kernel code:

The following video shows how a ‘charger’ exploits CVE-2017-5622, CVE-2017-5624 & CVE-2017-5626 to replace the system partition in order to install a privileged app. Please note that once the replacement is complete, the victim has no indication that the device has been tampered with:
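A verification script a device owner can run after applying the mitigation, added here as an example and not part of the original advisory: with the phone powered off and cabled to the host, it reports whether adbd accepted the session in charger boot mode without authorization. It assumes the standard Android properties ro.bootmode and ro.adb.secure and the adb host tool; the classification logic is the editor's own.

```shell
#!/bin/sh
# Parse `adb devices` output from stdin into "serial state" pairs, skipping
# the header line. The state is "device" when adbd accepted the session and
# "unauthorized" when it is still waiting for the host key to be approved.
parse_adb_devices() {
  awk 'NR > 1 && NF >= 2 { print $1, $2 }'
}

# Decide whether an observed session matches the advisory's condition:
# adbd reachable in charger boot mode while ro.adb.secure is not enforced.
# Arguments: <adb state> <ro.bootmode> <ro.adb.secure>
assess_charger_boot() {
  state=$1; bootmode=$2; adb_secure=$3
  if [ "$state" = "device" ] && [ "$bootmode" = "charger" ] && [ "$adb_secure" != "1" ]; then
    echo "AFFECTED: adbd accepted the session in charger mode without authorization"
  elif [ "$state" = "device" ] && [ "$bootmode" = "charger" ]; then
    echo "CHECK: charger-mode session accepted, but this host key may already be trusted"
  elif [ "$state" = "unauthorized" ]; then
    echo "OK: adbd is enforcing authorization"
  else
    echo "OK: no charger-mode ADB session observed"
  fi
}

# Live check against whatever is attached. Assumes the phone is powered off
# and cabled to this host, which plays the role of the "charger". Skips
# quietly when adb is not installed so the functions above remain usable.
check_attached_devices() {
  command -v adb >/dev/null 2>&1 || { echo "adb not on PATH; live check skipped"; return 0; }
  adb devices | parse_adb_devices | while read -r serial state; do
    # getprop only answers once the session is authorized; otherwise these stay empty
    bootmode=$(adb -s "$serial" shell getprop ro.bootmode 2>/dev/null | tr -d '\r')
    secure=$(adb -s "$serial" shell getprop ro.adb.secure 2>/dev/null | tr -d '\r')
    printf '%s: ' "$serial"
    assess_charger_boot "$state" "$bootmode" "$secure"
  done
}

# Run the live check only when explicitly asked: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
  check_attached_devices
fi
```

On a patched device (OxygenOS 4.0.3 or later) the expected outcome is the "OK: adbd is enforcing authorization" line for the attached serial.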

Timeline

Posts

Credit