<--

OnePlus OTA Downgrade Vulnerability

Aleph Research Advisory

Identifier

Severity

Critical

Products

  1. OnePlus 3T
  2. OnePlus 3
  3. OnePlus 2
  4. OnePlus X
  5. OnePlus One

Vulnerable Version

All OnePlus OxygenOS & HydrogenOS OTAs

Technical Details

OnePlus OxygenOS & HydrogenOS are vulnerable to downgrade attacks. This is due to lenient updater-script in the OnePlus OTAs which does not check that the current version is lower than or equal to the given image’s (see below the 4.0.0 updater-script). Downgrades can occur even on locked bootloaders & without triggering a factory reset, allowing for exploitation of now-patched vulnerabilities with access to user data. This vulnerability can be exploited by a Man-in-the-Middle (MiTM) attacker targeting the update process. This is possible because the update transaction does not occur over TLS. In addition, a physical attacker can reboot the phone into recovery, and then use adb sideload to push the OTA (on OnePlus 3/3T ‘Secure Start-up’ must be off).

getprop("ro.display.series") == "OnePlus 3T" || abort("E3004: This package is for \"OnePlus 3T\" devices; this is a \"" + getprop("ro.display.series") + "\".");
show_progress(0.750000, 0);
ui_print("Patching system image unconditionally...");
block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") ||
  abort("E1001: Failed to update system image.");
show_progress(0.050000, 10);
[...]

PoC can be found here.

Timeline

  • 11-May-17
    : Public disclosure.
  • 10-May-17
    : Deadline Extension.
  • 26-Apr-17
    : Deadline.
  • 09-Apr-17
    : 14-day Deadline Extension Offered (no reply).
  • 01-Mar-17
    : Added as ALEPH-2017008.
  • 10-Feb-17
    : CVE-2017-5948 assigned.
  • 09-Feb-17
    : CVE ID requested.
  • 26-Jan-17
    : Reported.

Posts

Credit