<--

OnePlus OTA OxygenOS/HydrogenOS Crossover Vulnerability

Aleph Research Advisory

Identifier

Severity

Critical

Products

  1. OnePlus 3T
  2. OnePlus 3
  3. OnePlus 2
  4. OnePlus X
  5. OnePlus One

Vulnerable Version

All OnePlus OxygenOS & HydrogenOS OTAs

Technical Details

Due to lenient updater-script in the OnePlus OTA images (see below), and the fact both ROMs use the same OTA verification keys, attackers can install HydrogenOS over OxygenOS and vice versa, even on locked bootloaders, which allows for exploitation of vulnerabilities patched on one image but not on the other, in addition to expansion of the attack surface. This vulnerability can be exploited by Man-in-the-Middle (MiTM) attackers targeting the update process. This is possible because the update transaction does not occur over TLS (CVE-2016-10370). In addition, physical attackers can reboot the phone into recovery, and then use adb sideload to push the OTA (on OnePlus 3/3T ‘Secure Start-up’ must be off).

updater-script of the OnePlus 3T OxygenOS 4.1.3 OTA:

getprop("ro.display.series") == "OnePlus 3T" || abort("E3004: This package is for \"OnePlus 3T\" devices; this is a \"" + getprop("ro.display.series") + "\".");
show_progress(0.750000, 0);
ui_print("Patching system image unconditionally...");
block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") ||
  abort("E1001: Failed to update system image.");
show_progress(0.050000, 10);
[...]

updater-script of the OnePlus 3T HydrogenOS 3.0.0 OTA:

getprop("ro.display.series") == "OnePlus 3T" || abort("E3004: This package is for \"OnePlus 3T\" devices; this is a \"" + getprop("ro.display.series") + "\".");
show_progress(0.750000, 0);
ui_print("Patching system image unconditionally...");
block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") ||
  abort("E1001: Failed to update system image.");
show_progress(0.050000, 10);
[...]

PoC can be found here.

Timeline

  • 11-May-17
    : Public disclosure.
  • 10-May-17
    : Deadline Extension.
  • 08-May-17
    : CVE-2017-8850 assigned.
  • 08-May-17
    : CVE ID requested.
  • 08-May-17
    : Added as ALEPH-2017020.
  • 26-Apr-17
    : Deadline.
  • 09-Apr-17
    : 14-day Deadline Extension Offered (no reply).
  • 26-Jan-17
    : Reported.

Posts

Credit