
OnePlus OTA One/X Crossover Vulnerability

Aleph Research Advisory

Identifier

Severity

High

Products

  1. OnePlus X

  2. OnePlus One

Vulnerable Version

All OnePlus OxygenOS & HydrogenOS OTAs

Technical Details

Due to a lenient updater-script in the OnePlus One and OnePlus X OTA images (see below), the fact that both products use the same OTA verification keys, and the fact that both products share the same ro.build.product system property value, an attacker can install the OTA of one product over the other, even on a locked bootloader. That could theoretically allow exploitation of vulnerabilities patched on one image but not on the other, in addition to expanding the attack surface. Moreover, the vulnerability may leave the device unusable until a Factory Reset is performed. This vulnerability can be exploited by Man-in-the-Middle (MiTM) attackers targeting the update process, which is possible because the update transaction does not occur over TLS (CVE-2016-10370). In addition, physical attackers can reboot the phone into recovery and then use adb sideload to push the OTA.

updater-script of the latest OnePlus X OxygenOS OTA:

getprop("ro.build.product") == "OnePlus" || abort("This package is for \"OnePlus\" devices; this is a \"" + getprop("ro.build.product") + "\".");
show_progress(0.750000, 0);
ui_print("Patching system image unconditionally...");
block_image_update("/dev/block/platform/msm_sdcc.1/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat");

updater-script of the OnePlus One OxygenOS OTA:

getprop("ro.build.product") == "OnePlus" || getprop("ro.build.product") == "ONE" || abort("This package is for \"OnePlus\" devices; this is a \"" + getprop("ro.build.product") + "\".");
ifelse(is_mounted("/system"), unmount("/system"));
mount("ext4", "EMMC", "/dev/block/platform/msm_sdcc.1/by-name/system", "/system", "");
unmount("/system");
show_progress(0.750000, 0);
ui_print("Patching system image unconditionally...");
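The following is an added example, not part of the advisory or of OnePlus' own tooling: it parses the Edify product guard shown in the two updater-scripts above and reports, for a constructed fleet, which other devices that guard would accept. Only the script-level check is modelled; the shared signing keys (the other precondition named above) are assumed, and the abort messages are shortened.

```python
import re

# Edify product guard, as in the advisory's updater-scripts:
#   getprop("ro.build.product") == "OnePlus" || ... || abort("...")
# Each equality term is an alternative; abort() only runs if none matches.
_TERM = re.compile(r'getprop\("(?P<prop>[\w.]+)"\)\s*==\s*"(?P<val>[^"]*)"')

# Guard lines taken from the advisory (abort messages shortened, bodies omitted).
ONEPLUS_X_OTA = ('getprop("ro.build.product") == "OnePlus" || '
                 'abort("This package is for \\"OnePlus\\" devices");')
ONEPLUS_ONE_OTA = ('getprop("ro.build.product") == "OnePlus" || '
                   'getprop("ro.build.product") == "ONE" || '
                   'abort("This package is for \\"OnePlus\\" devices");')

# Constructed fleet: the property value each device reports in recovery.
# Both phones reporting "OnePlus" is what the advisory states; "other" is a
# made-up control device with a distinct value.
FLEET = {
    "OnePlus X":   {"ro.build.product": "OnePlus"},
    "OnePlus One": {"ro.build.product": "OnePlus"},
    "other":       {"ro.build.product": "example_other"},
}

def guard_terms(updater_script):
    """Return [(prop, value), ...] alternatives from every abort-guard line."""
    terms = []
    for line in updater_script.splitlines():
        if "abort(" in line:
            terms += [(m.group("prop"), m.group("val"))
                      for m in _TERM.finditer(line)]
    return terms

def passes_guard(updater_script, props):
    """True if the device properties satisfy at least one guard alternative."""
    return any(props.get(p) == v for p, v in guard_terms(updater_script))

def crossover_targets(intended, updater_script, fleet=FLEET):
    """Devices other than the intended one on which this OTA's guard passes."""
    return sorted(name for name, props in fleet.items()
                  if name != intended and passes_guard(updater_script, props))

if __name__ == "__main__":
    for dev, script in (("OnePlus X", ONEPLUS_X_OTA),
                        ("OnePlus One", ONEPLUS_ONE_OTA)):
        print(f"{dev} OTA guard also passes on: {crossover_targets(dev, script)}")
```

A guard keyed on a property that differs between the two products (together with per-product signing keys) would make crossover_targets return an empty list for both OTAs.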

PoC can be found here.

Timeline

  • 11-May-17: Public disclosure.
  • 10-May-17: Deadline Extension.
  • 08-May-17: CVE-2017-8851 assigned.
  • 08-May-17: CVE ID requested.
  • 08-May-17: Added as ALEPH-2017021.
  • 26-Apr-17: Deadline.
  • 09-Apr-17: 14-day Deadline Extension Offered (no reply).
  • 26-Jan-17: Reported.
