The OnePlus OTA Updater fetches the signed OTA image over plain HTTP, without TLS. While the digital signature prevents installation of arbitrary OTAs, the cleartext transport unnecessarily increases the attack surface and allows remote exploitation of other vulnerabilities such as CVE-2017-5948, CVE-2017-8850 & CVE-2017-8851.
OxygenOS & HydrogenOS send the following JSON request to http://otac.h2os.com/post/Query_Update or to http://i.ota.coloros.com/post/Query_Update in order to check if a new OTA is available:
```json
{
"beta": "0",
"imei": "<IMEI>",
"isOnePlus": "1",
"language": "en",
"mobile": "ONEPLUS A3010",
"mode": "0",
"ota_version": "<CURRENT_VERSION>",
"type": "1",
"version": "1"
}
```
For example, on a OnePlus 3T device running OxygenOS 4.1.1 this results in the following response, announcing that a 4.1.3 OTA is available:
```json
{
"active_url": "http://otafsc1.h2os.com/patch/amazone2/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011/OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
"description": "https://otafsc.h2os.com/html/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011_version_EN_1492072442240.html",
"down_url": "http://otafsc.h2os.com/patch/amazone2/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011/OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
"extract": "#OS Version: OnePlus3TOxygen_28_170411\n##WHAT'S NEW\n\\\n\u2022 Upgraded Android 7.1.1 \n\\\n\u2022 Added expanded screenshots \n\\\n\u2022 Improved picture taking of moving objects\n with blur reduction \n\\\n\u2022 Improved video stability when recording\n\\\n\u2022 Improved WiFI connectivity \u00a0\n\\\n\u2022 Improved bluetooth connectivity \n\\\n\u2022 Fixed Instagram swiping bug\n\\\n\u2022 Fixed hardware buttons\u00a0malfunction\u00a0bug\n\\\n\u2022 Increased system stability\n\\\n\u2022 General bug fixes\n [www.oneplus.net](http://www.oneplus.net/)",
"new_version": "OnePlus3TOxygen_28.A.51_GLO_051_1704112011",
"patchFilePath": "/patch/amazone2/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011/OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
"patch_md5": "031507863135b7008c2651ea461d0e9e",
"patch_name": "OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
"patch_size": "1461187808",
"recommend": "100",
"share": "\u8bf7\u7528\u82f1\u8bed\u8bbe\u7f6e\u5206\u4eab\u5185\u5bb9",
"type": "1",
"version_name": "OnePlus3TOxygen_28_1704112011",
"wipe": "0"
}
```
Man-in-the-Middle attackers can therefore spoof this response in order to exploit CVE-2017-5948, CVE-2017-8850 & CVE-2017-8851.
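As an added example (not part of this advisory or of the OnePlus updater), the check a hardened client would run on a Query_Update response before fetching anything: every URL must be HTTPS on an allowlisted host, and the metadata must be well-formed. The host allowlist and the field checks are assumptions; the sample response is a trimmed copy of the one shown above.

```python
import json
import re
from urllib.parse import urlparse

# Fields of the Query_Update response that carry URLs the client will follow.
URL_FIELDS = ("active_url", "description", "down_url")
# Hypothetical allowlist of OTA hosts; the real updater performs no such check.
TRUSTED_HOSTS = {"otafsc.h2os.com", "otafsc1.h2os.com"}

# Constructed sample: the URL and metadata fields of the response shown above
# (the long "extract" text is omitted; it plays no part in the audit).
SAMPLE_RESPONSE = json.dumps({
    "active_url": "http://otafsc1.h2os.com/patch/amazone2/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011/OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
    "description": "https://otafsc.h2os.com/html/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011_version_EN_1492072442240.html",
    "down_url": "http://otafsc.h2os.com/patch/amazone2/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011/OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
    "new_version": "OnePlus3TOxygen_28.A.51_GLO_051_1704112011",
    "patch_md5": "031507863135b7008c2651ea461d0e9e",
    "patch_size": "1461187808",
})


def audit_update_response(raw: str) -> list[str]:
    """Return the reasons an update-check response must not be acted on.

    An empty list means every URL is HTTPS on a trusted host and the metadata
    is well-formed. patch_md5 travels in the same response, so over a cleartext
    channel it is attacker-chosen and proves nothing; only the OTA signature does.
    """
    findings = []
    try:
        resp = json.loads(raw)
    except ValueError as exc:
        return [f"response is not valid JSON: {exc}"]

    for field in URL_FIELDS:
        parsed = urlparse(resp.get(field, ""))
        if parsed.scheme != "https":
            findings.append(f"{field}: not served over TLS ({parsed.scheme or 'no scheme'})")
        if parsed.hostname not in TRUSTED_HOSTS:
            findings.append(f"{field}: host {parsed.hostname!r} not in allowlist")

    if not re.fullmatch(r"[0-9a-f]{32}", resp.get("patch_md5", "")):
        findings.append("patch_md5: not a 32-digit hex string")
    if not str(resp.get("patch_size", "")).isdigit():
        findings.append("patch_size: not a decimal byte count")
    return findings


def is_safe_to_fetch(raw: str) -> bool:
    """True only when the audit raises no finding."""
    return not audit_update_response(raw)


if __name__ == "__main__":
    for finding in audit_update_response(SAMPLE_RESPONSE):
        print(finding)
```

On the sample above the audit reports the two cleartext download URLs and accepts the HTTPS description link, so the response is rejected before any image is fetched.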
A PoC can be found here.