
OnePlus OTA Lack of TLS Vulnerability

Aleph Research Advisory

Identifier

CVE-2016-10370 (ALEPH-2017022)
Severity

High

Summary

The OnePlus OTA Updater retrieves the signed OTA image over plain HTTP, without TLS. Because the image is digitally signed, this does not by itself allow installation of arbitrary OTAs, but it needlessly enlarges the attack surface and allows remote exploitation of other vulnerabilities such as CVE-2017-5948, CVE-2017-8850 and CVE-2017-8851.

Technical Details

OxygenOS & HydrogenOS send the following JSON request to http://otac.h2os.com/post/Query_Update or to http://i.ota.coloros.com/post/Query_Update in order to check if a new OTA is available:

{
    "beta": "0",
    "imei": "<IMEI>",
    "isOnePlus": "1",
    "language": "en",
    "mobile": "ONEPLUS A3010",
    "mode": "0",
    "ota_version": "<CURRENT_VERSION>",
    "type": "1",
    "version": "1"
}

For example, on a OnePlus 3T device running OxygenOS 4.1.1 this results in the following response, announcing that a 4.1.3 OTA is available:

{
    "active_url": "http://otafsc1.h2os.com/patch/amazone2/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011/OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
    "description": "https://otafsc.h2os.com/html/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011_version_EN_1492072442240.html",
    "down_url": "http://otafsc.h2os.com/patch/amazone2/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011/OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
    "extract": "#OS Version: OnePlus3TOxygen_28_170411\n##WHAT'S NEW\n\\\n\u2022 Upgraded Android 7.1.1 \n\\\n\u2022 Added expanded screenshots \n\\\n\u2022 Improved picture taking of moving objects\n  with blur reduction \n\\\n\u2022 Improved video stability when recording\n\\\n\u2022 Improved WiFI connectivity \u00a0\n\\\n\u2022 Improved bluetooth connectivity \n\\\n\u2022 Fixed Instagram swiping bug\n\\\n\u2022 Fixed hardware buttons\u00a0malfunction\u00a0bug\n\\\n\u2022 Increased system stability\n\\\n\u2022 General bug fixes\n  [www.oneplus.net](http://www.oneplus.net/)",
    "new_version": "OnePlus3TOxygen_28.A.51_GLO_051_1704112011",
    "patchFilePath": "/patch/amazone2/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011/OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
    "patch_md5": "031507863135b7008c2651ea461d0e9e",
    "patch_name": "OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
    "patch_size": "1461187808",
    "recommend": "100",
    "share": "\u8bf7\u7528\u82f1\u8bed\u8bbe\u7f6e\u5206\u4eab\u5185\u5bb9",
    "type": "1",
    "version_name": "OnePlus3TOxygen_28_1704112011",
    "wipe": "0"
}

A man-in-the-middle attacker on the network path can therefore spoof this response (including down_url and patch_md5, which travel over the same plaintext channel) in order to exploit CVE-2017-5948, CVE-2017-8850 & CVE-2017-8851.

PoC can be found here.
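As an added illustration (not part of the original advisory or of the OnePlus client), the following Python checker parses a Query_Update response like the one above and reports which parts of the update decision an on-path attacker controls. The sample response is a trimmed copy of the values shown above; the function names and the transport_tls flag are assumptions for this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the URL and digest fields of the Query_Update response
# shown above (the long "extract" text and cosmetic fields are omitted).
SAMPLE_RESPONSE = json.dumps({
    "active_url": "http://otafsc1.h2os.com/patch/amazone2/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011/OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
    "description": "https://otafsc.h2os.com/html/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011_version_EN_1492072442240.html",
    "down_url": "http://otafsc.h2os.com/patch/amazone2/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011/OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
    "new_version": "OnePlus3TOxygen_28.A.51_GLO_051_1704112011",
    "patch_md5": "031507863135b7008c2651ea461d0e9e",
    "patch_size": "1461187808",
})

# Response fields that carry a URL the client will follow.
URL_FIELDS = ("active_url", "down_url", "description")


def plaintext_fields(resp):
    """Return the URL-bearing fields whose scheme is not https."""
    return [f for f in URL_FIELDS
            if f in resp and urlparse(resp[f]).scheme.lower() != "https"]


def audit(resp_json, transport_tls):
    """Summarise the trust properties of one update check.

    transport_tls: whether the Query_Update request/response itself went
    over TLS. For the endpoints in this advisory it is False.
    """
    resp = json.loads(resp_json)
    weak = plaintext_fields(resp)
    return {
        # Fields an on-path attacker can rewrite to redirect the download.
        "plaintext_url_fields": weak,
        # The request carries the IMEI; without TLS it is readable in transit.
        "imei_exposed": not transport_tls,
        # patch_md5 arrives inside the same response, so it is only an
        # integrity anchor when the response itself was authenticated.
        "md5_authenticated": transport_tls,
        # Hardened client policy: accept the download only when both the
        # update check and the download URL use TLS.
        "download_acceptable": transport_tls and not weak,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RESPONSE, transport_tls=False), indent=2))
```

Signature verification of the OTA zip is a separate, later step; this check only captures what the plaintext update channel leaves unprotected.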

Timeline

  • 11-May-17: Public disclosure.
  • 10-May-17: Deadline extension.
  • 08-May-17: CVE-2016-10370 assigned.
  • 08-May-17: CVE ID requested.
  • 08-May-17: Added as ALEPH-2017022.
  • 26-Apr-17: Deadline.
  • 09-Apr-17: 14-day deadline extension offered (no reply).
  • 26-Jan-17: Reported.
