Vulnerabilities
Author: retme  Published: May 24, 2016
This page shows the vulns I've found in the kernel and TEE of Android.
Well... This page does NOT show all the bugs I've found before. I'm not a fan of bug reporting these years. I'll always keep some exploitable bugs private.
CVE-2015-4421
The tzdriver module of the Huawei Mate 7 smartphone has an input check error, which allows a user-mode application to modify kernel-mode memory data and possibly crash the system or elevate the application's privilege. (Vulnerability ID: HWPSIRT-2015-03011)
CVE-2015-4422
The TEEOS module of the Huawei Mate 7 smartphone, which is used to implement fingerprint identification, has an input check error, which enables an attacker with root permission to modify kernel-mode memory data of the TEEOS module. This could crash the system, tamper with TEEOS, or lead to malicious code execution. (Vulnerability ID: HWPSIRT-2015-03012)
- Bulletin: http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-432799.htm
- Black Hat USA 2015 Slides: https://www.blackhat.com/docs/us-15/materials/us-15-Shen-Attacking-Your-Trusted-Core-Exploiting-Trustzone-On-Android.pdf
CVE-2016-2468
OOB write in Qualcomm MSM GPU driver.
- Bulletin: https://source.android.com/security/bulletin/2016-06-01.html#acknowledgements
- Patch: https://android.googlesource.com/kernel/msm/+/fb17eb73640b869ed4920791af1dfd680026fd49%5E%21/#F0
- Disclosure: http://retme.net/index.php/2016/06/12/CVE-2016-2468.html
CVE-2016-3762
Untrusted apps can no longer create AF_MSM_IPC or other undefined sockets...
- Bulletin: https://source.android.com/security/bulletin/2016-07-01.html#acknowledgements
- Patch: https://android.googlesource.com/platform/external/sepolicy/+/abf0663ed884af7bc880a05e9529e6671eb58f39
CVE-2016-3842
Use-after-free vulnerability in Qualcomm MSM GPU driver.
- Disclosure: http://retme.net/index.php/2016/08/11/cve-2016-3842.html
- Patch: https://android.googlesource.com/kernel/msm/+/973f4134d9deb396415846f902848f0a32cb4cfa
CVE-2016-6776
CVE-2016-6787
Use-after-free vulnerability in the perf subsystem which affected all Android devices. A fully working rooting exploit has been worked out.
- Bulletin: https://source.android.com/security/bulletin/2016-12-01.html#acknowledgements
- UPSTREAM patch: https://android.googlesource.com/kernel/msm/+/5b87e00be9ca28ea32cab49b92c0386e4a91f730
- EXPLOIT demo: https://twitter.com/vangelis_at_POC/status/748728249295867904
- EXPLOIT explanation: https://speakerdeck.com/retme7/the-art-of-exploiting-unconventional-use-after-free-bugs-in-android-kernel
CVE-2016-8412
CVE-2016-8427
CVE-2016-8444
CVE-2017-0403
Use-after-free vulnerability in the perf subsystem which affected all Android devices. A fully working rooting exploit has been worked out.
- Bulletin: https://source.android.com/security/bulletin/2017-01-01.html#acknowledgements
- EXPLOIT explanation: https://speakerdeck.com/retme7/the-art-of-exploiting-unconventional-use-after-free-bugs-in-android-kernel
CVE-2017-0427
CVE-2017-0334
CVE-2017-0456
CVE-2017-0457
CVE-2017-0525
- Bulletin: https://source.android.com/security/bulletin/2017-03-01.html
- Description: Worthless.
CVE-2016-10287
- Bulletin: https://source.android.com/security/bulletin/2017-05-01
- Description: Worthless.
CVE-2017-8265
- Bulletin: https://source.android.com/security/bulletin/2017-07-01
- Description: Worthless.
CVE-2017-15316
- Bulletin: https://www.huawei.com/uk/psirt/security-advisories/2017/huawei-sa-20171201-01-smartphone-en
- Description: Exploitable double free in the Mali driver. Used in Mobile Pwn2Own '17.
- EXPLOIT demo: https://www.youtube.com/watch?v=UMrNQ1bnEBA
- EXPLOIT explanation: TBD
CVE-2019-2298
- Bulletin: https://source.android.com/security/bulletin/pixel/2019-09-01
- Description: Worthless.
CVE-2019-16508
- Details: https://www.cvedetails.com/cve/CVE-2019-16508/
- Description: Exploitable on Chrome OS. Part of our Chrome Pwnium exploit chain.
- SLIDES