Kernel vulnerabilities in Android devices using Qualcomm chips explored

Updated: The security flaws that allowed attackers to achieve root capabilities on handsets have now been described in detail.

Open-source security: More vulnerabilities are being found than ever before
1:09

A detailed analysis of two critical vulnerabilities impacting Android devices powered by Qualcomm chips has been published.

The two security flaws, tracked as CVE-2019-14040 and CVE-2019-14041, affected all Android devices with Qualcomm chipsets and could be exploited to give a malicious application full root capabilities. 

Zimperium's zLabs research team originally reported the security issues to Qualcomm on July 31, 2019. A proof-of-concept (PoC) was sent to the US chip giant on August 4, and a month later, Qualcomm sent patches to Android vendors. 

After vendors were given enough time to deploy the security fix to customers, a February security bulletin was published by Qualcomm. 

See also: Zoom security: Your meetings will be safe and secure if you do these 10 things

Now fixes have been made readily available, Zimperium has released PoC code to GitHub (1, 2) and has given us an insight into the kernel vulnerabilities. 

In the Android environment, a driver exists called QTI Secure Execution Environment Communicator (QSEECOM), which manages processes that need to communicate with the TrustZone. 

The first vulnerability, CVE-2019-14041, is a race condition problem steeming from a buffer update function that is sent to the TrustZone with pointers. 

An API exposed by QSEECOM is made up of ioctls calls to the /dev/qseecom device. In order to prevent duplication, the buffer update function can be reached via two completely different ioctls and behaves differently in each scenario. While doing so, the function checks data->type, and simply by querying this call, it was possible to corrupt memory. 

The second vulnerability, CVE-2019-14040, is a use-after-free flaw in kernel memory mapping. Zimperium says the ION mechanism -- used in mapping -- "allows user-space processes to allocate memory out of special heaps which behave differently than other regular memory," and as a result, it is not only user-space processes that can map or read/write memory space. 

Instead, the same function that could be abused through the previous security flaw can also be used to ensure the kernel can also modify the same information. 

TechRepublic: Scammers exploit coronavirus for Business Email Compromise campaigns

When an allocated ION buffer is referenced, some parameters including handles are saved. While requests are checked before proceeding, the team found that it was possible to extend the length of a request to the point that it was possible to bypass standard validity checks and compromise kernel mapping and code execution. 

The researchers say that when combined with an attack chain of other vulnerabilities -- CVE-2017-13253, CVE-2018-9411 and CVE-2018-9539 -- malicious apps can also seize root powers, leading to a range of attacks including sensitive data and credential theft, the deployment of additional malware, and surveillance including eavesdropping on private calls and taking control of a handset's camera and microphone. 

CNET: Zoom: Hackers reportedly put $500K price tag on latest security exploit

"These vulnerabilities could allow an attacker to reach full root/kernel privileges," zLabs says. "Especially the use after free, as that one is way more reliable than the race condition. In theory, it could be possible for a completely unprivileged attacker to create a chain out of these vulnerabilities in order to achieve complete root privileges."

Update 16.31 GMT: A Qualcomm spokesperson told ZDNet:

"Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the research published by Zimperium, we issued fixes to OEMs in November 2019 and have seen no evidence of exploitation. We commend the security researchers for using industry-standard coordinated disclosure practices, and we encourage end users to update their devices as patches become available from OEMs."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0