mercredi 11 janvier 2017

OnePlus 3/3T Bootloader Vulnerability Allows Changing of SELinux to Permissive Mode in Fastboot

The OnePlus 3 and the OnePlus 3T are among the best phones you could purchase right now. The flagships of 2017 are yet to be revealed to the market and consumers, and in their absence, the OnePlus 3/3T dominate real world performance at an affordable price segment.

But, if we are to be fair in assessing the device, we need to acknowledge that despite OnePlus's best efforts, the OnePlus 3/3T are not without faults. Even on the software end, we've reported on security issues like OnePlus leaking IMEI details when you check for updates on your phone. And now, we have another serious addition to the list, one with vastly more dangerous ramifications.

A vulnerability in the bootloader of the OnePlus 3/3T opens up doors to malicious attacks. As found by Roee Hay of the IBM X-Force Application Security Research Team and revealed on the IBM X-Force Exchange platform, this vulnerability allows an attacker to manipulate the SELinux state on the devices, toggling it to permissive mode. All that the attacker needs is either physical access to the device, or remote access to an ADB connection to the device.

SELinux, or Security-Enhanced Linux is a linux kernel security module, allows for access and management of security policies on systems. SELinux was introduced in Android 4.3, and was set into Enforcing mode as default since Android 4.4. This mandatory access control system helps enforce the existing access control rights, and attempts to prevent privilege escalation attacks. This acts as a hurdle for unauthorized control over your device, such as an app or vulnerability aiming to get root access maliciously on your device without your knowledge. Setting it to Enforcing by default across Android as an OS serves as the first step to protect normal users from such attacks.

The vulnerability is rather straightforward to exploit — in fact, it looks to be a huge oversight rather than exploit. First, an attacker reboots the OnePlus 3/3T into 'fastboot' mode — if you have physical access, simply press Volume-Up button during device boot, and if you don't, you can issue the ADB command adb reboot bootloader to the device. The fastboot mode on the device exposes a USB interface, which should not allow any security sensitive operation to complete on locked devices. But on the OnePlus 3/3T, simply issuing the fastboot oem selinux permissive command through the fastboot interface toggles the SELinux mode from Enforcing to Permissive.

  fastboot oem selinux permissive  ...  OKAY [  0.045s]  finished. total time: 0.047s    ....    OnePlus3:/ $ getenforce  Permissive  OnePlus3:/ $    

To further complicate the problem, the OnePlus 3 and 3T do not possess any entry in the 'About Screen' to mention the current SELinux state of the device. A victim will continue to remain oblivious to the compromised state of his device if he had no knowledge of such compromise ever occurring. The lack of SELinux state entry in the 'About Screen' is missing from both the Android 6.0 based Open Beta releases, as well as Android 7.0 official ROMs.

screenshot_20170111-090435 screenshot_20170111-090437 screenshot_20170111-090448 screenshot_20170111-090444

Several apps exist to toggle SELinux state to Permissive, like the SELinux Mode Change app. This change exists only across soft reboots. You can utilize scripts to maintain the Permissive state across hard reboots. Both of these methods require root access, which implies that the user has knowledge of the risks he is exposed to. But the change to Permissive using the above vulnerability not only persists across hard reboots, it does so without needing root access.

No remedies exist against the vulnerability as of January 2017.

We hope OnePlus publicly acknowledges the serious issue and is transparent in their plans towards fixing it.



from xda-developers http://ift.tt/2jE9001
via IFTTT

Aucun commentaire:

Enregistrer un commentaire