Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Researcher Publishes PoC Exploit for Recent Android Zero-Day

A security researcher has published a proof-of-concept (PoC) exploit for the recently addressed Android zero-day vulnerability that impacts Pixel 2 devices.

A security researcher has published a proof-of-concept (PoC) exploit for the recently addressed Android zero-day vulnerability that impacts Pixel 2 devices.

Tracked as CVE-2019-2215, the existence of this vulnerability was made public at the beginning of October, when Google Project Zero security researcher Maddie Stone revealed that attackers had already been targeting vulnerable devices.

At the time, the researcher also said that the information she had was pointing to an exploit used by Israeli spyware company NSO, which is known for building the infamous iOS malware Pegasus.

The vulnerability had been previously addressed in December 2017 in version 4.14 of the Linux kernel, but a CVE was not assigned at the time. The Android Open Source Project (AOSP) 3.18 kernel, AOSP 4.4 kernel, and AOSP 4.9 kernel also included the patch.

However, fully patched Pixel 1 and Pixel 2 devices, as well as Huawei P20; Xiaomi Redmi 5A, Redmi Note 5, and A1; Oppo A3; Motorola Moto Z3; LG phones running Android 8 Oreo; and Samsung Galaxy S7, S8 and S9 were found to be vulnerable.

Last week, Google released its October 2019 set of security patches for Android, and said at the time that Pixel 1 and Pixel 2 phones will receive a fix for CVE-2019-2215 as part of the October update.

This week, Grant Hernandez, a PhD candidate at the Florida Institute of Cyber Security at the University of Florida, published a blog post containing a working proof-of-concept exploit targeting the vulnerability.

“The base PoC left us with a full kernel read/write primitive, essentially game over for the systems’ security, but left achieving root as an exercise for the reader,” the researcher notes.

Advertisement. Scroll to continue reading.

To get a full root shell, one would need to bypass the multiple layers of enforcement the Android platform features, including Discretionary Access Control (DAC), Mandatory Access Control (MAC), Linux Capabilities (CAP), and Secure Computing Mode (SECCOMP).

“On a modern Android system, this is a significant undertaking without a kernel vulnerability. But with an app accessible kernel exploit, we have the ability to bypass or disable all of these with relative ease,” Hernandez says.

The researcher also published details on how DAC and CAP can be bypassed and how SELinux and SECCOMP can be disabled, essentially providing all of the necessary information on how an attacker could abuse the exploit to achieve root on a vulnerable device.

The necessary code is available on GitHub. Once compiled, it provides users with an application targeting CVE-2019-2215.

Related: Google Patches Remote Code Execution Bugs in Android 10

Related: Zero-Day Used in the Wild Impacts Pixel 2, Other Android Phones

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.