More than 900 million Android devices that use Qualcomm chipsets are exposed to a set of four vulnerabilities called QuadRooter, Check Point security researchers warn.
The four security bugs allow an attacker to trigger privilege escalation exploits to gain root access to vulnerable devices, researchers say. Although QuadRooter affects only smartphones and tablets built using Qualcomm chipsets, the 65% share of the LTE modem baseband market that Qualcomm enjoys at the moment results in an impressively high number of devices being affected.
In fact, Check Point researchers explain that some of the most popular Android-based smartphones are vulnerable because they use Qualcomm chipsets, including the BlackBerry Priv, Blackphone 1 and Blackphone 2, Google Nexus 5X, Nexus 6 and Nexus 6P, HTC One, HTC M9 and HTC 10, LG G4, LG G5, and LG V10, New Moto X by Motorola, OnePlus One, OnePlus 2 and OnePlus 3, Samsung Galaxy S7 and Samsung S7 Edge, and Sony Xperia Z Ultra.
According to Check Point, unique vulnerabilities affect four different modules, but each vulnerability impacts the entire operating system. The affected modules include IPC Router (inter-process communication), Ashmem (Android kernel anonymous shared memory feature), kgsl (Kernel Graphics Support Layer) and kgsl_sync (Kernel Graphics Support Layer Sync).
The ipc_router module was designed to offer inter-process communication for various Qualcomm components, user mode processes, and hardware drivers; Ashmem is Android’s propriety memory allocation subsystem, which enables processes to share memory buffers efficiently; kgsl is a kernel driver (Qualcomm GPU component) that has multiple modules, including kgsl_sync, which is responsible for synchronization between the CPU and apps.
The first of the four bugs is CVE-2016-2059, where the ipc_router kernel module opens an AF_MSM_IPC socket that adds propriety features to the normal IPC functionality. The socket always starts by default as a regular endpoint and an attacker issuing an IOCTL on a regular socket can convert it to a monitoring socket, Check Point researchers note in their vulnerability report (PDF).
The second issue, CVE-2016-5340, affects the modified ashmem system present on devices based on Qualcomm chipsets, and was discovered in the is_ashmem_file function, researchers say. Because the function doesn’t properly check the file type, an attacker can use Obb, a deprecated feature in Android, to create a file named ashmem on top of a file system and then mount their own file system. The attacker can create a file called “ashmem” in the root directory and trick the system into using it as the genuine ashmem file.
The remaining two vulnerabilities are CVE-2016-2503 and CVE-2106-2504, two use after free due to race conditions in KGSL, researchers explain. CVE-2016-2503 was found in the ‘destroy’ function, which can be called simultaneously by two parallel threads, which could make the kernel force a context switch in one thread.
The CVE-2016-2504 vulnerability was found in the kgsl when a module creates an object called kgsl_mem_entry (representing a GPU memory). A user-space process can both allocate and map memory to the GPU, thus creating and destroying a kgsl_mem_entry. The system binds the allocated object to the process, and, because there’s no access protection enforced, an attacker can use another thread to free this object, invoking a use-after-free flaw.
Check Point researchers also explain that these vulnerabilities are found in Qualcomm’s software drivers that are pre-installed on devices, meaning that only the distributor or carrier can patch them, but only after Qualcomm issues fixed driver packs. Qualcomm was informed on these flaws in April and has confirmed that patches have been released for them, the researchers say.
“An attacker can exploit these vulnerabilities using a malicious app. These apps require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing,” the security researchers note.
Over the past few months, Google’s monthly Android patches have included a large number of fixes for vulnerabilities in Qualcomm drivers, after serious vulnerabilities in the company’s software were found to expose user data or to break Android’s full disk encryption. Even so, the vast majority of Android devices don’t have the latest security patches.