Follow Zuk Avraham (@ihackbanme)
Follow Nicolas Trippar (@ntrippar)
Following our announcement on the N-Days Exploit Acquisition Program for smartphones, we are delighted to share the first couple of submissions. We received many submissions and we’re in the process of sharing them with ZHA, followed by a public disclosure. We plan to release additional EOPs, RCEs and Infoleaks purchased through Zimperium N-Days EAP in the next few months. If you have a mobile N-Day exploit that you would like to monetize, or would like to practice exploitation and get paid for it – check out the submission guidelines in our N-Days Exploit Acquisition Program announcement. We encourage all partners of ZHA to share exploit submissions for better collaboration between all those involved in making our mobile devices safer.
Credit: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360
Download Exploit (password zimperium_ndays)
Vulnerable file: drivers/gpu/nvgpu/gk20a/channel_gk20a.c
When we perform an IOCTL operation on /dev/nvhost-gpu with cmd NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER, it calls the function gk20a_init_error_notifier. This function does not validate args->offset, which comes from userspace, leading to elevation of privileges to the context of the kernel.
- mmap a region of memory in userland, then set args->offset to a number that makes va + args->offset overflow into this range of memory in userland. As a result, we can calculate the value of va.
- Set va + args->offset to the address of ptmx_fops, to set the value of ptmx_cdev->ops from 0xffffffc0010aa420 to 0x00000000010aa420. 0x00000000010aa420 is a userspace address. As a result, we can modify ptmx_cdev->ops to a fake ops pointer that can be controlled by a userspace application.
- Set ptmx_cdev->ops->ioctl to a ROP read or write kernel gadget, to read 8 bytes from an arbitrary kernel address or write 4 bytes to an arbitrary kernel address.
- After achieving read8 and write4 capabilities, the path to elevated privileges and disabling SELinux is clear.
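
The root cause above is a missing range check on args->offset before it is added to va. The following user-space model is an added example, not code from the driver or from the exploit submission; the struct, the function names and every address and size in it are constructed assumptions. It shows the unchecked addition wrapping out of the kernel range, beside an overflow-safe check that rejects the same offset.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the record the driver writes at va + offset. */
struct notifier_rec {
    uint64_t timestamp;
    uint32_t info32;
    uint16_t info16;
    uint16_t status;
};

/* Unchecked form: models the bug class, the sum is used as-is. */
static uint64_t notifier_addr_unchecked(uint64_t va, uint64_t offset)
{
    return va + offset; /* wraps modulo 2^64 */
}

/*
 * Checked form: accept the offset only if the whole record fits inside
 * the mapped buffer. Written with a subtraction so the check itself
 * cannot overflow, whatever offset userspace supplies.
 */
static bool notifier_addr_checked(uint64_t va, uint64_t buf_size,
                                  uint64_t offset, uint64_t *out)
{
    if (buf_size < sizeof(struct notifier_rec))
        return false;
    if (offset > buf_size - sizeof(struct notifier_rec))
        return false;
    *out = va + offset;
    return true;
}

int main(void)
{
    /* Constructed values: a kernel-range mapping of one 4 KiB buffer. */
    const uint64_t va = 0xffffff8000100000ULL, size = 4096;
    const uint64_t bad = 0x0000008000000000ULL; /* out-of-range offset */
    uint64_t addr = 0;

    printf("unchecked: 0x%016llx\n",
           (unsigned long long)notifier_addr_unchecked(va, bad));
    printf("checked, bad offset: %d\n",
           notifier_addr_checked(va, size, bad, &addr));
    printf("checked, offset 64:  %d\n",
           notifier_addr_checked(va, size, 64, &addr));
    return 0;
}
```

Comparing offset against buf_size minus the record size, rather than testing offset + size against the buffer end, is what keeps the check correct for offsets near the top of the 64-bit range.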