N-Days Exploits: NDAY-2017-0103 Arbitrary kernel write in sys_oabi_epoll_wait

Share this blog
  • zNID: NDAY-2017-0103
  • CVE: CVE-2016-3857
  • Type: Elevation of Privileges
  • Platform: Android < 6.0
  • Device type: Huawei MT7-UL00, Nexus 7
  • Zimperium protection: Detected the exploit without an update. Zimperium partners and customers do not need to take any action to detect this exploit on all affected devices.
  • Android bulletinhttps://source.android.com/security/bulletin/2016-08-01.html
  • Public release date: 25th of May, 2017
    Credit: Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360

Download Exploit (password zimperium_ndays)

Vulnerability Details

Vulnerable file drivers/video/tegra/host/bus_client.c
This bug is in the function `sys_oabi_epoll_wait`. It exist before android 6.0 when `CONFIG_OABI_COMPAT` is set. So it is just for some special device, for example Nexus 7 (2013) and Huawei MT7-UL00.
In the function `sys_oabi_epoll_wait`, `__put_user_error` does not validate the pointer events which is from userland. So if we set events to a kernel address, it can lead to kernel arbitrary write.

Exploitation

  1. prepare shellcode address to `event.data`, and this event to epoll by command `EPOLL_CTL_ADD`.
  2. set kernel address of `ptmx_fops->fsync` to event, and then call `sys_oabi_epoll_wait` to trigger the bug. so `__put_user_error` will rewrite `ptmx_fops->fsync` to the address of shellcode.
  3. call `fsync()` on device `/dev/ptmx` to run the shellcode to get elevate privileges and disable selinux.

[gist url=”https://gist.github.com/ntrippar/aab5c81c1f3ab509ee6dee2652bc2a31.js”][/gist]

Avatar photo
Author: zLabs

Get started with Zimperium today