Uncategorized

initroot: Bypassing Nexus 6 Secure Boot through Kernel Command-line Injection

By Roee Hay (@roeehay)
In the May 2017 Android Security Bulletin, Google released a patch to a critical and unique vulnerability, CVE-2016-10277, in the Nexus 6 bootloader that we had found and responsibly disclosed. By exploiting the vulnerability, a physical adversary or one with authorized ADB/fastboot USB access to the (bootloader-locked) device (such as PC malware waiting for an ADB-authorized developer’s device to be hooked up via USB) could break the Secure/Verified Boot mechanism, allowing him to gain unrestricted root privileges and completely own the user space (which may also lead to much more) by loading a tampered or malicious initramfs image. Moreover, exploitation does not lead to a factory reset, hence user data remains intact (and still encrypted). It should be noted that we do not demonstrate an untethered attack. During this research we also uncovered an 18-year-old Linux Kernel bug (not affecting Nexus 6 and probably not affecting any Android device): CVE-2017-1000363[…]

https://alephsecurity.com/2017/05/23/nexus6-initroot/

IBM on attacking Android Custom Boot Modes

IBM’s SecurityIntelligence has a story on attacking Android’s Custom Boot Modes.

Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes
By Roee Hay
Co-authored by Michael Goberman.

In recent months, the X-Force Application Security Research Team has discovered several previously undisclosed Android vulnerabilities. The November 2016 and January 2017 Android Security Bulletins included patches to one high-severity vulnerability, CVE-2016-8467, in Nexus 6 and 6P. Our new paper, “Attacking Nexus 6 & 6P Custom Bootmodes,” discusses this vulnerability as well as CVE-2016-6678.[…]

https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/

Android Nexus 5 Monitor Mode

Vincent recently tweeted this pointer to a blog from Frédéric Basse, talking about Android Nexus 5’s Monitor Mode:

Analysis of Nexus 5 Monitor mode
This article will first describe how to locate the Monitor mode code in Nexus 5 firmware (hammerhead-ktu84p-factory-35ea0277, bootloader-hammerhead-hhz11k : c32f8bec310c659c1296739b00c6a8ac). Then, we will try to understand what it does (its functionalities). Finally, you will have to find bugs by yourself because I didn’t find any… so far!
[…]

Full article:
http://www.fredericb.info/2014/12/analysis-of-nexus-5-monitor-mode.html?spref=tw

February’s Google Nexus security bulletin is out

The Google Nexus Security team has released their monthly security bulletin.

We have released a security update to Nexus devices through an over-the-air (OTA) update as part of our Android Security Bulletin Monthly Release process. The Nexus firmware images have also been released to the Google Developer site. Builds LMY49G or later and Android M with Security Patch Level of February 1, 2016 or later address these issues. Refer to the Nexus documentation for instructions on how to check the security patch level.
[…]
We would like to thank these researchers for their contributions:
* Android and Chrome Security Team: CVE-2016-0809, CVE-2016-0810
* Broadgate Team: CVE-2016-0801, CVE-2015-0802
* David Riley of the Google Pixel C Team: CVE-2016-0812
* Dongkwan Kim (dkay@kaist.ac.kr) of System Security Lab, KAIST: CVE-2015-6614
* Gengjia Chen (@chengjia4574) of Lab IceSword, Qihoo 360: CVE-2016-0805
* Hongil Kim (hongilk@kaist.ac.kr) of System Security Lab, KAIST: CVE-2015-6614
* Qidan He (@Flanker_hqd) of KeenLab (@keen_lab), Tencent: CVE-2016-0811
* Seven Shen (@lingtongshen) of Trend Micro (www.trendmicro.com): CVE-2016-0803
* Weichao Sun (@sunblate) of Alibaba Inc: CVE-2016-0808
* Zach Riggle (@ebeip90) of the Android Security Team: CVE-2016-0807
[…]

See the full bulletin for specifics on each of the CVEs:

https://source.android.com/security/bulletin/2016-02-01.html

Google Android Nexus debug cable is open source

Google has specs for the Nexus debug cable:

USB debug cable design documents: Eagle schematics and PCB, gerber files, and BOM for a debug cable for the headset serial port found on most Nexus devices.

https://android.googlesource.com/device/google/debugcable/+/master

Android Nexus security updates for November

Google is continuing its new policy of monthly Android security updates for its Nexus line.

CVE-2015-6608, Critical, Remote Code Execution Vulnerabilities in Mediaserver
CVE-2015-6609, Critical, Remote Code Execution Vulnerability in libutils
CVE-2015-6611, High, Information Disclosure Vulnerabilities in Mediaserver
CVE-2015-6610, High, Elevation of Privilege Vulnerability in libstagefright
CVE-2015-6612, High, Elevation of Privilege Vulnerability in libmedia
CVE-2015-6613, High, Elevation of Privilege Vulnerability in Bluetooth
CVE-2015-6614, Moderate, Elevation of Privilege Vulnerability in Telephony

https://groups.google.com/forum/#!msg/android-security-updates/n1aw2MGce4E/jhpVEWDUCAAJ
https://source.android.com/devices/tech/security/enhancements/enhancements60.html

In somewhat-related Android security news, there is a new design-time vulnerability:

http://blog.trendmicro.com/trendlabs-security-intelligence/setting-the-record-straight-on-moplus-sdk-and-the-wormhole-vulnerability/
http://www.itproportal.com/2015/11/03/android-sdk-vulnerability-leaves-100-million-users-at-risk/

Nexus status update

Tom’s Hardware has an article with an interview of a few Nexus engineers, talking about upcoming releases:

Nexus Engineers Reveal More Nexus 5X, Nexus 6P Details
by Lucian Armasu

Four members of the Google Nexus team, including Hiroshi Lockheimer, David Burke, Krishna Kumar and Sandeep Waraich, took the time to answer questions from Nexus 5X and Nexus 6P fans about the two new phones. Here’s a summary of the most important details. […]

http://www.tomshardware.com/news/nexus-5x-nexus-6p-ama,30208.html#xtor=RSS-999
