A detailed analysis of two critical vulnerabilities affecting Android devices powered by Qualcomm chips has been published.

The two security flaws, tracked as CVE-2019-14040 and CVE-2019-14041, affected all Android devices with Qualcomm chipsets and could be exploited by a malicious application to gain full root privileges.

Zimperium’s zLabs research team originally reported the security issues to Qualcomm on July 31, 2019. A proof of concept (PoC) was sent to the US chip giant on August 4, and a month later Qualcomm provided a patch to Android vendors.

After suppliers had enough time to implement the security solution for their customers, Qualcomm released a security bulletin in February.

Now that fixes are widely available, Zimperium has released the PoC code on GitHub (1, 2) and has provided an insight into the kernel vulnerabilities.

In Android, there is a driver called QTI Secure Execution Environment Communicator (QSEECOM), which manages the processes that must communicate with TrustZone.

The first vulnerability, CVE-2019-14041, is a race condition in a function that updates buffers which are sent to TrustZone along with flags.

The API exposed by QSEECOM consists of ioctl calls to the /dev/qseecom device. To avoid code duplication, the buffer update function can be reached through two completely different ioctls and behaves differently in each case. In doing so, the function checks the data type, and by simply invoking this call it was possible to corrupt kernel memory.

The second vulnerability, CVE-2019-14040, is a use-after-free flaw in kernel memory mapping. Zimperium says ION (used in the mapping) “allows user space processes to allocate memory to special heaps that behave differently than other regular memory” and, as a result, these buffers are not only accessible to user-space processes; the kernel can also map them and read or write that memory.

In addition, the same feature that could be abused through the previous security flaw also allows the same data to be modified by the kernel.

When an allocated ION buffer is referenced, some parameters, including the handles, are saved. Although requests were validated before proceeding, the team found that it was possible to extend the length of a request far enough to bypass the standard validation checks, corrupt the kernel mapping and achieve code execution.

Researchers say that, when chained with other vulnerabilities – CVE-2017-13253, CVE-2018-9411 and CVE-2018-9539 – malicious applications can also gain root privileges, enabling a range of attacks including theft of sensitive data and credentials, deployment of additional malware, and surveillance such as monitoring private calls and controlling a phone’s camera and microphone.

“These vulnerabilities could allow an attacker to reach full root/kernel privileges,” says zLabs. “Especially the use-after-free, as it is much more reliable than the race condition. In theory, it might be possible for a completely non-privileged attacker to build a chain out of these vulnerabilities to achieve complete root privileges.”

Update 16:31 GMT: A Qualcomm spokesperson told ZDNet:

“Providing technologies that support robust security and privacy is a priority for Qualcomm. Regarding the research published by Zimperium, we issued fixes to OEMs in November 2019 and have not seen any evidence of exploitation. … security researchers for using industry-standard coordinated disclosure practices, and encourage end users to upgrade their devices as patches become available from OEMs.”
