Researcher Publishes PoC Exploit for Latest Android Zero-Day


A security researcher has released a proof-of-concept (PoC) exploit for a newly patched Android zero-day vulnerability affecting Pixel 2 devices.

Tracked as CVE-2019-2215, the vulnerability was disclosed in early October by Google Project Zero security researcher Maddie Stone, who confirmed that it was already being exploited by attackers in the wild.

The researcher also said that the information she had linked the exploit to NSO Group, the Israeli spyware company behind the notorious Pegasus iOS malware.

The vulnerability had already been fixed in version 4.14 of the Linux kernel in December 2017, but no CVE was assigned at the time. The fix was also included in the Android Open Source Project (AOSP) 3.18, 4.4 and 4.9 kernels.

Devices found to be vulnerable include fully patched Pixel 1 and Pixel 2 phones, as well as the Huawei P20; Xiaomi Redmi 5A, Redmi Note 5 and A1; Oppo A3; Motorola Moto Z3; LG phones running Android 8 Oreo; and Samsung Galaxy S7, S8 and S9.

Last week Google released the October 2019 Android security patches and said that Pixel 1 and Pixel 2 devices would receive the fix for CVE-2019-2215 as part of the October update.

Grant Hernandez, a PhD candidate at the University of Florida’s Florida Institute for Cybersecurity Research, published a blog post this week featuring a working proof-of-concept exploit for the vulnerability.

“The simple PoC left us with a complete kernel read/write primitive, basically a system security match, but left us root as a reading exercise,” the author states.

To obtain a fully rooted shell, one must overcome multiple layers of Android’s security features, including discretionary access control (DAC), mandatory access control (SELinux), Linux capabilities, and secure computing mode (seccomp).

“This is a major undertaking without kernel instability on a modern Android system. Nonetheless, we can easily circumvent or disable all of these with a device accessible kernel exploit,” says Hernandez.

The author has also published details of how the DAC and capability checks can be bypassed and how SELinux and seccomp can be disabled, essentially documenting how an attacker could abuse the vulnerability to root a vulnerable device.

The code is available on GitHub; when compiled, it produces an executable named CVE-2019-2215.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.