Researchers have found that several Motorola handset models, notably the Moto G4 and G5, are vulnerable to a critical kernel command line injection flaw that could allow a local malicious application to execute arbitrary code on the device.
CVE: CVE-2016-10277
CVE Description : An elevation of privilege vulnerability in the Motorola bootloader could enable a local malicious application to execute arbitrary code within the context of the bootloader. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33840490.
The warning comes from Aleph Research, which said it found the vulnerability on up-to-date handsets running the latest Motorola Android bootloader. “Exploiting the vulnerability allows the adversary to gain an unrestricted root shell. (And more!),” wrote Roee Hay, manager of Aleph Research. He said vulnerable versions of the Motorola Android bootloader allow a kernel command-line injection attack. The same vulnerability was found in the Nexus 6 bootloader as well, but Google fixed it there in May.
Despite the fact the vulnerability had been patched for the Nexus 6, Hay said the Moto G4 and G5 were still vulnerable to the same kernel command line injection flaw.
They acquired the two devices and have since confirmed that the Android Bootloader (ABOOT) on them is indeed vulnerable to the same attack they announced just last month (CVE-2016-10277). The only difference was that initroot had to be ported to these two devices.
They did this by finding the SCRATCH_ADDR values used by the bootloaders and then crafting malicious initramfs archives. The attack injects a kernel command-line parameter (initrd) that forces the Linux kernel to populate initramfs into rootfs from a specified physical address; the download function in ABOOT is abused to place the malicious initramfs at a known physical address.
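As an added illustration of the detection side (not code from the article, Aleph Research or Motorola): a check that audits a kernel command line, as read from /proc/cmdline on a booted device, for boot-path parameters such as initrd= that an injection like the one described above would introduce. The expected-parameter table and the sample command lines are constructed for this example.

```python
"""Audit a Linux kernel command line for unexpected boot-path parameters.
Constructed example for this article; the sample command lines and the
expected-value table below are made up, not taken from a real device."""
import shlex

# Parameters that change what the kernel loads or runs during early boot.
BOOT_PATH_PARAMS = {"initrd", "rdinit", "init", "root", "androidboot.mode"}

# What the device's own build is expected to boot with (constructed).
EXPECTED = {"androidboot.mode": "normal"}

# Constructed samples: a clean command line and one with an appended initrd=.
CLEAN_CMDLINE = "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.mode=normal"
INJECTED_CMDLINE = CLEAN_CMDLINE + " initrd=0xPLACEHOLDER_ADDR,0xPLACEHOLDER_SIZE"


def split_cmdline(cmdline):
    """Split a kernel command line into (name, value) pairs.
    shlex keeps double-quoted values with spaces intact, as the kernel does;
    a bare flag with no '=' gets value None."""
    pairs = []
    for token in shlex.split(cmdline):
        name, sep, value = token.partition("=")
        pairs.append((name, value if sep else None))
    return pairs


def audit_cmdline(cmdline, expected):
    """Compare an observed command line with the expected boot-path values.
    Returns a list of human-readable findings; empty means nothing unexpected."""
    findings = []
    seen = {}
    for name, value in split_cmdline(cmdline):
        # A parameter appended after an existing one overrides it (the later
        # occurrence wins), so duplicates of boot-path parameters are suspicious.
        if name in seen and name in BOOT_PATH_PARAMS:
            findings.append(f"duplicate {name!r}: {seen[name]!r} then {value!r} (later one wins)")
        seen[name] = value
    for name in sorted(BOOT_PATH_PARAMS & set(seen)):
        if name not in expected:
            findings.append(f"unexpected boot-path parameter {name}={seen[name]!r}")
        elif seen[name] != expected[name]:
            findings.append(f"{name} changed: expected {expected[name]!r}, got {seen[name]!r}")
    return findings


if __name__ == "__main__":
    for line in audit_cmdline(INJECTED_CMDLINE, EXPECTED):
        print("FINDING:", line)
```

On a real device the check would read /proc/cmdline and compare it with the command line recorded from a known-good boot of the same build.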
“In the previous blog post, we suggested that CVE-2016-10277 could affect other Motorola devices. After receiving a few reports on Twitter that this was indeed the case we acquired a couple of Motorola devices, updated to the latest available build we received over-the-air,” the researcher from Aleph wrote on Wednesday.
“By exploiting the vulnerability, a physical adversary or one with authorised USB fastboot access to the device could break the secure/verified boot mechanism, allowing him to gain unrestricted root privileges, and completely own the user space by loading a tampered or malicious image,” wrote Hay.
Hay’s research into the Motorola bootloaders began in January when he identified a high-severity vulnerability (CVE-2016-8467) impacting Nexus 6/6P handsets. That separate vulnerability allowed attackers to change the bootmode of the device, giving access to hidden USB interfaces. Google fixed the issue by hardening the bootloader and restricting it from loading custom bootmodes.
In an interview, Hay said: “Yes, they are both bootloader vulnerabilities. The CVE-2016-10277 can be considered a generalization of CVE-2016-8467, but with a much stronger impact.”
Source: Aleph Research