#### Products
* OnePlus 3T
* OnePlus 3
* OnePlus 2
* OnePlus X
* OnePlus One
#### Vulnerable Version
* All OnePlus OxygenOS & HydrogenOS OTAs
#### Technical Details
lenient updater-script in the OnePlus OTAs which does not check that the current version is lower than or equal to the given image’s (see below the 4.0.0 updater-script). Downgrades can occur even on locked bootloaders & without triggering a factory reset, allowing for exploitation of now-patched vulnerabilities with access to user data. This vulnerability can be exploited by a Man-in-the-Middle (MiTM) attacker targeting the update process. This is possible because the update transaction does not occur over TLS. In addition, a physical attacker can reboot the phone into recovery, and then use adb sideload to push the OTA (on OnePlus 3/3T ‘Secure Start-up’ must be off).
```
getprop("ro.display.series") == "OnePlus 3T" || abort("E3004: This package is for \"OnePlus 3T\" devices; this is a \"" + getprop("ro.display.series") + "\".");
show_progress(0.750000, 0);
ui_print("Patching system image unconditionally...");
block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") ||
abort("E1001: Failed to update system image.");
show_progress(0.050000, 10);
[...]
```
#### PoC
```
https://github.com/alephsecurity/research/tree/master/OnePlusOTA
```
#### Timeline
* 11-May-17: Public disclosure.
* 10-May-17: Deadline Extension.
* 26-Apr-17: Deadline.
* 09-Apr-17: 14-day Deadline Extension Offered (no reply).
* 01-Mar-17: Added as ALEPH-2017008.
* 10-Feb-17: CVE-2017-5948 assigned.
* 09-Feb-17: CVE ID requested.
* 26-Jan-17: Reported.
暂无评论