OnePlus OTA OxygenOS/HydrogenOS Crossover Vulnerability(CVE-2017-8850)

#### Products * OnePlus 3T * OnePlus 3 * OnePlus 2 * OnePlus X * OnePlus One #### Vulnerable Version * All OnePlus OxygenOS & HydrogenOS OTAs #### Technical Details Due to lenient updater-script in the OnePlus OTA images (see below), and the fact both ROMs use the same OTA verification keys, attackers can install HydrogenOS over OxygenOS and vice versa, even on locked bootloaders, which allows for exploitation of vulnerabilities patched on one image but not on the other, in addition to expansion of the attack surface. This vulnerability can be exploited by Man-in-the-Middle (MiTM) attackers targeting the update process. This is possible because the update transaction does not occur over TLS (CVE-2016-10370). In addition, physical attackers can reboot the phone into recovery, and then use adb sideload to push the OTA (on OnePlus 3/3T ‘Secure Start-up’ must be off). updater-script of the OnePlus 3T OxygenOS 4.1.3 OTA: ``` getprop("ro.display.series") == "OnePlus 3T" || abort("E3004: This package is for \"OnePlus 3T\" devices; this is a \"" + getprop("ro.display.series") + "\"."); show_progress(0.750000, 0); ui_print("Patching system image unconditionally..."); block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") || abort("E1001: Failed to update system image."); show_progress(0.050000, 10); [...] ``` updater-script of the OnePlus 3T HydrogenOS 3.0.0 OTA: ``` getprop("ro.display.series") == "OnePlus 3T" || abort("E3004: This package is for \"OnePlus 3T\" devices; this is a \"" + getprop("ro.display.series") + "\"."); show_progress(0.750000, 0); ui_print("Patching system image unconditionally..."); block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") || abort("E1001: Failed to update system image."); show_progress(0.050000, 10); [...] ``` #### PoC ``` https://github.com/alephsecurity/research/tree/master/OnePlusOTA ``` #### Timeline * 11-May-17: Public disclosure. * 10-May-17: Deadline Extension. * 08-May-17: CVE-2017-8850 assigned. * 08-May-17: CVE ID requested. * 08-May-17: Added as ALEPH-2017020. * 26-Apr-17: Deadline. * 09-Apr-17: 14-day Deadline Extension Offered (no reply). * 26-Jan-17: Reported.