Pierluigi Paganini February 07, 2016

Google announced to have patched a number of critical vulnerabilities affecting the Nexus devices that lead to the complete hack of the device.

Google announced to have patched a critical vulnerability affecting the Nexus devices that could be exploited by an attacker on the same Wi-Fi network. The company confirmed that it is not aware of attacks in the wild exploiting the vulnerabilities.

The patch issued by Google fixes several vulnerabilities in the Broadcom Wi-Fi driver that could be exploited by an attacker for remote code execution. The updates are available in the builds LMY49G or later for Nexus devices, the fix has been distributed on Jan. 4 through carrier and manufacturer partners. The same updates will be very soon available for the Android Open Source Project.

According to the security advisory published by Google, the Wi-Fi vulnerabilities can be exploited by sending a malicious wireless control message packet that could corrupt kernel memory and lead the remote code execution at the kernel level.

“Multiple remote execution vulnerabilities in the Broadcom Wi-Fi driver could allow a remote attacker to use specially crafted wireless control message packets to corrupt kernel memory in a way that leads to remote code execution in the context of the kernel. These vulnerabilities can be triggered when the attacker and the victim are associated with the same network. This issue is rated as a Critical severity due to the possibility of remote code execution in the context of the kernel without requiring user interaction.” states the Nexus Security Bulletin – February 2016.

The vulnerabilities coded as CVE-2016-0801 and CVE-2016-0802, were privately reported to Google by the Broadgate Team on October 25.

Google has also issued a fix for a new problem in the Mediaserver  that could be exploited in several ways, for example by sending an MMS file.

“During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.

The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media.” continues the Advisory.

“This issue is rated as a Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps cannot normally access.”

Google fixed also a critical vulnerability, coded as CVE-2016-0807, affecting the Debuggerd component that could be exploited by hackers to root the Android device.

The Google bulletin also patches two other critical vulnerabilities in Qualcomm modules (CVE-2016-0805 and CVE-2016-0806) the Qualcomm Performance Module and the Qualcomm Wi-Fi Driver. The flaws allow the elevation of privilege for an attacker. In the case of the Qualcomm performance event manager component for ARM processors an attacker can exploit it by using a local application to run code at the kernel level.

In the case of the Qualcomm Wi-Fi driver, the attacker can use a local application to run code at the kernel level as well.

Pierluigi Paganini

(Security Affairs – Android Google Nexus, Wi-Fi)