Pierluigi Paganini June 11, 2017

Security experts have discovered a critical kernel command line injection vulnerability in the Motorola handsets Moto G4 and Moto G5.

Security researchers from Aleph Research Motorola have discovered a critical kernel command line injection flaw in the Motorola handset Moto G4 and Moto G5 models.

The flaw affects also handsets running the latest Motorola Android bootloader and could be exploited by a local malicious application to execute arbitrary code on the mobile device.

The experts were able to exploit the vulnerability on the Motorola handsets by abusing the Motorola bootloader download functionality in order to force loading their malicious initramfs image (initial RAM file system)  at a known physical address, named SCRATCH_ADDR.

“Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection. We can inject a parameter, named initrd, which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address.” reads the advisory published by the researchers. “We can abuse the ABOOT download functionality in order to place our own malicious initramfs at a known physical address, named SCRATCH_ADDR (0x11000000 for Nexus 6).

Exploiting the vulnerability allows the adversary to gain an unrestricted root shell. (And more!)”

Earlier this year, the security experts at Aleph Research have found the same flaw, tracked as CVE-2016-10277, in the Nexus 6 Motorola bootloader, Google fixed it last month.

A local attacker could break the secure/verified boot mechanism to gain unrestricted root privileges and load a tampered or malicious initramfs image.

“By exploiting the vulnerability, a physical adversary or one with authorized-ADB/fastboot USB access to the (bootloader-locked) device (such as PC malware awaiting for an ADB-authorized developer’s device to be hooked via USB) could break the Secure/Verified Boot mechanism, allowing him to gain unrestricted root privileges, and completely own the user space (which may also lead much more), by loading a tampered or malicious initramfs image. Moreover, exploitation does not lead to a factory reset hence user data remains intact (and still encrypted). It should be noted that we do not demonstrate an untethered attack.” the researchers wrote when discovered the flaw in the Nexus 6.

The experts suggested the Kernel Command-line Injection issue in the Nexus devices could affect also devices from other vendors, so they decided to focus their tests on Motorola handsets.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Motorola handsets, hacking)

[adrotate banner=”13″]