Pierluigi Paganini September 05, 2019

Maintainers of the Android Open Source Project (AOSP) failed to address a privilege escalation bug in the Android mobile OS that was reported six months ago.

Experts disclosed details of a zero-day vulnerability that affects the Android mobile operating system. The high-severity zero-day issue resides in the driver for the Video For Linux 2 (V4L2) interface.

The vulnerability was reported by Lance Jiang and Moony Li of TrendMicro Research through the Zero Day Initiative (ZDI) program.

“This vulnerability allows local attackers to escalate privileges on vulnerable installations of Google Android. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.” reads the security advisory published by ZDI.

“The specific flaw exists within the v4l2 driver. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this to escalate privileges in the context of the kernel.”

Google learned about it in March and acknowledged it. The company, though, said that a fix would become available but gave no date for delivering a patch.

“The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this to escalate privileges in the context of the kernel.”

The vulnerability resides in the way the Video for Linux (V4L2) driver handles input data, it could be exploited by an attacker to elevate permissions to kernel level.

Trend Micro published details of the issue after Google published the September 2019 Android Security Bulletin, that did not fix the flaw.

Experts pointed out that the attackers need local access in order to exploit the vulnerability, this means they should have already compromised the device. The issue could be chained with other vulnerabilities in order to take full control of a device, post the initial infection.

Jiang and Li reported the issue to Google in March.

Experts warn of the severity of privilege escalation vulnerabilities that could be used by attackers to gain root access on the devices and carry out many malicious activities.

At the time of writing, there is no workaround for this vulnerability.

Below the timeline for this issue:

• 03/13/19 – ZDI reported a vulnerability to the vendor
• 03/13/19 – The vendor acknowledged and requested further information
• 03/25/19 – ZDI provided the requested details
• 06/28/19 – The vendor confirmed the vulnerability would be fixed, but did not provide an estimated time frame
• 07/12/19 – ZDI requested an estimated date for the fix
• 07/12/19 – The vendor indicated they could not specify a date
• 08/21/19 – ZDI requested an update
• 08/26/19 – The vendor indicated there were no further updates
• 08/28/19 – ZDI notified the vendor of the intention to disclose the report as a 0-day advisory
• 2019-09-04 – Coordinated public release of advisory
  2019-09-04 – Advisory Updated

Pierluigi Paganini

(SecurityAffairs – Android, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]