ANATOMY OF A SECURITY VULNERABILITY
In March 2020, Google patched a critical vulnerability (CVE-2020-0069) affecting millions of devices with chipsets made by MediaTek (the large Taiwanese chip design company).
All devices with the MediaTek 64-bit chipsets are vulnerable, including Motorola, OPPO, Sony, Alcatel, Amazon, ASUS, Blackview, Realme, Xiaomi, as well as others.
The vulnerability allows a local attacker without privileges to read and write system memory, leading to privilege escalation. There is even an exploit binary called mtk-su that allows root access on many vulnerable devices. On April 17th, 2019, an author of the exploit shared a script that users can execute to grant them superuser access in shell, as well as set SELinux, the Linux kernel module that provides access control for processes, to the highly insecure “permissive” state.
For a user to get root access and set SELinux to permissive on their own device is shockingly easy to do. All you have to do is copy the script to a temporary folder, change directories to where the script is stored, add executable permissions to the script, and then execute the script.
The consequences of a successful attack can be significant: With root access, any app can grant itself any permission it wants; and with a root shell, all files on the device, even those stored in private data directories of applications, are accessible.
An app with root can also silently install any other app it wants in the background and then grant it whatever permissions it needs to violate your privacy. A malicious app can even inject code directly which means a normal app on your device could be hijacked to do the bidding of the attacker.
The vulnerability is actively being exploited by hackers.
What Type of Vulnerability Does CVE-2020-0069 Represent?
MITRE maintains a list of common software and hardware weaknesses and exposures, known as the CWE List. “Weaknesses” are flaws, faults, bugs, vulnerabilities, or other errors in software or hardware implementation, code, design, or architecture that if left unaddressed could result in systems, networks, or hardware being vulnerable to attack. The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs.
CVE-2020-0069 is an example of CWE-787: Out-of-bounds Write. The software writes data past the end, or before the beginning, of the intended buffer.
Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
Is a Security Patch For CVE-2020-0069 Available?
Yes, Google issued a security patch in March 2020.
Aren’t Flaws like CVE-2020-0069 Rare? My Code is Secure, Right?
According to the National Institute of Standards and Technology, there have been 50,031 application vulnerabilities in the last three years. Vulnerabilities are frequently discovered even in high-profile projects suppoprted by the most senior developers in the world. Another example of this is curl.
Curl is used in practically every technology that requires internet transfer. That applies to cars, routers, printers, audio equipment, mobile devices, media players and more. Since curl supports thousands of software applications that impact billions of humans daily, it’s important for developers to check which curl version they are using and update as soon as possible.
A critical heap buffer overflow vulnerability in curl’s TFTP protocol handler (CVE-2019-5482) has been discovered and was patched in September 2019.
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the tftp_receive_packet() function when processing TFTP data. A remote attacker can send specially crafted TFTP responses to the vulnerable curl client, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable systems.
The fix is available here.