Out-of-Bounds write in Android's rw_t2t_handle_tlv_detect_rsp
(NFC) could allow an attacker at NFC range to obtain remote code execution
Android Open Source Project
CVE-2020-0073
Pixel3a with build id: QQ1A.191205.011 (tag android-10.0.0_r16). (latest publicly available build as of the time of writing) Proxmark3 used is the RDV4.01
In the rw_t2t_handle_tlv_detect_rsp
function, p_t2t->lockbyte
is accessed with the index p_t2t->num_lockbytes
1, while p_t2t->num_lockbytes
increases during the loop. Although there is a check 2 to ensure that p_t2t->num_lockbytes
cannot be increased more than RW_T2T_MAX_LOCK_BYTES
(length of p_t2t->lockbytes
) number of times during the loop, this is not sufficient to prevent overflow as the loop can be triggered multiple times during the detection sequence by repeatedly sending the following response:
{0x00, 0x00, 0x01, 0x03,
0x00, 0xf6, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x0a, 0x00, 0x00, 0x00}
This will lead to a stack OOB write, which, due to the layout of the object rw_cb
(type tRW_CB
) 3 and p_t2t
(type tRW_T2T_CB
, which is tcb
in rw_cb
) 4, will ended up overwriting the function pointer p_cback
5, that is executed in the end of the detection.
If succesfuly exploited, an attacker within NFC range could obtain remote code execution on android device's NFC daemon.
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
You can contact the GHSL team at securitylab@github.com
, please include the GHSL-2020-006
in any communication regarding this issue.