April 21, 2020

GHSL-2020-006: Out-Of-Bounds write in Android Open Source Project - CVE-2020-0073

Man Yue Mo

Summary

Out-of-Bounds write in Android's rw_t2t_handle_tlv_detect_rsp (NFC) could allow an attacker at NFC range to obtain remote code execution

Product

Android Open Source Project

CVE

CVE-2020-0073

Tested Version

Pixel3a with build id: QQ1A.191205.011 (tag android-10.0.0_r16). (latest publicly available build as of the time of writing) Proxmark3 used is the RDV4.01

Details

In the rw_t2t_handle_tlv_detect_rsp function, p_t2t->lockbyte is accessed with the index p_t2t->num_lockbytes 1, while p_t2t->num_lockbytes increases during the loop. Although there is a check 2 to ensure that p_t2t->num_lockbytes cannot be increased more than RW_T2T_MAX_LOCK_BYTES (length of p_t2t->lockbytes) number of times during the loop, this is not sufficient to prevent overflow as the loop can be triggered multiple times during the detection sequence by repeatedly sending the following response:

  {0x00, 0x00, 0x01, 0x03,
   0x00, 0xf6, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00,
   0x0a, 0x00, 0x00, 0x00}

This will lead to a stack OOB write, which, due to the layout of the object rw_cb (type tRW_CB) 3 and p_t2t (type tRW_T2T_CB, which is tcb in rw_cb) 4, will ended up overwriting the function pointer p_cback 5, that is executed in the end of the detection.

Impact

If succesfuly exploited, an attacker within NFC range could obtain remote code execution on android device's NFC daemon.

Coordinated Disclosure Timeline

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-006 in any communication regarding this issue.