Summary

An out-of-bounds write to lock_tlv in Android's rw_t2t_handle_tlv_detect_rsp (NFC) could lead to remote code execution.

Product

Android Open Source Project

CVE

CVE-2020-0072

Tested Version

Pixel 3a with build id QQ1A.191205.011 (tag android-10.0.0_r16), the latest publicly available build at the time of writing. The Proxmark3 used is the RDV4.01.

Details

In the rw_t2t_handle_tlv_detect_rsp function, p_t2t->lock_tlv is written to at index p_t2t->num_lock_tlvs [1]. Because p_t2t->num_lock_tlvs is incremented in the same branch [2], and the branch is taken once per lock TLV the tag presents, a malicious tag that triggers it repeatedly can push p_t2t->num_lock_tlvs past the size of p_t2t->lock_tlv (RW_T2T_MAX_LOCK_TLVS). The next write then lands beyond the array, corrupting whatever follows it in the tag control block: an out-of-bounds write.

Impact

If successfully exploited, an attacker within NFC range could obtain remote code execution in the Android device's NFC daemon.

Coordinated Disclosure Timeline

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-007 in any communication regarding this issue.

  1. https://android.googlesource.com/platform/system/nfc/+/a581069b8f449f5e5d7804ac70fa4d9d57a2b94e/src/nfc/tags/rw_t2t_ndef.cc#609 

  2. https://android.googlesource.com/platform/system/nfc/+/a581069b8f449f5e5d7804ac70fa4d9d57a2b94e/src/nfc/tags/rw_t2t_ndef.cc#636