April 21, 2020

GHSL-2020-007: Out-of-bounds write in Android Open Source Project - CVE-2020-0072

Man Yue Mo

Summary

An Out-Of-Bounds write of lock_tlv in Android's rw_t2t_handle_tlv_detect_rsp (NFC) could leads to remote code execution.

Product

Android Open Source Project

CVE

CVE-2020-0072

Tested Version

Pixel3a with build id: QQ1A.191205.011 (tag android-10.0.0_r16). (latest publicly available build as of the time of writing) Proxmark3 used is the RDV4.01

Details

In the rw_t2t_handle_tlv_detect_rsp function, p_t2t->lock_tlv is written to with index p_t2t->num_lock_tlvs 1. As p_t2t->num_lock_tlvs is incremented here 2, by repeatedly triggering this branch, it is possible to increase the value of p_t2t->num_lock_tlvs beyond the size of p_t2t->lock_tlv (RW_T2T_MAX_LOCK_TLVS), causing an OOB write.

Impact

If succesfuly exploited, an attacker within NFC range could obtain remote code execution on android device's NFC daemon.

Coordinated Disclosure Timeline

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-007 in any communication regarding this issue.