Summary
An out-of-bounds write in Android's rw_t2t_extract_default_locks_info
could lead to remote code execution.
Product
Android Open Source Project
CVE
CVE-2020-0071
Tested Version
Pixel 3a with build id QQ1A.191205.011 (tag android-10.0.0_r16), the latest publicly available build at the time of writing. The Proxmark3 used was an RDV4.01.
Details
In rw_t2t_extract_default_locks_info [1], num_dynamic_lock_bytes is derived from p_t2t->tag_hdr[T2T_CC2_TMS_BYTE], the TMS byte at index 14 of the first response in a detection sequence [2]. num_dynamic_lock_bytes is then used as the upper bound of the loop that writes to p_t2t->lockbytes [3]. Nothing checks that bound against the fixed size of p_t2t->lockbytes, so a tag_hdr with a large enough T2T_CC2_TMS_BYTE, e.g. the following as the initial response:
{0x04, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0xfa, 0xff, 0xff, 0xff,
0xe1, 0x11, 0xff, 0x00, //<- the 0xff in this row (index 14) is |T2T_CC2_TMS_BYTE| in |tag_hdr|
0x00, 0x00},
causes num_dynamic_lock_bytes to exceed the size of p_t2t->lockbytes, and the loop writes past the end of the array.
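The following is an added example, not code from the advisory or from the AOSP NFC stack. It models the derivation the advisory describes: the TMS byte of the first read response is turned into a count of dynamic lock bytes, and that count drives writes into a fixed-size table. The layout constants (TMS * 8 bytes of data area, 48 bytes covered by the static lock bits, 8 bytes per dynamic lock bit), the table capacity MAX_LOCK_BYTES, the struct and function names, and the header bytes (taken from the response above, minus its two trailing bytes) are assumptions for this model; the exact arithmetic in AOSP is in the linked source. The vulnerable shape writes as many entries as the tag asks for; the hardened shape rejects a count that does not fit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants follow the NFC Forum Type 2 Tag defaults as assumed for
 * this example; they are not copied from the AOSP source. */
#define T2T_CC2_TMS_BYTE        14  /* TMS byte in the 16-byte first read response */
#define T2T_TMS_TAG_FACTOR       8  /* data area size = TMS * 8 bytes */
#define T2T_STATIC_LOCK_AREA    48  /* bytes guarded by the static lock bits */
#define T2T_BYTES_PER_LOCK_BIT   8  /* default: one dynamic lock bit per 8 bytes */
#define TAG_BITS_PER_BYTE        8
#define MAX_LOCK_BYTES          12  /* assumed fixed capacity of the lockbytes table */
#define SPILL_ENTRIES           64  /* stands in for memory adjacent to the table */

typedef struct {
    uint8_t byte_index;
    uint8_t lock_byte;
} lock_byte_t;

/* Model of the per-tag control block. The first MAX_LOCK_BYTES entries of
 * `table` play the role of p_t2t->lockbytes; the remaining entries stand in
 * for whatever follows it in memory, so an overrun is observable here
 * without undefined behaviour. */
typedef struct {
    uint8_t     tag_hdr[16];
    lock_byte_t table[MAX_LOCK_BYTES + SPILL_ENTRIES];
    unsigned    num_lockbytes;
} t2t_cb_t;

/* Dynamic lock bytes implied by the TMS byte: the part of the data area not
 * covered by the static lock bits needs one lock bit per
 * T2T_BYTES_PER_LOCK_BIT bytes, packed eight bits to a byte. */
unsigned dynamic_lock_bytes_from_tms(uint8_t tms) {
    unsigned data_area = (unsigned)tms * T2T_TMS_TAG_FACTOR;
    if (data_area <= T2T_STATIC_LOCK_AREA) return 0;
    unsigned lock_bits = (data_area - T2T_STATIC_LOCK_AREA) / T2T_BYTES_PER_LOCK_BIT;
    return (lock_bits + TAG_BITS_PER_BYTE - 1) / TAG_BITS_PER_BYTE;
}

/* Vulnerable shape: trusts the tag-derived count as the loop bound.
 * Returns how many entries were written past the table's capacity. */
unsigned extract_default_locks_vulnerable(t2t_cb_t *cb) {
    unsigned n = dynamic_lock_bytes_from_tms(cb->tag_hdr[T2T_CC2_TMS_BYTE]);
    for (unsigned i = 0; i < n; i++) {       /* n is attacker-controlled */
        cb->table[i].byte_index = (uint8_t)i;
        cb->table[i].lock_byte  = 0;
    }
    cb->num_lockbytes = n;
    return n > MAX_LOCK_BYTES ? n - MAX_LOCK_BYTES : 0;
}

/* Hardened shape: check the count against the table's capacity before any
 * write. Returns false and leaves the table untouched if it does not fit. */
bool extract_default_locks_hardened(t2t_cb_t *cb) {
    unsigned n = dynamic_lock_bytes_from_tms(cb->tag_hdr[T2T_CC2_TMS_BYTE]);
    if (n > MAX_LOCK_BYTES) {
        fprintf(stderr, "TMS 0x%02x implies %u lock bytes, capacity is %d\n",
                cb->tag_hdr[T2T_CC2_TMS_BYTE], n, MAX_LOCK_BYTES);
        return false;
    }
    for (unsigned i = 0; i < n; i++) {
        cb->table[i].byte_index = (uint8_t)i;
        cb->table[i].lock_byte  = 0;
    }
    cb->num_lockbytes = n;
    return true;
}

/* Constructed first read response with a given TMS byte; the other bytes
 * are the ones shown in the advisory (two trailing bytes dropped). */
static void build_header(t2t_cb_t *cb, uint8_t tms) {
    static const uint8_t base[16] = {0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                     0xfa, 0xff, 0xff, 0xff, 0xe1, 0x11, 0x00, 0x00};
    memset(cb, 0, sizeof *cb);
    memcpy(cb->tag_hdr, base, sizeof base);
    cb->tag_hdr[T2T_CC2_TMS_BYTE] = tms;
}

/* Entries the vulnerable path writes past the table for a given TMS byte. */
unsigned overflow_entries_for_tms(uint8_t tms) {
    t2t_cb_t cb;
    build_header(&cb, tms);
    return extract_default_locks_vulnerable(&cb);
}

/* Whether the hardened path accepts a tag with the given TMS byte. */
bool hardened_accepts_tms(uint8_t tms) {
    t2t_cb_t cb;
    build_header(&cb, tms);
    return extract_default_locks_hardened(&cb);
}

int main(void) {
    printf("TMS 0x12: %u lock bytes, overflow %u, hardened accepts %d\n",
           dynamic_lock_bytes_from_tms(0x12), overflow_entries_for_tms(0x12),
           hardened_accepts_tms(0x12));
    printf("TMS 0xff: %u lock bytes, overflow %u, hardened accepts %d\n",
           dynamic_lock_bytes_from_tms(0xff), overflow_entries_for_tms(0xff),
           hardened_accepts_tms(0xff));
    return 0;
}
```

With a 144-byte tag (TMS 0x12) the count is 2 and both paths behave the same; with the advisory's TMS of 0xff the model yields 32 lock bytes against a 12-entry table, so the vulnerable path writes 20 entries past the end while the hardened path refuses the tag before touching the table. The fix is the bounds check on the tag-derived count, not anything about the header bytes themselves.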
Impact
If successfully exploited, an attacker within NFC range could obtain remote code execution in the Android device's NFC daemon.
Coordinated Disclosure Timeline
- 07/01/2020 Reported as issue 147259762, Android ID 147310721.
- 06/04/2020 Fix published in the 2020-04-01 Android Security patch.
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-008 in any communication regarding this issue.
[1] https://android.googlesource.com/platform/system/nfc/+/a581069b8f449f5e5d7804ac70fa4d9d57a2b94e/src/nfc/tags/rw_t2t_ndef.cc#852
[2] https://android.googlesource.com/platform/system/nfc/+/a581069b8f449f5e5d7804ac70fa4d9d57a2b94e/src/nfc/tags/rw_t2t_ndef.cc#99
[3] https://android.googlesource.com/platform/system/nfc/+/a581069b8f449f5e5d7804ac70fa4d9d57a2b94e/src/nfc/tags/rw_t2t_ndef.cc#868