Summary
An Out-Of-Bounds write in Android’s rw_t2t_extract_default_locks_info could leads to remote code execution.
Product
Android Open Source Project
CVE
CVE-2020-0071
Tested Version
Pixel3a with build id: QQ1A.191205.011 (tag android-10.0.0_r16). (latest publicly available build as of the time of writing) Proxmark3 used is the RDV4.01
Details
In the rw_t2t_extract_default_locks_info, the num_dynamic_lock_bytes is derived from p_t2t->tag_hdr[T2T_CC2_TMS_BYTE] 1, which is the 14th entry in the first response in a detection sequence 2. The num_dynamic_lock_bytes is then used as an upper bound to access p_t2t->lockbytes 3. By using a tag_hdr that with a large enough T2T_CC2_TMS_BYTE, e.g. the following as the initial response:
{0x04, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0xfa, 0xff, 0xff, 0xff,
0xe1, 0x11, 0xff, 0x00, //<- 0xff in this row corresponds to |T2T_CC2_TMS_BYTE| in |tag_hdr|
0x00, 0x00},
it is possible to cause num_dynamic_lock_bytes to exceed the size of p_t2t->lockbytes, causing an OOB write.
Impact
If succesfuly exploited, an attacker within NFC range could obtain remote code execution on android device’s NFC daemon.
Coordinated Disclosure Timeline
- 07/01/2020 Reported as issue 147259762, Android ID 147310721.
- 06/04/2020 Fix published in 2020-04-01 Andriod Security patch
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com, please include the GHSL-2020-008 in any communication regarding this issue.
-
https://android.googlesource.com/platform/system/nfc/+/a581069b8f449f5e5d7804ac70fa4d9d57a2b94e/src/nfc/tags/rw_t2t_ndef.cc#852 ↩
-
https://android.googlesource.com/platform/system/nfc/+/a581069b8f449f5e5d7804ac70fa4d9d57a2b94e/src/nfc/tags/rw_t2t_ndef.cc#99 ↩
-
https://android.googlesource.com/platform/system/nfc/+/a581069b8f449f5e5d7804ac70fa4d9d57a2b94e/src/nfc/tags/rw_t2t_ndef.cc#868 ↩