Summary

An out-of-bounds write in Android's rw_t2t_extract_default_locks_info could lead to remote code execution.

Product

Android Open Source Project

CVE

CVE-2020-0071

Tested Version

Pixel 3a with build id QQ1A.191205.011 (tag android-10.0.0_r16), the latest publicly available build as of the time of writing. The Proxmark3 used was the RDV4.01.

Details

In rw_t2t_extract_default_locks_info, num_dynamic_lock_bytes is derived from p_t2t->tag_hdr[T2T_CC2_TMS_BYTE] [1], which is the 14th entry in the first response of a detection sequence [2]. num_dynamic_lock_bytes is then used as an upper bound for accessing p_t2t->lockbytes [3]. By using a tag_hdr with a large enough T2T_CC2_TMS_BYTE, e.g. the following as the initial response:

  {0x04, 0x00, 0x00, 0x00,
   0x00, 0x00, 0x00, 0x00,
   0xfa, 0xff, 0xff, 0xff,
   0xe1, 0x11, 0xff, 0x00, // <- the 0xff in this row is |T2T_CC2_TMS_BYTE| in |tag_hdr|
   0x00, 0x00},

it is possible to make num_dynamic_lock_bytes exceed the size of p_t2t->lockbytes, causing an out-of-bounds write.
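The following C program is an added illustration of the bounds problem described above, written for this page; it is not code from the Android NFC stack. It models the derivation of a dynamic-lock-byte count from the TMS byte and shows a version of the extraction routine that validates that count against the capacity of the lock-byte array before writing. The constants (the 8-byte TMS unit, the 64-byte static area, the 16-byte header, 8 bytes locked per lock bit) and the array capacity LOCKBYTES_MAX are assumptions chosen to mirror the Type 2 Tag layout, and the simplified t2t_ctx struct, the function names and the sample responses are constructed for the example. The first sample uses the first 16 bytes of the header shown above (TMS = 0xff); the other two are benign headers constructed for comparison.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative constants modelled on the Type 2 Tag layout (assumptions, not
 * copied from the advisory or the AOSP sources). */
#define T2T_CC2_TMS_BYTE      14   /* CC2 byte: tag memory size in 8-byte units */
#define T2T_TMS_TAG_FACTOR    8
#define T2T_STATIC_SIZE       64   /* static memory area, including header */
#define T2T_HEADER_SIZE       16
#define T2T_DEFAULT_LOCK_BLPB 8    /* bytes locked per dynamic lock bit */
#define TAG_BITS_PER_BYTE     8
#define LOCKBYTES_MAX         30   /* hypothetical capacity of lockbytes[] */

/* Simplified tag context; the real one stores lock-info structs, not bytes. */
typedef struct {
    uint8_t tag_hdr[16];
    uint8_t lockbytes[LOCKBYTES_MAX];
    uint8_t num_lockbytes;
} t2t_ctx;

/* Number of dynamic lock bytes implied by a TMS byte. Tags whose memory does
 * not extend past the static area get no dynamic lock bytes; checking that
 * first also avoids an unsigned underflow in the subtraction. */
uint32_t num_dynamic_lock_bytes_from_tms(uint8_t tms) {
    uint32_t tag_size = (uint32_t)tms * T2T_TMS_TAG_FACTOR;
    uint32_t static_data = T2T_STATIC_SIZE - T2T_HEADER_SIZE;
    if (tag_size <= static_data) return 0;
    uint32_t bits = (tag_size - static_data) / T2T_DEFAULT_LOCK_BLPB;
    return bits / TAG_BITS_PER_BYTE + ((bits % TAG_BITS_PER_BYTE) ? 1 : 0);
}

/* Hardened extraction: the count comes from attacker-controlled tag data, so
 * it is validated against the array capacity before any element is written.
 * Returns 0 on success and -1 when the tag header is rejected. */
int extract_default_locks_info_checked(t2t_ctx *ctx) {
    uint32_t n = num_dynamic_lock_bytes_from_tms(ctx->tag_hdr[T2T_CC2_TMS_BYTE]);
    if (n > LOCKBYTES_MAX) {
        ctx->num_lockbytes = 0;
        return -1;           /* reject instead of writing past lockbytes[] */
    }
    for (uint32_t i = 0; i < n; i++) {
        ctx->lockbytes[i] = 0;  /* stand-in for the per-byte lock info */
    }
    ctx->num_lockbytes = (uint8_t)n;
    return 0;
}

/* Build a context from the 16-byte first-read response of a tag. */
void ctx_from_response(t2t_ctx *ctx, const uint8_t resp[16]) {
    memset(ctx, 0, sizeof *ctx);
    memcpy(ctx->tag_hdr, resp, 16);
}

/* Constructed sample responses: the oversized header from the advisory
 * (TMS = 0xff), a 144-byte tag (TMS = 0x12) and a 48-byte tag (TMS = 0x06). */
static const uint8_t oversized_resp[16] = {0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                           0xfa, 0xff, 0xff, 0xff, 0xe1, 0x11, 0xff, 0x00};
static const uint8_t tag144_resp[16]    = {0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                           0xfa, 0xff, 0xff, 0xff, 0xe1, 0x11, 0x12, 0x00};
static const uint8_t tag48_resp[16]     = {0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                           0xfa, 0xff, 0xff, 0xff, 0xe1, 0x11, 0x06, 0x00};

/* Convenience wrapper: returns the checked result for a given response. */
int check_response(const uint8_t resp[16], uint32_t *count_out) {
    t2t_ctx ctx;
    ctx_from_response(&ctx, resp);
    *count_out = num_dynamic_lock_bytes_from_tms(ctx.tag_hdr[T2T_CC2_TMS_BYTE]);
    return extract_default_locks_info_checked(&ctx);
}

int main(void) {
    const uint8_t *samples[] = {oversized_resp, tag144_resp, tag48_resp};
    for (int i = 0; i < 3; i++) {
        uint32_t n;
        int rc = check_response(samples[i], &n);
        printf("TMS 0x%02x -> %u dynamic lock bytes (capacity %d): %s\n",
               samples[i][T2T_CC2_TMS_BYTE], n, LOCKBYTES_MAX,
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

Under these assumptions the header from the advisory yields 32 lock bytes against a capacity of 30, so the checked routine rejects it, while the 144-byte and 48-byte tags yield 2 and 0 lock bytes and are accepted. The point for a reviewer is the shape of the check: a count computed from bytes read off the tag must be compared with the destination's capacity before it is used as a loop bound.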

Impact

If successfully exploited, an attacker within NFC range could obtain remote code execution in the Android device's NFC daemon.

Coordinated Disclosure Timeline

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-008 in any communication regarding this issue.

1. https://android.googlesource.com/platform/system/nfc/+/a581069b8f449f5e5d7804ac70fa4d9d57a2b94e/src/nfc/tags/rw_t2t_ndef.cc#852
2. https://android.googlesource.com/platform/system/nfc/+/a581069b8f449f5e5d7804ac70fa4d9d57a2b94e/src/nfc/tags/rw_t2t_ndef.cc#99
3. https://android.googlesource.com/platform/system/nfc/+/a581069b8f449f5e5d7804ac70fa4d9d57a2b94e/src/nfc/tags/rw_t2t_ndef.cc#868