Information Disclosure via AEE extension to debuggerd

  • Type: Information Disclosure
  • Severity: Medium
  • Affected products: Huawei Y6 Pro Dualsim
  • CVE Reference: N/A

Timeline

2017-04-05

Issue reported to Huawei.

2017-08-04

Huawei confirmed this issue was fixed in version TIT-L01C576B120.

Description

Huawei is a company that provides networking and telecommunications equipment.
The AEE (Android Exception Enhancement) extension in the debuggerd daemon leaks sensitive information such as screenshots, the address space of any process, kernel and system logs, and other information about the current state of the system. A malicious Android application, or any other user on the device, could abuse this to disclose sensitive data or develop further attacks against the device itself.

Impact

Exploitation of this issue could allow any user to disclose sensitive information, which can then be used to develop further attacks or to steal confidential data such as screenshots or application logs.

Cause

Lack of privilege validation on the @com.mtk.aee.aed and @com.mtk.aee.aed_64 Unix sockets.

Solution

This vulnerability was resolved by Huawei in version TIT-L01C576B120. More information can be found on the Huawei web page: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170804-01-smartphone-en 

Technical Details

Please refer to the attached advisory.