Privilege Escalation via adbd Misconfiguration

CVE-2017-13212

    Type

  • Elevation of Privilege
  • Severity

  • Medium
  • Affected products

  • Android Open Source Project (AOSP)
  • CVE Reference

  • CVE-2017-13212
Timeline
2017-05-28

Issue reported to Google

2017-06-12

Google’s initial severity assessment rates it as Moderate

2018-01-05

Patched in January 5, 2018 Android Security Bulletin

2018-01-17

Public disclosure of vulnerability and technical blog post

Description

A local privilege escalation vulnerability was identified in Android by exploiting the Android Debug Bridge daemon (adbd) running on a device.
If an android device was found to be running adbd configured to be listening on a TCP port, a feature commonly referred to as ‘ADB over Wifi’, a malicious application running on the device could connect and authenticate to the adbd daemon and escalate its privileges to that of adbd.
Exploiting this misconfiguration would allow the android application to elevate its privileges from the context of “u:r:untrusted_app:s0” to that of “u:r:shell:s0”.

Impact

This adbd configuration could be exploited by a malicious application running on the device with the ability to connect to the TCP port that adbd is listening on. This typically requires the application to define the INTERNET permission in its AndroidMainifest.xml. Once an application has successfully authenticated to the daemon, it can then execute commands with the privileges of the adb shell user. This would allow the application to perform privileged functions such as installing/uninstalling applications, reading and writing to the SDcard, recording the user’s screen contents, injecting touch events to automate user input, etc.

However, the impact of this vulnerability is significantly reduced as by default adbd in AOSP images is configured to only be accessible via authenticated USB connections. Applications installed on a device are not able to force ADB to run over Wifi instead of the default USB. Therefore exploiting this vulnerability is only possible where the device owner had already enabled ADB over Wifi.

Cause

The SystemUI pop-up used to display the RSA authentication prompt when an adb server attempts to connect to adbd is vulnerable to overlay attacks. Should the targeted android device be running ADB over Wifi, a malicious android application on the device could initiate a connection to adbd over the TCP port it’s listening on and attempt to authenticate to adbd. The application would be able to overlay the RSA authentication prompt with an arbitrary message to trick the user into authorising the adb server connection originating from the malicious application.

Solution

This vulnerability was addressed by adding overlay detection capabilities to the SystemUI pop-up used to display the RSA authentication prompt. The patch for which was included in the January 5, 2018 Android Security Bulletin. Android users are advised to update their devices to this patch level.

Demo

Technical details

Please refer to the attached advisory and complementary blog post.