Exploitalert - Database of Exploits

Android maxdsm Driver Kernel Information Disclosure

CVE	Category	Price	Severity
CVE-2021-28672	CWE-200	$10,000	High

Author	Risk	Exploitation Type	Date
Unknown	High	Local	2017-01-06

CPE
cpe:cpe:/a:android:maxdsm_driver

CVSS	EPSS	EPSSP
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	None	A	There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.

https://cxsecurity.com/ascii/WLB-2017010031

Android maxdsm Driver Kernel Information DisclosureAndroid: Kernel information disclosure in "maxdsm_read" The "maxdsm" driver exposes several character devices which can be used to control and calibrate the device. One such device is the "control device", exposed under: "/dev/dsm_ctrl_dev". The character device provides several file operations, including a "read" operation, which is implemented using the function "maxdsm_read". The code for the "maxdsm_read" function is as follows: 1. static ssize_t maxdsm_read(struct file *filep, char __user *buf, 2.size_t count, loff_t *ppos) 3. { 4. int ret; 5. 6.mutex_lock(&dsm_fs_lock); 7. 8.maxdsm_read_all(); 9. 10./* copy params to user */ 11.ret = copy_to_user(buf, maxdsm.param, count); 12.if (ret) 13.pr_err("%s: copy_to_user failed - %d\n", __func__, ret); 14. 15.mutex_unlock(&dsm_fs_lock); 16. 17.return ret; 18. } This function fails to validate the "count" argument, passed in by the caller. This means that calling "read" with a large count (i.e., larger than maxdsm.param_size) would copy in additional bytes which reside after the maxdsm.param buffer. I've statically verified this issue on an SM-G935F device, using the open-source kernel package "SM-G935F_MM_Opensource". The "/dev/dsm_ctrl_dev" file is owned by root, and has an SELinux context of "u:object_r:device:s0". According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files: allow icd device : file { write append open } ; allow system_app device : dir { read getattr search open } ; allow device device : filesystem associate ; allow kiesexe device : file { ioctl read getattr lock open } ; allow oneseg_mw device : sock_file write ; allow llk_untrusted_app device : sock_file { ioctl read write getattr lock append open } ; allow ddexe device : file { ioctl read getattr lock open } ; allow ueventd device : file { ioctl read write create getattr setattr lock append unlink rename open } ; allow qti_init_shell device : file { ioctl read write create getattr setattr lock append unlink rename open } ; allow radio device : sock_file write ; allow init device : chr_file { ioctl read write create getattr setattr lock append unlink rename open } ; allow init device : file { ioctl read write create getattr setattr lock relabelfrom append unlink rename open } ; allow rild device : file { ioctl read write create getattr setattr lock append unlink rename open } ; allow nfc device : lnk_file read ; allow mpdecision device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; allow charge device : dir { read write open } ; allow vold device : chr_file { ioctl create setattr lock append link rename execute } ; allow rild device : lnk_file { create unlink } ; allow rtcc device : dir { ioctl read write getattr add_name remove_name search open } ; allow dhcp device : file { ioctl read getattr lock open } ; allow debuggerd device : dir { write add_name remove_name } ; allow domain device : dir search ; allow bootchecker device : sock_file write ; allow rild device : dir { ioctl read write getattr add_name remove_name search open } ; allow ffu device : dir { ioctl read write getattr add_name remove_name search open } ; allow felica_app device : dir { read write setattr open } ; allow vold device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; allow ext_symlink device : dir { write add_name remove_name } ; allow domain device : file read ; allow servicemanager device : file { ioctl read getattr lock open } ; allow init device : lnk_file unlink ; allow sdcardd device : dir { ioctl read write getattr add_name remove_name search open } ; allow llk_untrusted_app device : fifo_file { ioctl read write getattr lock append open } ; allow bugreport device : sock_file write ; allow wpa device : file { ioctl read getattr lock open } ; allow kernel device : chr_file { create getattr setattr unlink } ; allow kernel device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; allow system_server device : sock_file { ioctl read write getattr lock append open } ; allow tbased device : dir { write create add_name } ; allow qti_init_shell device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; allow untrusteddomain device : dir { read write setattr open } ; allow system_app device : file { ioctl read getattr lock open } ; allow cnd device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; allow ext_symlink device : lnk_file { create unlink } ; allow thermal-engine device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; allow mpdecision device : dir { ioctl read write getattr add_name remove_name search open } ; allow qlogd device : dir { ioctl read getattr search open } ; allow kernel device : blk_file { ioctl read write create getattr setattr lock append unlink rename open } ; allow p2p_supplicant device : file { ioctl read getattr lock open } ; allow slideshow device : dir { ioctl read getattr search open } ; allow charge device : chr_file { create unlink } ; allow ueventd device : chr_file { ioctl read write getattr lock append open } ; allow healthd device : dir { write add_name remove_name search open } ; allow fsck device : dir write ; allow mmb_mw device : sock_file write ; allow init device : dir { write relabelto mounton add_name remove_name } ; allow cbd device : dir { ioctl read write getattr add_name remove_name search open } ; allow tee device : dir { ioctl read getattr search open } ; allow system_app device : sock_file write ; allow ueventd device : lnk_file { ioctl read getattr lock unlink link rename open } ; allow system_server device : dir { ioctl read getattr search open } ; allow dumpstate device : sock_file write ; This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: laginimaineb

Impressum