Vulnerabilities > CVE-2017-0433 - Privilege Escalation vulnerability in Google Android Synaptics Touchscreen Driver
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the touchscreen chipset. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10. Android ID: A-31913571.
Vulnerable Configurations
Seebug
| bulletinFamily | exploit |
| description | #### Products * Nexus 6P * Nexus 9 * Android One * Pixel * Pixel XL #### Vulnerable Versions * Verified on Nexus 9 6.0.1/MOB30W * Verified on Nexus 9 7.0/NRD90M #### Technical Details Due to lenient SELinux and DAC policy, vulnerable Synaptics DSX (touchscreen driver) sysfs file entires are exposed to an attacker that executes code within the mediaserver context on Android M 6.0.1 and system_server, bluetooth, nfc contexts on Android N 7.0 (or any other SELinux domain that has target type sysfs with the open and write permissions on file class). These vulnerable sysfs entries allows an attacker to inject a flawed firmware image, through user-space, onto the Synaptics touchscreen controller. Synaptic’s Touchscreen controllers are built on top of a proprietary 16-bit microcontroller. So no datasheets to help us reverse engineer it. Nevertheless, we could still infer the firmware image layout by peeking into Synaptic’s touchscreen firmware update mechanism inside the kernel. A high level representation: ``` +----------+--------------------+----------+ | | | | | FIRMWARE | ENCRYPTED FIRMWARE | FIRMWARE | | HEADER | BLOB | CONFIG | | | | | +----------+--------------------+----------+ ``` When provided with a firmware image, the update mechanism carves out its “firmware_id” ( a field within the header) and queries the touchscreen controller for its current “firmware_id”. If the former is greater than the latter the firmware is flashed to the controller. We crafted a flawed firmware image that consists of a higher “firmware_id” and a messed up encrypted firmware blob (we zeroed some bytes within it) and were able to flash it successfully to the controller. The Synaptic’s controller does not defend against Ciphertext Malleability attacks by using Digital Signatures or Message Authentication Codes. #### Timeline * 01-Mar-17: Added as ALEPH-2016001. * 06-Feb-17: Public disclosure. |
| id | SSV:93102 |
| last seen | 2017-11-19 |
| modified | 2017-05-12 |
| published | 2017-05-12 |
| reporter | Root |
| title | Google Nexus Synaptics Touchscreen Firmware Injection(CVE-2017-0433) |