
Gaining rooting primitives for Android Mediatek chips

Aug 14, 2019 | Posted by Or Cyngiser, Senior Security Researcher


Today we take a short trip into a privilege escalation vulnerability affecting millions of devices running Android. The real-world impact and exploitability of the issue are still open questions, so we would be glad to hear our readers' thoughts and ideas.

Mediatek is a chip vendor that manufactures System-on-Chips (SoCs) for a wide variety of devices. We came across them in the Amazon Echo Dot, which uses an MT8163 as its main application processor and an MT6625 Bluetooth/Wi-Fi/GPS combo chip. Although Mediatek does not openly publish its Android ports (the kernel portion is GPL, so at least that part should be available), some older ones can be found in various GitHub repositories and in firmware dumps extracted from eMMC chips.

When inspecting the dumped Echo code, which runs FireOS, an Android fork, we came across an executable called meta_tst. Tracing back the call chain, it is launched when the system boots into Meta Mode, the flashing and recovery procedure implemented by Mediatek. The kernel detects a custom button-press sequence (on smartphones it is usually volume down + power) and starts /sbin/multi_init instead of /sbin/init. multi_init loads the meta_init.rc configuration file, which launches meta_tst in early userspace. One of Meta Mode's features is wiping the existing eMMC data so that it can be reflashed with new firmware.

After checking the meta_tst disassembly and finding an interesting snippet, we found the corresponding C code in a seven-year-old repository on GitHub. Below is the block that clears the "/data" directory, from meta_clr_emmc.c:


readdir is called on a directory stream (d) opened on "/data", and the function loops over the directory entries. For each entry (de) it builds an "rm" command line by appending the entry name and runs it through system(). If the file name contains a semicolon, for instance, "rm" finishes and the shell executes the rest of the file name as a separate command, running as root because meta_tst itself runs as root in early userspace. A classic system() command injection :( . The semicolon is only the simplest trigger: "|", "&&", backticks and "$(...)" in the name work the same way, and unless the command line puts "--" before the name, a name beginning with "-" is also parsed by rm as an option.

(Figure: example of command injection through the shell.) system() does not run rm directly: it hands the whole string to "sh -c" (on Android, /system/bin/sh), and it is the shell that tokenizes it, so the file name never reaches rm as a single argument and anything after a ";" becomes a second command.

Mediatek confirmed the issue but did not provide us with the exact chip lines and firmware version numbers affected, so a complete list for full disclosure is not possible. MT65xx and MT66xx are definitely affected, as is the MT8163 in the Echo Dot, but most likely every Mediatek SoC that uses eMMC storage and implements Meta Mode is prone to this vulnerability. That includes smartphones, tablets, smart TVs, etc.

It is important to note that being able to write a file with an attacker-controlled name into /data is not trivial and requires a completely different breach, and the wipe only runs once the device is booted into Meta Mode. Still, we feel this is a significant escalation and may well help the rooting community on a variety of devices.


Disclosure timeline (2019):

16/07 - Filed disclosure form
18/07 - Mediatek confirms vulnerability
14/08 - Public disclosure