A team of researchers discovered a way to hack the Android Pixel phone by taking advantage of two different vulnerabilities. What are the Pixel vulnerabilities, and how were they exploited?
The Android Pixel phone, designed, developed and marketed by Google, was the only device that was not pwned in the 2017 Mobile Pwn2Own competition -- a contest held to demonstrate attacks on the most popular mobile devices. However, in August 2017, Guang Gong of Qihoo 360 Technology Co. Ltd found that by chaining two separate Pixel vulnerabilities, CVE-2017-5116 and CVE-2017-14904, and socially engineering a user to click on a malicious link in Chrome, he could inject arbitrary code into an Android Pixel phone. Exploitation of the Pixel vulnerabilities for an attack combines elements from three different technologies:
- WebAssembly: a low-level programming language for in-browser, client-side execution.
- Web Workers: an API for spawning background scripts in a web application.
- Type confusion: if a software developer writes code that doesn't verify the type of an object before passing it to other sections of code, the result can be type confusion problems in memory, because different object types can use different memory layouts. Type confusion can lead to the wrong function pointers or data being fed to the wrong piece of code.
Gong found a type confusion bug in the V8 engine's GetFirstArgumentAsBytes function, which accepts either an ArrayBuffer or a TypedArray object. This allows malicious WebAssembly code to be placed in a SharedArrayBuffer and then transferred to a web worker. While the main thread parses the WebAssembly code, the worker thread can modify that same code concurrently, creating a race condition. The race produces an out-of-bounds memory access, which can result in pieces of data from the stack being dumped into the WebAssembly memory. A proof of concept can be found here. By also exploiting CVE-2017-14904, a privilege escalation flaw in Android's libgralloc module, Gong could escape Chrome's sandbox and achieve remote code execution.
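A defensive pattern for the bug class described above, as an added example (not the article's code, not Gong's proof of concept and not V8's actual fix): validate a private copy of the module bytes rather than the caller's buffer, and refuse views over shared memory, so that a worker cannot change the bytes between the check and the parse. The header check uses the public WebAssembly magic and version fields; all function names are assumed.

```javascript
// Added example: the bug above is a time-of-check/time-of-use gap, where a
// worker can overwrite bytes the parser is validating. Copying first closes it.

const WASM_MAGIC = [0x00, 0x61, 0x73, 0x6d];   // "\0asm"
const WASM_VERSION = [0x01, 0x00, 0x00, 0x00]; // binary format version 1

// Return a Uint8Array over a fresh, non-shared ArrayBuffer, or throw a TypeError.
// Accepts an ArrayBuffer or any ArrayBufferView (typed array / DataView); rejects
// views over a SharedArrayBuffer outright, since another thread can write to those.
function snapshotBytes(source) {
  let view;
  if (source instanceof ArrayBuffer) {
    view = new Uint8Array(source);
  } else if (ArrayBuffer.isView(source)) {
    if (typeof SharedArrayBuffer !== 'undefined' &&
        source.buffer instanceof SharedArrayBuffer) {
      throw new TypeError('shared memory is not accepted as module bytes');
    }
    view = new Uint8Array(source.buffer, source.byteOffset, source.byteLength);
  } else {
    throw new TypeError('expected an ArrayBuffer or ArrayBufferView');
  }
  return Uint8Array.from(view); // copies into a new, unshared buffer
}

// Check the 8-byte WebAssembly header (magic + version) on the snapshot.
function hasWasmHeader(bytes) {
  const expected = WASM_MAGIC.concat(WASM_VERSION);
  return bytes.length >= expected.length &&
         expected.every((b, i) => bytes[i] === b);
}

// Full gate: snapshot first, then validate. Everything after this point
// (a real parser would follow) sees only the private copy.
function validateModuleBytes(source) {
  const bytes = snapshotBytes(source);
  if (!hasWasmHeader(bytes)) {
    throw new Error('not a WebAssembly module: bad magic or version');
  }
  return bytes;
}

// Constructed demo: a header-only module, validated and then mutated at source.
const demoBuffer = new ArrayBuffer(8);
new Uint8Array(demoBuffer).set(WASM_MAGIC.concat(WASM_VERSION));
const snapshot = validateModuleBytes(demoBuffer);
new Uint8Array(demoBuffer)[4] = 0xff; // a "worker" writes after validation
console.log('snapshot still valid:', hasWasmHeader(snapshot)); // true
```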
All Pixel devices or partner devices using seamless system updates will automatically install the updates that fix this issue, but users must restart their devices to complete the installation. Fixes for these two Pixel vulnerabilities were issued in Android Security Bulletin -- December 2017, so devices with a security patch level of 2017-12-05 or later are protected from these issues.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)