Last year we published UnZiploc, our research into Huawei’s OTA update implementation. Back then, we have successfully identified logic vulnerabilities in the implementation of the Huawei recovery image that allowed root privilege code execution to be achieved by remote or local attackers. After Huawei fixed the vulnerabilities we have reported, we decided to take a second look at the new and improved recovery mode update process. This time, we managed to identify a new vulnerability in a proprietary mode called “SD-Update”, which can once again be used to achieve arbitrary code execution in the recovery mode, enabling unauthentic firmware updates, firmware downgrades to a known vulnerable version or other system modifications.
Recently we have disclosed new advisories related to the remote exploitation of Huawei smartphones. The research that led to these findings was motivated by analyzing new interfaces for remote code execution on a mobile platform. After our work on exploiting Huawei’s Kirin via its baseband interface, we wanted to explore the possibilities of logic bugs as RCE vectors in a modern smartphone chipset, as opposed to memory corruption scenarios that are more common in public research. Logic bugs can be the most powerful because they have the potential to bypass almost all the exploit mitigations that are the typical focus these days, like ASLR, N^X, sandboxing parser code, etc.
We have identified a new Toc-ToU race condition vulnerability in Huawei’s recovery image implementation of SD-card based firmware updates. The vulnerability can be exploited to achieve arbitrary code execution in recovery mode, enabling unauthentic firmware updates, firmware downgrades to a known vulnerable version or other system modifications. The vulnerability we are disclosing in this advisory affected a wide range of Huawei devices, including phones on the newest chipsets (Kirin 9000). The November 2022 issue of HarmonyOS and EMUI Security Bulletins contains this vulnerability as CVE-2022-44563. Vulnerability Details The implementation of the “SD-update” mode of the Huawei recovery process, which is a proprietary mode for handling update files located on external media, contains the vulnerability that the update file gets reread between different verification phases.
In this advisory we are disclosing a vulnerability in the Huawei log device that allows any unprivileged process to learn the value of randomized kernel pointers. The vulnerability can be used to defeat KASLR mitigation. Huawei kernels are shipped with custom log devices (/dev/hwlog_dubai, /dev/hwlog_exception and /dev/hwlog_jank) that facilitate better system diagnostics through a series of ioctl calls. One of these diagnostics module is referred to as memcheck, and it provides detailed statistics about the system memory usage. These statistics can disclose randomized kernel pointers to an attacker, enabling them to defeat the KASLR security mitigation. Due to an access control configuration error, these ioctls are exposed to untrusted and isolated application contexts, as a result any unprivileged process can exploit this vulnerability.