We have identified a new ToC-ToU race condition vulnerability in Huawei’s recovery image implementation of SD-card based firmware updates. The vulnerability can be exploited to achieve arbitrary code execution in recovery mode, enabling unauthentic firmware updates, firmware downgrades to a known vulnerable version, or other system modifications.
The vulnerability we are disclosing in this advisory affected a wide range of Huawei devices, including phones on the newest chipsets (Kirin 9000). The November 2022 issue of HarmonyOS and EMUI Security Bulletins contains this vulnerability as CVE-2022-44563.
The “SD-update” mode of the Huawei recovery process, a proprietary mode for handling update files located on external media, rereads the update file between different verification phases. This “Time-of-Check Time-of-Use” vulnerability can be exploited to pass verification and then force modified update image data to be the data that is actually used. By chaining this vulnerability with additional gaps in the update process authentication implementation, it is possible to achieve arbitrary code execution as root in recovery mode.
In order to implement a proof-of-concept exploit, we have developed a custom software emulation of a USB flash drive that can provide the recovery with different data on each read, thereby triggering the vulnerability at will.
For more details on the vulnerability and how to exploit it, see our companion research blog post.
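The check-then-reread pattern described above, reduced to an added C illustration (not Huawei's recovery code and not the authors' proof of concept): `update_reread` verifies one read of the media and installs a second, while `update_single_read` verifies and installs the same private copy. The `media` struct, the FNV-1a digest standing in for signature verification, and the sample images are assumptions constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define IMG_LEN 16
/* Constructed stand-in for untrusted external media: the first read returns
 * one image, every later read returns another. */
struct media { const uint8_t *first, *later; int reads; };
static void media_read(struct media *m, uint8_t *out) {
    memcpy(out, m->reads++ == 0 ? m->first : m->later, IMG_LEN);
}

/* Toy integrity check (assumption): stands in for the real signature
 * verification, whose details the advisory does not give. */
static uint32_t digest(const uint8_t *p) {
    uint32_t h = 2166136261u;                       /* FNV-1a */
    for (size_t i = 0; i < IMG_LEN; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Flawed pattern: check one read, then use a second, unchecked read. */
int update_reread(struct media *m, uint32_t trusted, uint8_t *installed) {
    uint8_t tmp[IMG_LEN];
    media_read(m, tmp);                             /* time of check */
    if (digest(tmp) != trusted) return -1;
    media_read(m, installed);                       /* time of use */
    return 0;
}

/* Hardened pattern: one read into private memory; verify and use that copy. */
int update_single_read(struct media *m, uint32_t trusted, uint8_t *installed) {
    uint8_t priv[IMG_LEN];
    media_read(m, priv);
    if (digest(priv) != trusted) return -1;
    memcpy(installed, priv, IMG_LEN);               /* exactly the verified bytes */
    return 0;
}

/* Constructed sample images (15 characters plus NUL each). */
static const uint8_t GOOD[IMG_LEN]  = "signed-image-v2";
static const uint8_t OTHER[IMG_LEN] = "other-image-xxx";

/* Returns 1 if the update was accepted and the installed bytes are the verified ones. */
int verified_equals_installed(int hardened) {
    struct media m = { GOOD, OTHER, 0 };
    uint8_t inst[IMG_LEN] = {0};
    int rc = hardened ? update_single_read(&m, digest(GOOD), inst)
                      : update_reread(&m, digest(GOOD), inst);
    return rc == 0 && memcmp(inst, GOOD, IMG_LEN) == 0;
}
```

With media whose content changes after the first read, the reread flow accepts the update but installs bytes that were never checked; the single-read flow can only install what it verified.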
The vulnerability can be exploited without any knowledge of user credentials. It takes just a few seconds to boot or force reboot the phone into the eRecovery mode, and the injected binary is ready to run almost immediately after starting the update process. Furthermore, the resources needed for the exploitation are minimal: a Raspberry Pi with a USB-C cable or even another Huawei phone can be used with a patched USB mass storage device kernel module.
Huawei’s proprietary update solution is identical throughout their device lineup regardless of the employed chipset (Hisilicon, Qualcomm, Mediatek) or the used base OS (EMUI, HarmonyOS) of a device. Accordingly, we have verified the following devices to be affected:
- Huawei Mate 40 Pro (NOH-NX9) on 22.214.171.124 (HarmonyOS) – Kirin 9000 chipset
- Huawei Mate 30 Pro (LIO-L29) on 126.96.36.199 (HarmonyOS) – Kirin 990 chipset
- Huawei P50 Pro (JAD-LX9) on 188.8.131.52 (HarmonyOS) – Qualcomm chipset
- possibly every Huawei smartphone and tablet
Huawei OTA images released after November 2022 contain the fix for the vulnerability.
- 2022.09.02. Bug reported to Huawei PSIRT
- 2022.10.10. Update requested from Huawei; Huawei PSIRT responds that it is being analyzed
- 2022.11.05. Huawei releases security bulletin
- 2022.11.08. Update requested again
- 2022.11.10. Huawei confirms the vulnerability severity and the fix and CVE released in the security bulletin