قالب وردپرس درنا توس
Home / Technology / OnePlus Nord 2 has a vulnerability that provides root shell access within minutes on a locked bootloader, without a data wipe

OnePlus Nord 2 has a vulnerability that provides root shell access within minutes on a locked bootloader, without a data wipe



A lot of us here at XDA-Developers originally started browsing these forums for the first time when we were looking to root our Android devices. Back in those days, people often relied on “one-click root” methods: apps or scripts with payloads that target prominent privilege escalation vulnerabilities of the existing firmware to get root access. With improvements and changes to encryption, permissions and privacy-related handling, modern Android devices are relatively safe from such attack vectors, but there will always be room for exploits and vulnerabilities.

OnePlus may have cemented its name among the major Android OEMs, but its phones are no stranger to security flaws. This time, the company has left a rather interesting (read: varying) vulnerability unpatched on the OnePlus Nord 2 since its release. Although exploiting the loophole requires physical access to the device, the attacker can effectively Get an unrestricted root shell before the user can even enter their credentials. Notably, the newly released Pac-Man edition of the Nord 2 was also affected.

Background

Nowadays, when we talk about root access on an Android smartphone, people usually think about patching the boot image with Magisk first and then flashing the patched image to the target device after unlocking bootloader. That way, the end-user can have supervised access to the “su” binary through a manager app. A couple of other experimental approaches exist, but they rarely collect as much mainstream usage.

When it comes to pre-production, however, the scenario is completely different. While preparing the firmware of a device, the engineers need to have different logging parameters, including root access. Even on a userdebug Build, the Android Debug Bridge Daemon (ADBD) runs as root, so that one can have privileged shell access for debugging purposes. When the firmware is ready for shipping, all the debugging parameters must be turned off before rolling it.

But what happens if you forget to do so? We will see, how the official OxygenOS releases for the OnePlus Nord 2 comes with such a flaw.

OnePlus Nord 2 – Root shell vulnerability

Some OEMs like Samsung offer sideloading capability to update package in their stock recovery on retail devices. In this case, the adbd Binary runs with a significantly high privilege while sideloading, but it closes as soon as the update process ends. Besides this, there is no ADB access permitted in an OEM-provided recovery environment.

OnePlus no longer allows users to flash an updated ZIP package through its stock recovery via ADB sideload. Assuming that everything else is configured as it should, a regular OnePlus device’s recovery environment should be safe from attackers delivering any kind of payload using ADB. Unfortunately, not everything goes according to plan in the case of the OnePlus Nord 2.

As it turns out, Anyone can spawn an Android debugging shell with root privilege in OnePlus Nord 2’s recovery environment. One of the crucial debugging settings simply made its way to the production build, which leads to the glitch.

Use the flaw on the OnePlus Nord 2

All you need to do is restart the OnePlus Nord 2 to its recovery mode. An attacker can take the device and use a simple hardware button combo to force it to go to recovery mode. In fact, there is no need to access the actual recovery menu, because the sensitive section comes earlier. Credit goes to XDA senior member AndroPlus for showing the existence of this slide back in October 2021.

  1. While the phone is turned off, press the volume down and power buttons simultaneously until you see the OnePlus logo with a minuscule “Recovery Mode” banner in the bottom left corner of the screen.
    OnePlus Nord 2 recovery mode
  2. Next, you should see the language selection screen. No need to go ahead, because we can start ADB access right from here.
    Selection of OnePlus Nord 2 recovery language
  3. Now connect the phone to a PC (or Mac) using the USB cable. If you use Windows, you can see a new Android USB debugging interface in the Device Manager. You may also need to install a suitable Android USB driver before Windows can recognize the new device. Linux and MacOS users, on the other hand, can use these lsusb Command to detect the presence of the new hardware interface.
    OnePlus Nord 2 recovery adb interface
  4. Considering that you already have the latest version of ADB and Fastboot utilities installed on your PC / Mac, enter a command prompt / PowerShell / Terminal example and execute the following command:
    adb devices

    It should list the Nord 2 in recovery mode. This is also especially interesting, because the standard ADB license prompt is not needed here. You may get a “device unauthorized” error, but wiping the existing ADB RSA key database from the host PC and restarting the ADB server should eventually allow you to get it authorized.

  5. Now study adbd To run as root:
    adb root

    The command may take a long time and you will probably get a timeout error. Nevertheless, now adbd Should be running as root.

    OnePlus Nord 2 adbed as root

  6. Finally, confirm the privilege level of the shell with the following command:
    adb shell whoami

    OnePlus Nord 2 Add Shell Vosami

The size of the defect

The potential abuses of this security vulnerability are dire. With a successful attack on the OnePlus Nord 2, an attacker can dump every partition of the device. As a result, the entire data partition – including files stored in the typically inaccessible private data directories of applications – is accessible to the attacker. If the data partition is encrypted (because the user sets a PIN or password), the dump may still be useful for forensic analysis.

Not only this, you can push an executable too /data/local/tmp And run it from there. This is a classic attack vector, which can be useful for chainloading another exploit. Moreover, since you can now call these setprop Use as root to modify various prop values, you can technically hijack some of the privileged OEM-specific variables. Last but not least, even if you do not have unlocked developer options, the phone will automatically request a USB debugging access after you invoke ADB in recovery and reboot to the regular Android environment, which means that the vulnerability’s scope is not limited only Recovery section.

Note that you can not install APK files using ADB in the recovery environment because the Package Manager utility is not accessible there.

How to check if your OnePlus Nord 2 is affected? (Hint: it is)

As mentioned earlier, you can use this vulnerability on both the regular and special pack-man edition of the OnePlus Nord 2. In a nutshell, if you enter a root shell (you will know when the shell symbol changes from $ To #), Then you will know that the flaw is present.

We have successfully obtained root shell access on the latest public Indian and European Oxygenos firmware for the device, which means Every single OnePlus Nord 2 camera is sensitive At the time of writing this article.


What’s next?

We will follow the matter as more information is available. OnePlus provided the following statement regarding this issue:

We take privacy and security very seriously. We prioritize the matter and we will share an update as soon as we have more information.

OnePlus spokesperson

Although all this seams scary, keep in mind that an attacker will still need to physically access the phone to get access to root shell. Until OnePlus rolls an update that patches the vulnerability, try to keep your OnePlus Nord 2 away from strangers. Although we have not found any cases of malicious use, we can not discount such possibility because the vulnerability has been in the wild for at least 2 months now.


Source link