Details: Missing access checks in put_user/get_user kernel API (CVE-2013-6282 QCIR-2013-00010-1): The get_user and put_user API functions of the Linux kernel fail to validate the target address when being used on ARM v6k/v7 platforms. This functionality was originally implemented and controlled by the domain switching feature (CONFIG_CPU_USE_DOMAINS), which has been deprecated due to architectural changes. As a result, any kernel code using these API functions may introduce a security issue where none existed before. This allows an application to read and write kernel memory to, e.g., escalate privileges. [QCIR-2013-00010-1][archived]
Details: Android does not properly check cryptographic signatures for applications, which allows attackers to execute arbitrary code via an application package file (APK) that is modified in a way that does not violate the cryptographic signature. Android security bug 8219321. [citation-needed]
Details: The camera driver provides several interfaces to user space clients. The user space clients communicate to the kernel via syscalls such as ioctl or mmap. The camera driver provides an uncontrolled mmap interface that allows an application with access to the device file to map physical memory exceeding the camera driver's memory into user space. A locally installed, unprivileged application can use this flaw to escalate privileges. [QCIR-2013-00001-1][archived]
Details: The perf_swevent_init function in kernel/events/core.c in the Linux kernel before 3.8.9 uses an incorrect integer data type, which allows local users to gain privileges via a crafted perf_event_open system call. [cve-mitre-libperf-event]
Discovered by: Hiroyuki Ikezoe [android-paper] on: Unknown
Details: The acdb audio driver provides an ioctl system call interface to user space clients for communication. When processing arguments passed to the ioctl handler, a user space supplied size is used to copy that many bytes from user space to a local stack buffer without proper bounds checking. An application with access to the /dev/msm_acdb device file (audio or system group) can use this flaw to, e.g., elevate privileges. [QCIR-2013-00002-1][archived]
Details: Integer overflow and signedness issue in camera JPEG engines (CVE-2013-4736) QCIR-2013-00005-1: The JPEG engines that are part of the camera driver provide an ioctl system call interface to user space clients for communication. When processing hardware command ioctl calls, the drivers incorrectly handle the number of commands included in the user space payload. This can lead to an integer overflow, which subsequently results in the driver attempting to process hardware commands from out-of-bounds memory and can cause the kernel to crash. The same code also suffered from incorrectly treating the number of hardware commands as signed. [QCIR-2013-00005-1]
Gemini JPEG encoder, Mercury JPEG decoder, and Jpeg1.0 common encoder/decoder contain an unspecified integer overflow condition during the handling of hardware command IOCTL calls that may allow a local attacker to cause a denial of service or potentially execute arbitrary code. [osvdb-96924]
Details: APK signature verification does not check name lengths correctly, creating a difference between how the zip files are verified and how they are extracted, which allows files in an existing APK to be replaced with new files. [saurik-19]
Exploited by RockMyMoto [androidpolice-rockmymoto]
Details: File offsets in zips are supposed to be unsigned but were interpreted as signed, allowing the content that is verified to differ from the content that is executed. [citation-needed]
Details: A certain configuration of Android 2.3.7 on the Motorola Defy XT phone for Republic Wireless uses init to create a /dev/socket/init_runit socket that listens for shell commands, which allows local users to gain privileges by interacting with a LocalSocket object. [CVE-2013-4777]
Stack-based buffer overflow in the sub_E110 function in init in a certain configuration of Android 2.3.7 on the Motorola Defy XT phone for Republic Wireless allows local users to gain privileges or cause a denial of service (memory corruption) by writing a long string to the /dev/socket/init_runit socket that is inconsistent with a certain length value that was previously written to this socket. [CVE-2013-5933]
Details: Stack-based buffer overflow and memory disclosure in camera driver QCIR-2013-00008-1: A stack-based buffer overflow and a kernel memory disclosure vulnerability have been discovered in the system call handlers of the camera driver. [QCIR-2013-00008-1][archived]
Discovered by: Jonathan Salwan of the Sysdream Security Lab [QCIR-2013-00008-1][archived] on: Unknown
Details: Stack-based buffer overflow in the encode_key function in /system/bin/keystore in the KeyStore service in Android 4.3 allows attackers to execute arbitrary code, and consequently obtain sensitive key information or bypass intended restrictions on cryptographic operations, via a long key name. [CVE-2014-3100]
Details: Multiple memory corruption issues and race condition in Goodix gt915 touchscreen driver procfs handler (CVE-2013-4740 CVE-2013-6122) QCIR-2013-00009-1: Multiple issues have been identified in the Goodix gt915 touchscreen driver for Android. The issues were found in the write handler of the procfs entry created by the driver, which by default is readable and writable by users without any specific privileges. [QCIR-2013-00009-1][archived]
Discovered by: Jonathan Salwan of the Sysdream Security Lab [QCIR-2013-00009-1][archived] on: Unknown
Details: Out of bounds array access in camera driver (CVE-2013-6123): The camera driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_ioctl_server, msm_server_send_ctrl, and msm_ctrl_cmd_done functions use a user-supplied value as an index to the server_queue array for read and write operations without any boundary checks. A local application with access to the camera device nodes can use this flaw to, e.g., elevate privileges. [QCIR-2014-00001-1][archived]
Details: Insecure owner/permission changes in init shell scripts (CVE-2013-6124): During the device start-up phase, several init shell scripts are executed with root privileges to configure various aspects of the system. During this process, standard toolchain commands such as chown or chmod are used to, e.g., change the owner of the sensor settings file to the system user. As these commands follow symbolic links (symlinks), an attacker with write access to these resources is able to conduct symlink attacks and thus change, for example, the owner of an arbitrary file to system. This flaw can be used to, e.g., elevate privileges. [QCIR-2014-00002-1][archived]
Categories: Remote code execution vulnerability in Qualcomm Wi-Fi driver
Details: Buffer overflow in CORE/SYS/legacy/src/utils/src/dot11f.c in the Qualcomm Wi-Fi driver in Android before 2016-08-05 on Nexus 7 (2013) devices allows remote attackers to execute arbitrary code via a crafted Information Element (IE) in an 802.11 management frame, aka Android internal bug 28668638 and Qualcomm internal bugs CR553937 and CR553941. [NIST-CVE-2014-9902]
Categories: Elevation of privilege vulnerability in Qualcomm components
Details: Integer underflow in the diag driver in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices allows attackers to gain privileges or obtain sensitive information via a crafted application, aka Android internal bug 28768146 and Qualcomm internal bug CR549470. [NIST-CVE-2014-9863]