Motorola Moto G4, G5 Vulnerable to Local Root Shell Attacks

Moto G4 and Moto G5 model Motorola phones are vulnerable to kernel command line injection vulnerabilities.

UPDATE Researchers say several Motorola handset models are vulnerable to a critical kernel command line injection flaw that could allow a local malicious application to execute arbitrary code on the devices.

The two affected Motorola models are the Moto G4 and Moto G5. The warnings come from Aleph Research which said it found the vulnerability on up-to-date handsets running the latest Motorola Android bootloader. Motorola said patches to fix the vulnerability in both devices are expected this month.

“Exploiting the vulnerability allows the adversary to gain an unrestricted root shell. (And more!),” wrote Roee Hay, manager of Aleph Research. He said vulnerable versions of the Motorola Android bootloader allow for a kernel command-line injection attack.

The vulnerability (CVE-2016-10277) is the same one found by Aleph Research earlier this year and fixed by Google in May, impacting the Nexus 6 Motorola bootloader.

“By exploiting the vulnerability, a physical adversary or one with authorized USB fastboot access to the device could break the secure/verified boot mechanism, allowing him to gain unrestricted root privileges, and completely own the user space by loading a tampered or malicious image,” wrote Hay.

Despite the fact the vulnerability had been patched for the Nexus 6, Hay said the Moto G4 and G5 were still vulnerable to the same kernel command line injection flaw.

“In the previous blog post, we suggested that CVE-2016-10277 could affect other Motorola devices. After receiving a few reports on Twitter that this was indeed the case, we acquired a couple of Motorola devices, updated to the latest available build we received over-the-air,” the researcher wrote on Wednesday.

Motorola told Threatpost via a statement that, “A patch will begin rolling out for Moto G5 within the next week and will continue until all variants are updated. The patch for Moto G4 is planned to start deployment at the end of the month and will continue until all variants are updated.”

Researchers were able to trigger the vulnerability on the Moto devices by abusing the Motorola bootloader download functionality in order to swap in their own malicious initramfs (initial RAM file system) at a known physical address, named SCRATCH_ADDR.

“We can inject a parameter, named initrd, which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address,” the researcher wrote. Next, by having the kernel load that malicious initramfs during a customized boot process, they were able to gain root shell access to the device.
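As an added illustration that is not code from Aleph Research or Threatpost, the Python below audits the kernel command line a device actually booted with (what `adb shell cat /proc/cmdline` returns) for the kind of injected parameters described above: an `initrd=` entry pointing at a physical address, and bootloader-owned keys that appear twice because an appended copy overrides the original. The sample command lines and the initrd address are constructed placeholders, not the device's real SCRATCH_ADDR.

```python
import shlex
from collections import Counter

# Constructed sample resembling a Qualcomm-based Android cmdline. The
# initrd address is a made-up placeholder, not the device's real SCRATCH_ADDR.
SAMPLE_CLEAN = ("console=ttyHSL0,115200,n8 androidboot.hardware=qcom "
                "androidboot.verifiedbootstate=green androidboot.mode=normal")
SAMPLE_INJECTED = (SAMPLE_CLEAN +
                   " initrd=0x11000000,0x400000 androidboot.mode=recovery")

# Parameters only the bootloader should set. The kernel keeps the LAST
# occurrence of a repeated key, so an appended copy silently overrides it.
BOOTLOADER_OWNED = {"androidboot.mode", "androidboot.verifiedbootstate",
                    "androidboot.bootdevice", "root", "init", "initrd"}


def parse_cmdline(cmdline):
    """Split a /proc/cmdline string into (key, value) pairs, honoring quotes."""
    pairs = []
    for token in shlex.split(cmdline):
        key, _, value = token.partition("=")
        pairs.append((key, value))
    return pairs


def audit_cmdline(cmdline):
    """Return a list of findings; an empty list means nothing suspicious."""
    pairs = parse_cmdline(cmdline)
    findings = []
    for key, count in Counter(k for k, _ in pairs).items():
        if count > 1 and key in BOOTLOADER_OWNED:
            findings.append("duplicate %s (%d times); last value wins" % (key, count))
    for key, value in pairs:
        if key == "initrd":
            # ARM form is initrd=<start>,<size>: the kernel populates
            # initramfs from whatever physical memory the caller names.
            findings.append("initrd=%s loads initramfs from a caller-chosen address" % value)
        elif key == "androidboot.verifiedbootstate" and value != "green":
            findings.append("verified boot state is %s, not green" % value)
    return findings


if __name__ == "__main__":
    for name, line in (("clean", SAMPLE_CLEAN), ("injected", SAMPLE_INJECTED)):
        print(name, "->", audit_cmdline(line) or ["no findings"])
```

On a real handset the `SAMPLE_*` strings would be replaced with the output of `adb shell cat /proc/cmdline`, and the expected bootloader-set values should be compared against a known-good reading from the same firmware build.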

Hay’s research into the Motorola bootloaders began in January when he identified a high-severity vulnerability (CVE-2016-8467) impacting Nexus 6/6P handsets. That separate vulnerability allowed attackers to change the bootmode of the device, giving access to hidden USB interfaces. Google fixed the issue by hardening the bootloader and restricting it from loading custom bootmodes.

“Just before Google released the patch, we had discovered a way to bypass it on Nexus 6,” Hay said in May of the second CVE-2016-10277 vulnerability.

In an interview with Threatpost, Hay said, “Yes, they are both bootloader vulnerabilities. The CVE-2016-10277 can be considered a generalization of CVE-2016-8467, but with a much stronger impact.”

(This story was updated on 2/12/2017. A comment from Motorola was added.)


Discussion

  • Joe on

    From what I read it would come through a USB cable connection? Or is it over a network connection to the internet.
    • Raj on

      I would say that it could be done over the air with a fake update which could punch a hole through the kernel and leave us vulnerable for anything
      • Tom Spring on

        Raj - FYI - This vulnerability cannot be exploited over the air. I hope that answers your question.
    • Bast Hotep on

      No, it sounds like you'd need physical access to the phone.
      • Tom Spring on

Bast - It can be exploited by a physical adversary or one with authorized-ADB/fastboot USB access to the device (such as PC malware waiting for an ADB-authorized developer’s device to be hooked up via USB). This answer comes directly from the researcher.
    • Tom Spring on

      Hi Joe.... similar to other replies to comments... The vulnerability cannot be exploited over the air. Yes, it's via a USB cable.
  • Kenneth on

    I have a Motorola Moto g4 play
  • Anonymous on

I have a Moto G4. Will this affect my phone too?
  • Puvin.P on

    Is this applicable for Moto g4+ also?
    • Tom Spring on

Hi Puvin... I spoke to the researcher regarding your question and he said "We haven't verified it on the G4+ model. (A good chance is that it is indeed vulnerable)."
