Exploits for two patched Android privilege escalation vulnerabilities were published today by security company Zimperium. These are the first publicly released submissions from its N-Days Exploit Acquisition Program, which began in February and had among its stated goals to encourage researchers to develop proof-of-concept exploits that would force carriers and handset makers to improve Android patch delivery.
The vulnerabilities were patched a year ago and were in the NVIDIA Video Driver and the MSM Thermal Driver; they affect Android 6.0 and earlier devices.
“The main reason we are doing this is because most Android phones are not updated and are vulnerable,” Zimperium researcher Nicolas Trippar said. “We are pushing the carriers and vendors so they will start patching vulnerabilities that are public.”
Zimperium published exploit code today and said it plans to publish exploits going forward on a monthly basis.
“If an exploit is available, [carriers and vendors] really move more quickly about updates,” Trippar said. “Publishing exploits is the only way that the vendors really care about vulnerabilities.”
The two elevation-of-privilege vulnerabilities are similar in that both would allow an attacker to write to parts of the Android kernel.
“In both of the cases, you can exploit the vulnerability to disable SELinux, which is the permission system inside Android, and gain root access to the device,” Trippar said. “So this vulnerability could be chained with another vulnerability and exploit like a Stagefright. You could have the full chain to fully compromise the device.”
Kernel driver vulnerabilities have been a frequent issue in the monthly Android Security Bulletins; these two bugs were patched in April and May of last year. Google began its monthly release schedule after the disclosure of the Stagefright vulnerability during Black Hat 2015.
Google shares its monthly updates in advance with its partners, including vendors such as Samsung, and also directly pushes updates to its Nexus devices. Most Android devices, however, are woefully out of date, and are running Android 5.1 or earlier (Lollipop). According to the Android Developers Dashboard, 31 percent of devices are on Android 6.0 (Marshmallow) and fewer than 5 percent are running 7.0 (Nougat).
“The main problem is that each vendor using Android has their own fork of the kernel code. Google publishes updates, and until the update is published to other devices, it takes a really long time,” Trippar said. “There are some devices that won’t have any more updates and some people are still using it. There are some companies that are publishing updates all the time, but that’s not really the normal way.”
For Apple, which manages one update for one version of the operating system, patching is much less complicated. The Android ecosystem, by contrast, is quite fractured, with each vendor responsible for updating its own devices.
Zimperium founder Zuk Avraham told Threatpost at the outset of the N-Day program that exploits for iOS 8 and later, and Android 4.0 and later, would be eligible for the program and payouts from a pool of $1.5 million. Exploits from the program will be first delivered to Zimperium partners and members of its Zimperium Handset Alliance, which includes some large mobile manufacturers such as Samsung and BlackBerry.
“Right now N-days are worth zero,” Avraham said at the time. “We are going to help create value for vulnerabilities that sell for zero and make them worth more than that.”