Late last month Google Project Zero researcher Maddie Stone detailed a zero-day Android privilege escalation vulnerability (CVE-2019-2215) and revealed that it is actively being exploited in attacks in the wild. She also provided PoC code that could help researchers check which Android-based devices are vulnerable and which are not.
One of those has decided to go further.
Achieving “root” through a malicious app
“The base PoC left us with a full kernel read/write primitive, essentially game over for the systems’ security, but left achieving root as an exercise for the reader,” said Grant Hernandez, a Ph.D student at the University of Florida and a Research Assistant with the Florida Institute of Cyber Security.
He took it upon himself to find a way to achieve “root” on a vulnerable device, to bypass the various protections Android employs against malicious applications, and to see whether the exploit could be made to work from an application context.
As it turns out, it could: he created Qu1ckR00t, a PoC one-click rooting application, the code for which he published on GitHub.
But, he warned, the app has only been tested on a Pixel 2 and will probably not work on other devices/kernel versions, leading most probably to a crash or data loss. “It should not be used on your personal device with valuable userdata,” he advised.
CVE-2019-2215 was initially discovered and patched in late 2017 in v4.14 of the Linux kernel and in Android versions 3.18, 4.4, and 4.9, but the fix was apparently never propagated to later Android versions.
That’s why certain of Pixel, Huawei, Oppo, Moto, LG and Samsung mobile devices running Android 8 through 10 featured it.
CVE-2019-2215 is believed to be exploited by lawful surveillance software by NSO Group.
Google produced a fix a week after Stone shared the info and the PoC, and delivered it as part of the October 2019 Android security patches.