Zero-day vulnerability in Android OS yet to be patched

Maintainers of the Android Open Source Project (AOSP) failed to address a privilege escalation bug in the Android mobile OS that was reported six months ago.

Experts disclosed details of a zero-day vulnerability that affects the Android mobile operating system. The high-severity zero-day issue resides in the driver for the Video For Linux 2 (V4L2) interface.

The vulnerability was reported by Lance Jiang and Moony Li of Trend Micro Research through the Zero Day Initiative (ZDI) program.

“This vulnerability allows local attackers to escalate privileges on vulnerable installations of Google Android. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability,” reads the security advisory published by ZDI.

“The specific flaw exists within the v4l2 driver. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this to escalate privileges in the context of the kernel.”

Google learned of the issue in March and acknowledged it. The company said that a fix would become available, but gave no date for delivering a patch.

The vulnerability resides in the way the Video for Linux (V4L2) driver handles input data; an attacker could exploit it to elevate permissions to kernel level.

Trend Micro published details of the issue after Google published the September 2019 Android Security Bulletin, which did not fix the flaw.

Experts pointed out that attackers need local access in order to exploit the vulnerability, which means they must have already compromised the device. The issue could be chained with other vulnerabilities to take full control of a device after the initial infection.

Jiang and Li reported the issue to Google in March.

Experts warn of the severity of privilege escalation vulnerabilities that could be used by attackers to gain root access on the devices and carry out many malicious activities.

At the time of writing, there is no workaround for this vulnerability.

Below is the timeline for this issue:

03/13/19 – ZDI reported a vulnerability to the vendor
03/13/19 – The vendor acknowledged and requested further information
03/25/19 – ZDI provided the requested details
06/28/19 – The vendor confirmed the vulnerability would be fixed, but did not provide an estimated time frame
07/12/19 – ZDI requested an estimated date for the fix
07/12/19 – The vendor indicated they could not specify a date
08/21/19 – ZDI requested an update
08/26/19 – The vendor indicated there were no further updates
08/28/19 – ZDI notified the vendor of the intention to disclose the report as a 0-day advisory
2019-09-04 – Coordinated public release of advisory
2019-09-04 – Advisory Updated

Pierluigi Paganini

(SecurityAffairs – Android, zero-day)

The post Zero-day vulnerability in Android OS yet to be patched appeared first on Security Affairs.