The following security vulnerabilities have been identified in QuIC-authored init scripts.
During the device start-up phase, several init shell scripts are executed with root privileges to configure various aspects of the system. During this process, standard toolchain commands such as chown or chmod are used to, e.g., change the owner of the sensor settings file to the system user. As these commands follow symbolic links (symlinks), an attacker with write access to these resources is able to conduct symlink attacks and thus change for example the owner of an arbitrary file to system. This flaw can be used to, e.g., elevate privileges.
Access Vector: local
Security Risk: medium
Vulnerability: CWE-61 (unix symbolic link following)
All Android releases from CAF using Linux kernel from the following heads:
We advise customers to apply the following patches:
init shell scripts:
The changes provided by this advisory modify the toolchain commands chown and chown to introduce a new command line option to change the behavior of these commands to not follow symlinks. All QuIC-authored init shell scripts have been changed to make use of this option.
Qualcomm Innovation Center, Inc. (QuIC) thanks Jon Sawyer for reporting the related issues and working with QuIC to help improve Android device security.