Nexus 5 <= 4.4.2 Local DoS
Joseph Redfern
Published: 5 Nov 2014
17/02/2014: Reported to Google
18/02/2014: Google started investigating the issue
24/04/2014: Google replied stating that a patch had been created
04/06/2014: Android 4.4.3 officially released containing the patch
10/07/2014: Credited on the Android Security Acknowledgements page
The Nexus 5 comes pre-installed with a hidden network connectivity testing application. Prior to Android 4.4.3, various activities contained within the application were exported and required no permissions to launch. One of these activities caused the phone to reboot, exposing the device to a local Denial-of-Service attack.
On launching the com.lge.SprintHiddenMenu.sprintspec.SCRTN activity on a Nexus 5 running Android 4.4.2 or earlier, the device would restart.
A malicious application that registered a receiver for the BOOT_COMPLETED broadcast and, on receiving it, sent an intent to start com.lge.SprintHiddenMenu.sprintspec.SCRTN could therefore put the device into a reboot loop: each boot would trigger another reset.
The com.lge.SprintHiddenMenu.sprintspec.SCRTN activity did not require any specific permission, allowing it to be launched by any unprivileged application.
There are no known workarounds for this vulnerability – com.lge.SprintHiddenMenu is installed as a system package and cannot be removed on a non-rooted device. The preferred fix is to upgrade to Android 4.4.3 or greater.
The Nexus 5 with Android 4.4.3 and above requires that calling applications have the com.lge.permission.SPRINTHIDDEN permission in order to start the com.lge.SprintHiddenMenu.sprintspec.SCRTN activity.
Application developers should check that no potentially dangerous activities are unintentionally exported, using a tool such as drozer, and should guard any activity that must remain exported with an android:permission attribute.
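The check above can also be made against an application's AndroidManifest.xml before the package ever reaches a device. The script below is an added example (it is not code from the original advisory, from drozer, or from LG/Google) that applies the Android 4.x export rules: an activity is reachable from other apps if it sets android:exported="true", or if it declares an <intent-filter> and does not set android:exported="false"; it is reachable without any permission if neither the <activity> nor the enclosing <application> carries android:permission. The two manifests it parses are constructed for illustration and are assumptions about what the pre- and post-4.4.3 packages looked like, not the real com.lge.SprintHiddenMenu manifest; the activity names and the com.lge.permission.SPRINTHIDDEN permission are taken from this advisory.

```python
"""Flag activities that an unprivileged app can launch, from an AndroidManifest.xml.

Added example, not code from the original advisory. The export rules modelled here
are the ones in force on Android 4.x (before API 31 made android:exported mandatory
for components with intent filters). The two manifests below are constructed for
illustration and are not the real com.lge.SprintHiddenMenu manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_unprotected_exports(manifest_xml):
    """Return [(fully_qualified_activity, reason)] for activities that any other
    app can start with no permission at all."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_perm = _attr(app, "permission")  # package-wide guard, if any
    findings = []
    for act in list(app.iter("activity")) + list(app.iter("activity-alias")):
        name = _attr(act, "name") or ""
        if name.startswith("."):  # manifest shorthand for a class in the package
            name = package + name
        exported = _attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            reason = "implicitly exported via <intent-filter>"
        else:
            continue  # exported="false", or no filter and no explicit export
        if _attr(act, "permission") or app_perm:
            continue  # exported, but a caller must hold a permission
        findings.append((name, reason))
    return findings


# Constructed: models the pre-4.4.3 situation where SCRTN was reachable by anyone.
VULNERABLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.lge.SprintHiddenMenu">
  <application>
    <activity android:name=".sprintspec.SCRTN">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
      </intent-filter>
    </activity>
    <activity android:name=".sprintspec.data.edit.ApnSettingsHiddenMenu"
        android:exported="true"
        android:permission="com.lge.permission.SPRINTHIDDEN" />
    <activity android:name=".sprintspec.Internal" android:exported="false">
      <intent-filter>
        <action android:name="com.lge.INTERNAL" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# Constructed: the same package with the 4.4.3-style fix, a permission on SCRTN.
FIXED_MANIFEST = VULNERABLE_MANIFEST.replace(
    '<activity android:name=".sprintspec.SCRTN">',
    '<activity android:name=".sprintspec.SCRTN"\n'
    '        android:permission="com.lge.permission.SPRINTHIDDEN">',
)

if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("fixed", FIXED_MANIFEST)):
        hits = find_unprotected_exports(manifest)
        print(f"{label}: {len(hits)} unprotected exported activit{'y' if len(hits) == 1 else 'ies'}")
        for name, reason in hits:
            print(f"  {name}  ({reason})")
```

Run against the vulnerable manifest the script reports only SCRTN: ApnSettingsHiddenMenu is exported but protected by com.lge.permission.SPRINTHIDDEN, and Internal is excluded because android:exported="false" overrides its intent filter. Against the fixed manifest it reports nothing. Note that this is a static check on the manifest only; drozer's app.activity.info asks the running PackageManager and so also reflects what the device actually installed.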
The com.lge.SprintHiddenMenu package contains tools for debugging the data connections of the Nexus 5.
Using drozer, it was possible to list the activities defined by the com.lge.SprintHiddenMenu package:
dz> run app.activity.info -a com.lge.SprintHiddenMenu
Package: com.lge.SprintHiddenMenu
  com.lge.SprintHiddenMenu.sprintspec.RTN
  com.lge.SprintHiddenMenu.sprintspec.Data
  com.lge.SprintHiddenMenu.sprintspec.data.edit.ApnSettingsHiddenMenu
    Permission: com.lge.permission.SPRINTHIDDEN
  com.lge.SprintHiddenMenu.sprintspec.data.edit.ApnEditorHiddenMenu
    Permission: com.lge.permission.SPRINTHIDDEN
  com.lge.SprintHiddenMenu.sprintspec.Debug
  com.lge.SprintHiddenMenu.sprintspec.Test
  com.lge.SprintHiddenMenu.sprintspec.MSL
  com.lge.SprintHiddenMenu.sprintspec.TestCheckSPC
  com.lge.SprintHiddenMenu.sprintspec.SCRTN
  com.lge.SprintHiddenMenu.sprintspec.data.Mmsc
It was noted that when starting the com.lge.SprintHiddenMenu.sprintspec.SCRTN activity (run app.activity.start --component com.lge.SprintHiddenMenu com.lge.SprintHiddenMenu.sprintspec.SCRTN), a dialog would appear.
Shortly after, the standard Android “Shutting Down” dialog would be displayed, and the device would reboot. SCRTN is Sprint's abbreviation for “Special Code to Reset the Network”, so it is likely that the SCRTN activity performs a “Carrier Reset” on the device, which causes the phone to be re-registered with the CDMA network.