Information Disclosure via AEE extension to debuggerd

  • Published: 24 Aug 2017

Type

  • Information Disclosure

Severity

  • Medium

Affected products

  • Huawei Y6 Pro Dualsim

CVE Reference

  • N/A

Timeline

  • 2017-04-05: Issue reported to Huawei.
  • 2017-08-04: Huawei confirmed this issue was fixed in version TIT-L01C576B120.

Description

Huawei is a company that provides networking and telecommunications equipment. The AEE (Android Exception Enhancement) extension in the debuggerd daemon leaks sensitive information such as screenshots, the address space of any process, kernel and system logs, and other information about the current state of the system. A malicious Android application, or any other user on the device, could abuse this to disclose sensitive data or develop further attacks against the device itself.

Impact

Exploitation of this issue could allow any user to disclose sensitive information, which can then be used to develop further attacks or to steal confidential data such as screenshots or application logs.

Cause

Lack of privilege validation on the @com.mtk.aee.aed and @com.mtk.aee.aed_64 unix sockets.

Solution

This vulnerability was resolved by Huawei in version TIT-L01C576B120. More information can be found on the Huawei web page: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170804-01-smartphone-en

Technical Details

Please refer to the attached advisory.