viaForensics mobile security engineer David Weinstein (@insitusec) has discovered a flaw in the Galaxy Nexus which enables an app with no privileges to reboot the device. While this issue currently enables a local denial of service attack, further analysis is required to determine the full impact.
Initial research uncovered the flaw on the Galaxy Nexus CDMA device, and coordination with security researchers @thuxnder and viaForensics analyst Marco Grassi (@marcograss) confirmed similar flaws exist with other world-readable files on the Nexus 7 and the Galaxy Nexus GSM device.
More generally the flaw is present on devices with debugfs enabled and which have certain debug world-readable files. Weinstein summarized the issue as follows:
“Right now, we can easily create a DoS attack since debugfs is enabled with key files world readable. However, the complexity required in kernel space to support the debugfs backend is significant and creates a large attack surface which may lead to more serious vulnerabilities.”
We have posted a POC Android apk (link below) to test flaws on a wider array of devices.
viaForensics (@viaforensics) has reported the flaw to Google and is coordinating with other researchers. Further updates on this and related flaws will be posted here.
Android POC App: AndroidReboot.apk
SHA256 = bc9acaddf83ebb02b55679f7aaf23fbf0cbb988ea904ac17d7a1064758d4591d
Galaxy Nexus CDMA
$ adb shell cat /sys/kernel/debug/usb/ehci/ehci-omap.0/registers