OnePlus 3/3T OxygenOS Charger Boot Mode ADB Access

Aleph Research Advisory

Identifier

Severity

Critical

Product

OnePlus 3T, OnePlus 3

Vulnerable Version

OxygenOS 4.0.2 and below.

Mitigation

Upgrade to OxygenOS 4.0.3 or later.

Technical Details

When a charger is connected to a powered-off OnePlus 3/3T device, the platform boots into charger mode and starts adbd with ADB authorization disabled. A malicious charger or an attacker with physical access can therefore open an ADB session with the device without any authorization prompt, and use that session to exploit further vulnerabilities and/or exfiltrate information from the device. For example, the malicious charger can reboot the device into bootloader mode (fastboot) in order to exploit the fastboot-related vulnerabilities detailed in the blog post.
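The following triage helper is an added example and is not part of the Aleph Research advisory. It parses the output of `adb devices -l` together with two system properties read over `adb shell getprop`, and classifies whether a device that booted into charger mode is exposing an ADB shell without the usual host-key authorization. `ro.bootmode` and `ro.adb.secure` are standard Android properties; that OxygenOS charger mode reports them exactly as `charger` and `0` is an assumption of this example, as are the constructed sample strings at the bottom. The optional `live_check()` wrapper needs a real `adb` binary and is not exercised offline.

```python
"""Charger-mode ADB exposure triage (added example, not the advisory's own code)."""
import re
import subprocess
from dataclasses import dataclass
from typing import List

# One line per device in `adb devices -l` output: "<serial> <state> [key:value ...]"
DEVICE_LINE = re.compile(r"^(?P<serial>\S+)\s+(?P<state>\S+)")


@dataclass
class AdbDevice:
    serial: str
    state: str  # "device", "unauthorized", "offline", ...


def parse_adb_devices(output: str) -> List[AdbDevice]:
    """Parse `adb devices -l` output into AdbDevice records, skipping the header."""
    devices = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices"):
            continue
        m = DEVICE_LINE.match(line)
        if m:
            devices.append(AdbDevice(m.group("serial"), m.group("state")))
    return devices


def assess(state: str, bootmode: str, adb_secure: str) -> str:
    """Classify the ADB exposure of one device.

    state      -- state column from `adb devices`
    bootmode   -- value of ro.bootmode (assumed "charger" in charger boot mode)
    adb_secure -- value of ro.adb.secure ("1" means adbd enforces RSA-key authorization)

    Returns one of:
      "no-shell"                   -- adbd refused or is still waiting for key approval (expected)
      "unauthenticated-charger-adb" -- the condition described in the advisory: shell granted
                                      in charger mode with authorization disabled
      "adb-auth-disabled"          -- authorization disabled outside charger mode
      "authorized"                 -- shell granted only after normal key approval
    """
    bootmode = bootmode.strip().lower()
    adb_secure = adb_secure.strip()
    if state != "device":
        return "no-shell"
    if adb_secure != "1":
        return "unauthenticated-charger-adb" if bootmode == "charger" else "adb-auth-disabled"
    return "authorized"


def triage(devices_output: str, bootmode: str, adb_secure: str) -> List[str]:
    """Apply assess() to every device listed in `adb devices -l` output."""
    return [assess(d.state, bootmode, adb_secure) for d in parse_adb_devices(devices_output)]


def live_check() -> List[str]:
    """Run the same triage against a connected device; requires a real adb binary."""
    devices = subprocess.run(["adb", "devices", "-l"], capture_output=True, text=True).stdout
    bootmode = subprocess.run(["adb", "shell", "getprop", "ro.bootmode"],
                              capture_output=True, text=True).stdout
    adb_secure = subprocess.run(["adb", "shell", "getprop", "ro.adb.secure"],
                                capture_output=True, text=True).stdout
    return triage(devices, bootmode, adb_secure)


# Constructed sample: what a host with a never-approved key sees when the
# condition in the advisory holds (serial and product fields are made up).
SAMPLE_ADB_DEVICES = (
    "List of devices attached\n"
    "0123456789abcdef       device usb:1-1 product:example_device transport_id:1\n"
)

if __name__ == "__main__":
    for verdict in triage(SAMPLE_ADB_DEVICES, "charger\n", "0\n"):
        print(verdict)  # unauthenticated-charger-adb
```

A result of `unauthenticated-charger-adb` from a host whose ADB key the device has never been asked to approve is the observable signature of this issue; after upgrading to OxygenOS 4.0.3 or later the same check should report `no-shell` or, after key approval, `authorized`.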

The following video presents how a ‘charger’ can exploit CVE-2017-5622 & CVE-2017-5626 for gaining a root shell, putting SELinux in permissive mode, and even executing kernel code:

The following video shows how a ‘charger’ exploits CVE-2017-5622, CVE-2017-5624 & CVE-2017-5626 for replacing the system partition in order to install a privileged app. Please note that once the replacement is complete, the victim has no indication that the device has been tampered with:

Timeline

  • 26-Mar-17: Public disclosure
  • 01-Mar-17: Added as
  • 29-Jan-17: CVE-2017-5622 assigned
  • 25-Jan-17: CVE request

Credit

  • roeeh of Aleph Research, HCL Software