OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X, OnePlus One
All OnePlus OxygenOS & HydrogenOS OTAs
OnePlus OxygenOS & HydrogenOS are vulnerable to downgrade attacks. This is due to lenient updater-script in the OnePlus OTAs which does not check that the current version is lower than or equal to the given image’s (see below the 4.0.0 updater-script). Downgrades can occur even on locked bootloaders & without triggering a factory reset, allowing for exploitation of now-patched vulnerabilities with access to user data. This vulnerability can be exploited by a Man-in-the-Middle (MiTM) attacker targeting the update process. This is possible because the update transaction does not occur over TLS. In addition, a physical attacker can reboot the phone into recovery, and then use adb sideload to push the OTA (on OnePlus 3/3T ‘Secure Start-up’ must be off).
getprop("ro.display.series") == "OnePlus 3T" || abort("E3004: This package is for \"OnePlus 3T\" devices; this is a \"" + getprop("ro.display.series") + "\".");
show_progress(0.750000, 0);
ui_print("Patching system image unconditionally...");
block_image_update("/dev/block/bootdevice/by-name/system", package_extract_file("system.transfer.list"), "system.new.dat", "system.patch.dat") ||
abort("E1001: Failed to update system image.");
show_progress(0.050000, 10);
[...]
PoC can be found here.