<--

OnePlus OTA Lack of TLS Vulnerability

Aleph Research Advisory

Identifier

CVE-2016-10370

Severity

High

Technical Details

OxygenOS & HydrogenOS send the following JSON request to http://otac.h2os.com/post/Query_Update or to http://i.ota.coloros.com/post/Query_Update in order to check if a new OTA is available:

{
    "beta": "0",
    "imei": "<IMEI>",
    "isOnePlus": "1",
    "language": "en",
    "mobile": "ONEPLUS A3010",
    "mode": "0",
    "ota_version": "<CURRENT_VERSION>",
    "type": "1",
    "version": "1"
}

For example, on a OnePlus 3T device running OxygenOS 4.1.1 this results in the following response, announcing that a 4.1.3 OTA is available:

{
    "active_url": "http://otafsc1.h2os.com/patch/amazone2/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011/OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
    "description": "https://otafsc.h2os.com/html/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011_version_EN_1492072442240.html",
    "down_url": "http://otafsc.h2os.com/patch/amazone2/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011/OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
    "extract": "#OS Version: OnePlus3TOxygen_28_170411\n##WHAT'S NEW\n\\\n\u2022 Upgraded Android 7.1.1 \n\\\n\u2022 Added expanded screenshots \n\\\n\u2022 Improved picture taking of moving objects\n  with blur reduction \n\\\n\u2022
Improved video stability when recording\n\\\n\u2022 Improved WiFI connectivity \u00a0\n\\\n\u2022 Improved bluetooth connectivity \n\\\n\u2022 Fixed Instagram swiping bug\n\\\n\u2022 Fixed hardware
buttons\u00a0malfunction\u00a0bug\n\\\n\u2022 Increased system stability\n\\\n\u2022 General bug fixes\n  [www.oneplus.net](http://www.oneplus.net/)",
    "new_version": "OnePlus3TOxygen_28.A.51_GLO_051_1704112011",
    "patchFilePath": "/patch/amazone2/GLO/OnePlus3TOxygen/OnePlus3TOxygen_28.A.51_GLO_051_1704112011/OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
    "patch_md5": "031507863135b7008c2651ea461d0e9e",
    "patch_name": "OnePlus3TOxygen_28_OTA_051_all_1704112011_d6f79637e1c.zip",
    "patch_size": "1461187808",
    "recommend": "100",
    "share": "\u8bf7\u7528\u82f1\u8bed\u8bbe\u7f6e\u5206\u4eab\u5185\u5bb9",
    "type": "1",
    "version_name": "OnePlus3TOxygen_28_1704112011",
    "wipe": "0"
}

Man-in-the-Middle attackers can therefore spoof this response in order to exploit @CVE-2017-5948, @CVE-2017-8850 & @CVE-2017-8851.

PoC can be found here.

Timeline

  • 08-May-17
    : Added as
  • 26-Jan-17
    : Reported
  • 08-May-17
    : Cve-request
  • 08-May-17
    : CVE-2016-10370 assigned
  • 09-Apr-17
    : Deadline-extension-offer: no reply
  • 26-Apr-17
    : Deadline
  • 10-May-17
    : Deadline-extension
  • 11-May-17
    : Public disclosure

Credit

  • sagik of Aleph Research, HCL Software