rednaga / disclosures

Licence: other
A place for disclosing things

disclosures

CVEs

  • "Get Super Serial" CVE-2015-2231 & CVE-2015-2232

    Chain from an application with internet permissions to a system uid, then from a system uid to root. This is mainly due to an extremely weak firmware upgrade system called "ADUPS", which has failed to give any type of response. While the two specific CVEs directly correlate to a few Blu phones, the system appears to be used by many other lower-end phones.

  • "HTC Peap" CVE-2015-5525, CVE-2015-5526 & CVE-2015-5527

    Multiple ways to access a backdoor which gives an unprivileged application the ability to run root commands. Discussed at the DEFCON23 Red Naga workshop on Offensive and Defensive Android Reverse Engineering.

  • "Qualcomm System Agent", No CVEs assigned

    Multiple vulnerabilities in an application that was never meant to be shipped on production devices. Discussed at the DEFCON23 Red Naga workshop on Offensive and Defensive Android Reverse Engineering.

  • "Blackphone 1 modem take over", CVE-2015-6841

    Allows any local attacker to take over the modem, inject commands, cause denial of service and other creepy things. Vendor Post, release notes.

  • "RESERVED", RED-2016-0029 / CVE-2016-3862

    Triaged by Google as Critical/Severe. RCE does not seem possible on 4.2+ devices due to mitigations in place; however, a remote DoS/crash is still available without interaction. More details and CVE after the fix is released.

  • "RESERVED", RED-2016-0030 / CVE-2016-????

    Spot reserved for arbitrary (blind) system command execution on a newly (7/2016) released Android 6 device. Details and CVE to be listed after the vendor fix and CVE assignment.
