CVE-2020-0009

Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write to shared memory due to a permissions bypass. This could lead to local escalation of privilege by corrupting memory shared between processes, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-142938932

En la función calc_vm_may_flags del archivo ashmem.c, hay una posible escritura arbitraria en la memoria compartida debido a una omisión de permisos. Esto podría conllevar a una escalada local de privilegios mediante la corrupción de la memoria compartida entre procesos, sin ser necesarios privilegios de ejecución adicionales. No es requerida una interacción del usuario para su explotación. Producto: Android, Versiones: kernel de Android, ID de Android: A-142938932

Android suffers from ashmem read-only bypass vulnerabilities via remap_file_pages() and ASHMEM_UNPIN.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-10-17 CVE Reserved
2020-01-08 CVE Published
2020-01-14 First Exploit
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-276: Incorrect Default Permissions

CAPEC

References (5)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html	Mailing List
https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html	Mailing List

URL	Date	SRC
https://www.exploit-db.com/exploits/47921	2020-01-14

URL	Date	SRC
http://packetstormsecurity.com/files/155903/Android-ashmem-Read-Only-Bypasses.html	2022-10-14

URL	Date	SRC
https://source.android.com/security/bulletin/2020-01-01	2022-10-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				-		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected