High severity 7.8 · NVD Advisory · Published May 12, 2017 · Updated May 13, 2026

CVE-2016-10277


Description

An elevation of privilege vulnerability in the Motorola bootloader could enable a local malicious application to execute arbitrary code within the context of the bootloader. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33840490.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Motorola bootloader kernel cmdline injection allows local malicious apps to gain root shell and bypass secure boot.

Vulnerability

CVE-2016-10277 is an elevation of privilege vulnerability in the Motorola Android Bootloader (ABOOT). The bootloader accepts a proprietary fastboot OEM command that allows injection of a kernel command-line parameter initrd, which forces the Linux kernel to populate the initial RAM filesystem (initramfs) from a specified physical address. This affects Android devices running Kernel-3.10 or Kernel-3.18 [1][2].

Exploitation

An attacker with physical USB access to the device (or ability to send fastboot commands) can exploit this vulnerability by: (1) using the fastboot oem config command to set the initrd parameter to a known physical address (SCRATCH_ADDR), (2) using fastboot flash to upload a malicious initramfs image to that address, and (3) rebooting the device via fastboot continue. The exploit is tethered, meaning it must be re-applied after every reboot [2].

Impact

Successful exploitation grants the attacker an unconfined root shell with SELinux set to permissive mode. The attacker can execute arbitrary code within the bootloader context, potentially achieving a persistent compromise that may require reflashing the operating system to repair the device. The impact is considered critical due to the possibility of permanent device compromise [1][2].

Mitigation

Google's Android Security Bulletin for May 2017 includes a fix for this vulnerability [1]. End users should apply the OTA update from their device manufacturer. If a patch is not yet available, users can mitigate by ensuring the bootloader is locked and avoiding untrusted USB connections. No workaround exists for devices that remain unpatched [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
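
A defender-side check for the initrd injection described under Vulnerability, as an added example that is not part of this advisory or of any vendor tooling: it parses kernel command lines captured during triage (for example the contents of /proc/cmdline) and reports every initrd= parameter with its start address and size. It assumes stock command lines on the audited devices carry no initrd= parameter and that the value uses the kernel's start,size form; the sample lines, address and size are constructed.

```python
"""Added example: flag an initrd= parameter in captured kernel command lines."""
import re

_NUM = re.compile(r'(0[xX][0-9a-fA-F]+|[1-9]\d*|0)([kKmMgG]?)')

def memparse(text):
    """Number with optional K/M/G suffix, like kernel memparse() (octal not handled)."""
    m = _NUM.fullmatch(text)
    if not m:
        return None
    shift = {'': 0, 'k': 10, 'm': 20, 'g': 30}[m.group(2).lower()]
    return int(m.group(1), 0) << shift

def split_cmdline(cmdline):
    """Split on whitespace; a double-quoted span stays inside one parameter."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(''.join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append(''.join(cur))
    return tokens

def find_initrd(cmdline):
    """Return (start, size) for every initrd= parameter; None marks an unparsable field."""
    hits = []
    for tok in split_cmdline(cmdline):
        key, _, value = tok.partition('=')
        if key == 'initrd':
            start, _, size = value.partition(',')
            hits.append((memparse(start), memparse(size)))
    return hits

# Constructed sample lines; the address and size are placeholders, not device values.
STOCK = 'console=ttyHSL0,115200,n8 androidboot.hardware=qcom note="initrd=1,2 inside quotes"'
INJECTED = STOCK + ' initrd=0x12340000,4M'

if __name__ == '__main__':
    for name, line in (('stock', STOCK), ('injected', INJECTED)):
        print(name, find_initrd(line))
```

A non-empty result is a triage lead rather than proof: compare it against the command line of a known-good device of the same model and build.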

Affected products

31

References

3
