CVE-2016-10456
Description
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 835, and SDX20, if radish is executed with an interface name set to an invalid interface name, an arbitrary command of 15 characters or less may be executed as a system call.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
On multiple Qualcomm Snapdragon platforms, running the radish tool with an invalid interface name can cause an arbitrary command of up to 15 characters to be executed as a system call.
Vulnerability
In Android before the 2018-04-05 security patch level on Qualcomm Snapdragon Mobile and Wear platforms (including MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 835, and SDX20), the radish tool accepts an interface name as a command-line argument. If an invalid interface name is provided, the software passes a string of up to 15 characters directly to a system call, allowing arbitrary command execution [1].
Exploitation
An attacker with local ability to execute the radish binary (which may be invoked via another application or through shell access) can set an interface name containing shell metacharacters or a command of up to 15 characters. The vulnerability is triggered when radish processes that input without sufficient sanitization, causing the injected command to be executed as a system call [1]. No user interaction beyond executing the affected program is required; the attacker does not need special permissions beyond being able to run radish.
Impact
Successful exploitation allows an attacker to execute an arbitrary command of up to 15 characters as a system call on the target device. This can lead to denial of service, information disclosure, or local privilege escalation depending on the command executed. Because the system call runs with the privileges of the calling process (which may be elevated if radish has higher permissions), the impact could extend to compromising system-level functions or user data [1].
Mitigation
The fix is included in the 2018-04-05 or later Android security patch level for the affected Qualcomm Snapdragon platforms. Users should apply the April 2018 or later Android security update to their devices. No workarounds are documented in the available reference [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: before 2018-04-05 or earlier security patch level
- Range: before 2018-04-05 or earlier security patch level
- Qualcomm, Inc./Snapdragon Mobile, Snapdragon Wear (v5) Range: MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 835, SDX20
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/103671 (mitre; vdb-entry, x_refsource_BID)
- source.android.com/security/bulletin/2018-04-01 (mitre; x_refsource_CONFIRM)