CVE-2011-1823

CVSS 7.8 HIGH · EPSS 41.6% · KEV · CWE-190
In short

The Android vold volume manager trusts messages received on a PF_NETLINK socket without proper validation, allowing a local attacker to execute code as root by sending a specially crafted message that corrupts memory in a controlled way.

Technical detail

A signed integer handling flaw (CWE-190) in DirectVolume::handlePartitionAdded: the partition index taken from a PF_NETLINK message is checked only against a maximum value, so a negative index passes the check and is used as an array index, corrupting heap memory. Exploitation requires local access to send crafted netlink messages and results in arbitrary code execution with root privileges.

Summary generated and translated by AI from the official description.
The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges via a negative index that bypasses a maximum-only signed integer check in the DirectVolume::handlePartitionAdded method, which triggers memory corruption, as demonstrated by Gingerbreak.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
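As an added illustration of the check described above (hypothetical C written for this page, not vold's source; the PARTN key, the MAX_PARTITIONS bound and the sample messages are constructed), the maximum-only check beside its corrected form, with the index parsed as a signed value from a NUL-separated uevent-style message so that the point of entry is visible:

```c
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARTITIONS 4   /* constructed bound, not vold's actual limit */
struct volume { int partition_minor[MAX_PARTITIONS]; };
/* The maximum-only check the advisory describes: a negative part_num
 * passes, and part_num - 1 would then index before the array. */
bool index_accepted_weak(int part_num) { return part_num <= MAX_PARTITIONS; }

/* Corrected check: both bounds enforced (partition numbers are 1-based),
 * so zero or negative values are rejected before any array access. */
bool index_accepted_fixed(int part_num)
{
    return part_num >= 1 && part_num <= MAX_PARTITIONS;
}

/* Extract PARTN from a NUL-separated uevent-style message of len bytes.
 * Returns INT_MIN when the key is missing or the value is not an int.
 * The value is parsed as signed, which is why a lower bound matters. */
int parse_partn(const char *msg, size_t len)
{
    size_t off = 0;
    while (off < len) {
        const char *field = msg + off;
        const char *nul = memchr(field, '\0', len - off);
        if (nul == NULL) break;                  /* unterminated field */
        if (strncmp(field, "PARTN=", 6) == 0) {
            char *end;
            long v = strtol(field + 6, &end, 10);
            if (end == field + 6 || *end != '\0') return INT_MIN;
            if (v < INT_MIN || v > INT_MAX) return INT_MIN;
            return (int)v;
        }
        off = (size_t)(nul - msg) + 1;
    }
    return INT_MIN;
}

/* Only the hardened path ever writes into the array. */
bool handle_partition_added(struct volume *v, const char *msg, size_t len, int minor)
{
    int part_num = parse_partn(msg, len);
    if (part_num == INT_MIN || !index_accepted_fixed(part_num)) return false;
    v->partition_minor[part_num - 1] = minor;
    return true;
}
static const char MSG_NEG[] = "ACTION=add\0PARTN=-1\0";  /* constructed samples */
static const char MSG_OK[] = "ACTION=add\0PARTN=2\0";
static struct volume demo_vol;
```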
Affected products
n/a · n/a
