Many of us here at XDA-Developers started browsing forums for the first time when looking to root our Android devices. Back then, people often relied on "one-click root" methods: applications or scripts containing payloads that targeted known elevation-of-privilege vulnerabilities in existing firmware to gain root access. With improvements and changes to encryption, permissions, and privacy management, modern Android devices are relatively immune to these attack vectors, but there will always be opportunities for exploits and vulnerabilities.
OnePlus may have cemented its name among the top Android OEMs, but its phones are no stranger to security holes. This time around, the company has left a rather interesting (read: disturbing) vulnerability unpatched on the OnePlus Nord 2 since its release. Although exploiting the vulnerability requires physical access to the device, the attacker can effectively get an unrestricted root shell before the user even enters their credentials. Notably, the new Pac-Man edition of the Nord 2 is also affected.
Background
Nowadays, when we talk about having root access on an Android smartphone, people usually think of patching the stock boot image with Magisk and then flashing the patched image to the target device after unlocking the bootloader. In this way, the end user gets supervised access to the "su" binary through a management application. There are a few other experimental approaches, but none of them is anywhere near as widely used.
As far as pre-production goes, however, the story is entirely different. When preparing the firmware for a device, engineers need to enable various debugging settings, including root access. Even on a userdebug build, the Android Debug Bridge daemon (adbd) runs as root, so that one can have privileged access to the shell for debugging purposes. When the firmware is ready to ship, all of these debugging settings should be disabled before deploying it.
But what if you forget to do it? We are about to find out, because the official OxygenOS builds for the OnePlus Nord 2 have exactly such a flaw.
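One way a firmware engineer can catch a leftover debug setting before a build ships, as an added example that is not XDA's or OnePlus's code: audit the property file extracted from a recovery or boot ramdisk for the standard Android properties that govern a root adbd. The article does not name which setting shipped on the Nord 2, so the three property names below are an assumption about what a release checklist should cover, not a statement about the Nord 2 firmware.

```shell
#!/bin/sh
# Added example (not from the article or from OnePlus): audit an extracted
# Android property file (default.prop / prop.default / build.prop from a
# recovery or boot ramdisk) for debug settings that must be off in a
# shipping build.  Which setting actually shipped on the Nord 2 is not
# public; the properties checked here are the standard ones that control
# whether adbd runs as root and whether host-key authorization is enforced.

# Prints every offending "key=value" line in the file.
# Returns 0 if the file is clean, 1 if any insecure setting is present.
audit_props() {
    file="$1"
    bad=0
    # ro.debuggable=1  -> debug build behaviour; adbd may run as root
    # ro.secure=0      -> adbd does not drop to the shell user
    # ro.adb.secure=0  -> ADB RSA host-key authorization is not enforced
    for pattern in '^ro\.debuggable=1$' '^ro\.secure=0$' '^ro\.adb\.secure=0$'; do
        if grep -E -q "$pattern" "$file"; then
            grep -E "$pattern" "$file"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample property file for demonstration only; it mixes a
# release-style ro.build.type with debug-style adbd settings.
demo() {
    tmp=$(mktemp)
    printf 'ro.build.type=user\nro.secure=0\nro.adb.secure=0\nro.debuggable=1\n' > "$tmp"
    if audit_props "$tmp"; then
        echo "clean: no debug adbd settings found"
    else
        echo "NOT SHIPPABLE: debug adbd settings present (listed above)"
    fi
    rm -f "$tmp"
}

demo
```

Run it against the property file pulled out of each ramdisk in a release candidate; a non-zero exit from audit_props is the signal to stop the release.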
OnePlus Nord 2 – Root Shell Vulnerability
Some OEMs, like Samsung, allow sideloading update packages in their stock recovery on retail devices. In this case, the adbd binary runs with considerably elevated privilege while sideloading, but it quits as soon as the update process is complete. Other than that, no ADB access is allowed in an OEM-provided recovery environment.
OnePlus no longer allows users to flash an update ZIP package via ADB sideloading in its stock recovery. Assuming everything else is configured as it should be, the recovery environment of a standard OnePlus device should therefore be safe from attackers delivering any kind of payload over ADB. Unfortunately, not everything goes as planned in the case of the OnePlus Nord 2.
As it turns out, anyone can open an Android debugging shell with root privilege in the OnePlus Nord 2 recovery environment. One of the critical debugging settings has apparently made its way into production builds, leading to this issue.
Exploiting the flaw on the OnePlus Nord 2
All you need to do is restart the OnePlus Nord 2 in recovery mode. An attacker can take the device and use a simple hardware button combo to force it into recovery mode. In fact, there is no need to reach the actual recovery menu, as the vulnerable stage comes before that. Credit goes to XDA Senior Member AndroPlus for pointing out the existence of this bug back in October 2021.
- With the phone off, press the volume and power buttons simultaneously until you see the OnePlus logo with a tiny "RECOVERY MODE" banner in the lower left corner of the screen.
- You should then see the language selection screen. There is no need to go any further, as ADB access can be initiated directly from here.
- Now connect the phone to a PC (or Mac) with the USB cable. If you are using Windows, you may see a new Android USB debugging interface appear in Device Manager. You may also need to install an appropriate Android USB driver before Windows recognizes the new device. Linux and macOS users, on the other hand, can use the lsusb command to detect the presence of the new hardware interface.
- Assuming the latest version of the ADB and Fastboot utilities is already installed on your PC / Mac, launch a Command Prompt / PowerShell / Terminal instance and run the following command:
adb devices
It should list the Nord 2 in recovery mode. This is particularly interesting in itself, as the standard ADB authorization prompt is not needed here. You may get an "unauthorized device" error, but clearing the existing ADB RSA key database on the host PC and restarting the ADB server should eventually get the device authorized.
- Now instruct adbd to run as root:
adb root
This command can take a long time, and you will probably get a timeout error. Nevertheless, adbd should now be running as root.
- Finally, check the shell privilege level with the following command:
adb shell whoami
The extent of the flaw
The potential abuses of this security hole are frightening. With a successful attack on the OnePlus Nord 2, an attacker can dump every partition on the device. As a result, the entire data partition, including files stored in private data directories that are normally inaccessible to applications, is accessible to the attacker. Even if the data partition is encrypted (because the user has set a PIN or password), the dump could still be useful for forensic analysis.
Not only that, you can push an executable to /data/local/tmp and run it from there. This is a classic attack vector, which can be useful for chain-loading another exploit. In addition, since you can now invoke the setprop utility as root to change various property values, you can technically hijack some of the OEM-specific privileged variables. Last but not least, even if Developer Options have never been unlocked, the phone will automatically prompt for USB debugging authorization after ADB has been used in recovery and the device is rebooted into the regular Android environment, which means the scope of the vulnerability is not limited to the recovery stage alone.
Note that you cannot install APK files via ADB in the recovery environment, because the Package Manager utility is not accessible there.
How to check if your OnePlus Nord 2 is affected? (Hint: it is)
As mentioned before, this vulnerability can be exploited on both the regular and the special Pac-Man edition of the OnePlus Nord 2. In a nutshell, if you get a root shell (you will know when the shell prompt changes from $ to #), then the flaw is present.
We managed to gain root shell access on the latest Indian and European public OxygenOS firmware for the device, which means every OnePlus Nord 2 unit is vulnerable at the time of writing this article.
What's next?
We will follow up on this matter as more information becomes available. OnePlus provided the following statement on the matter:
"We take privacy and security very seriously. We are prioritizing this issue and will share an update as soon as we have more information."
While this all sounds scary, keep in mind that an attacker still needs physical access to the phone in order to gain the root shell. Until OnePlus rolls out an update that fixes the vulnerability, try to keep your OnePlus Nord 2 away from strangers. Although we have not encountered any malicious use, such a possibility cannot be ruled out, as the vulnerability has been in the wild for at least 2 months now.