OxygenOS (FIX RELEASED) Serious security bleach found in OxygenOS

  1. lartsch
    Eclair Nov 21, 2018

    lartsch , Nov 21, 2018 :
    Hello everybody,

    This issue is of general interest.

    Topjohnwu, the creator of the widely known root solution Magisk, has analyzed parts of OxygenOS 9 since it was reported to break MagiskHide.

    During this process he found out that OnePlus hasn't implented the SELinux sandbox like it was introduced with Nougat, resulting in a serious security breach!
    Update: It wasn't anything about SELinux but about wrong mounting configurations in the end, as topjohnwu stated on Twitter. Still, the procfs leak is real and exposing processes which is a big security issue.
    Update: The issue is NOT limited to OxygenOS only as firstly reported.
    Update: Google has been informed and already added a new CTS check to prevent this bug from happening in the future. Oneplus and other OEMs have been informed and acknowledged the issue.
    Update: topjohnwu has released an app to check for and fix procfs leaks (fixing works only with root): https://github.com/topjohnwu/ProcGate

    Beside of that, topjohnwu has found OxygenOS to include some "optimizations" which break the isolated namespaces and processes of applications. This has not been found on any other Android Pie OS yet and is what MagiskHide depends on.


    Last edited: Nov 22, 2018

    rs1, xnutzii, ukmaddi and 4 others like this.
  2. meatandy
    Oreo Nov 21, 2018

    meatandy , Nov 21, 2018 :
    I am very certain OnePlus was contacted about this before the news went pulic.

    The1Lion and otto2 like this.
  3. Rygi3l
    Cupcake Nov 21, 2018

  4. nick31
    Eclair Nov 21, 2018

    nick31 , Nov 21, 2018 :
    Seems like a serious security issue. Is Oneplus modifying stock android code to their own convenience to run some unwanted data collection? What possible explanation could they provide now that they were caught red handed before? How is it possible that the security flaw fixed in 7.0 vanilla made it to 9.0 with Oneplus software only?

    Starcommander and 10Thirteen like this.
  5. nick31
    Eclair Nov 21, 2018

    X1517396854503 likes this.
  6. 10Thirteen
    Donut Nov 21, 2018

  7. nick31
    Eclair Nov 21, 2018

    nick31 , Nov 21, 2018 :
    Well it may be poor QC, or maybe it was done intentionally? OOS is essentially HOS modified for non-chinese market. This kind of shenanigans (data collection without user knowledge) is widespread in China, and judging from happenings in the past, Oneplus participates in it.

    otto2 likes this.
  8. nick31
    Eclair Nov 21, 2018

    nick31 , Nov 21, 2018 :
    I just ran a mount command on my 6t and proc is mounted without hidepid=2. Oneplus, wtf?

  9. David Y.
    OS Product Marketing Staff Member Nov 21, 2018

  10. MagiskSU
    Froyo Nov 21, 2018

  11. nick31
    Eclair Nov 21, 2018

    nick31 , Nov 21, 2018 :
    Since the flaw was verified on 6 with 9.0.2, I wonder if 6t with 9.0.5 has the same issue (most likely yes, miracles don't exist).

  12. Ytkuser
    Gingerbread Nov 21, 2018

    Ytkuser , Nov 21, 2018 :
    they will fix i'm sure, we have far less things in life to worry about then a cell phone company in china spying on us. I'm not in the least bit worried about it, as our own gov does it on a daily bases anyhow. But since the know about it i bet it will be fixed ASAP. i highly doubt it was intentional and more likely just a bug in the OS bugs happen nothing is perfect.

    bilal_h19 and G1542828796976 like this.
  13. nick31
    Eclair Nov 21, 2018

    nick31 , Nov 21, 2018 :
    It seems oos 9.0.6 is out - do you mind releasing poc so that we could verify that the flaw was addressed?

    The issue was present undiscovered for quite some time.. just a food for thought.

    Anyone can enlighten me how partition mount options are handled on the Android since there is no fstab?

    OnePlus, was this issue addressed in 9.0.6?
    Last edited: Nov 21, 2018

  14. lartsch
    Eclair Nov 21, 2018

    Last edited: Nov 22, 2018

  15. nick31
    Eclair Nov 21, 2018

    nick31 , Nov 21, 2018 :
    Yeah it may not be selinux but procfs is still leaking. So for example malware can get id of you keyboard process for logging or whatever else.

  16. K1ngP1n
    Ice Cream Sandwich Nov 21, 2018

  17. nick31
    Eclair Nov 21, 2018

    nick31 , Nov 21, 2018 :
    Issue is still there. No confirmation/denial from OnePlus. Proc is mounted exposing process ids.

    lartsch likes this.
  18. lartsch
    Eclair Nov 22, 2018

    lartsch , Nov 22, 2018 :
    Topjohnwu has created an app to DETECT and FIX (only root) procfs leaks!
    It works by remounting /proc correctly (either manual or automatically by a boot script).
    Seems like most OxygenOS 9 users are affected by this! Every rooted user should use this possibility.
    Link: https://github.com/topjohnwu/ProcGate

    Also, topjohnwu made a writeup on how he discovered the security issue. This is not limited to OxygenOS only!
    Link: https://bit.ly/2DRZFfk

    Last edited: Nov 22, 2018

  19. lartsch
    Eclair Nov 22, 2018

    lartsch , Nov 22, 2018 :
    Oneplus and other OEMs have already been informed about the issue. Oneplus has acknowledged it.
    Google has already implemented a new CTS check to prevent this bug from happening in the future.
    Topjohnwu also releases a fix via Magisk.

    otto2 likes this.
  20. 10Thirteen
    Donut Nov 22, 2018

    10Thirteen , Nov 22, 2018 :
    What other devices or versions are effected by this? I thought it was just a OnePlus 6 and 6t problem.
    Last edited: Nov 23, 2018