Source: security@oppo.com
The functions charging_limit_current_write and charging_limit_time_write in /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_charger.c do not check their parameters, which causes a vulnerability.
Unvalidated input in the OPPO charger driver allows arbitrary modification of the charging-current and charging-time limits, which can lead to denial of service or physical damage to the battery. An attacker with write access to the driver's interface can supply out-of-range values; because the two write handlers perform no validation at all, there are no checks to bypass. Possible outcomes include overcharging, battery damage, or a device that will no longer charge.
Step 1: Reaching the Vulnerable Code: An attacker needs to reach the write handlers charging_limit_current_write or charging_limit_time_write in oppo_charger.c. In a Linux kernel driver, handlers named this way are typically the store side of a sysfs or procfs node, so reaching them means a local process writing to that node; the advisory does not state which node is involved or what permissions it carries.
Step 2: Crafting the Payload: The attacker chooses an invalid or out-of-bounds value for the charging current or the charging time, for example an absurdly high current, a zero, or a negative duration.
Step 3: Sending the Payload: The value is written from a process on the device, for example a shell over USB debugging or an application that holds the required permission. Nothing in the advisory suggests a network-reachable interface; the charging subsystem is a kernel driver, so the realistic path is local, and remote exploitation would require some other foothold on the device first.
Step 4: Exploitation: The handlers accept the value exactly as supplied. Because neither performs range checking, the attacker-controlled number becomes the new limit and is passed on to the charging logic, which may then drive the charger hardware outside its safe operating parameters.
Step 5: Impact: Consequences range from battery damage through overcurrent, to erratic charging behaviour, to a denial-of-service condition in which the device no longer charges or shuts down.
The vulnerability resides in the charging_limit_current_write and charging_limit_time_write functions in oppo_charger.c, which set the charging-current limit and the charging-time limit respectively. The root cause is the absence of input validation: the code converts the user-supplied buffer to a number and uses it without checking that it lies within a sane range. An attacker can therefore supply extremely high current values, zero, or negative time values. The driver then feeds these unchecked values into the charging logic and, most likely, into the configuration it programs on the charger hardware. Without bounds checking, that hardware can be asked to operate outside its safe envelope, giving overcurrent, battery degradation, unstable charging, or a denial-of-service condition.
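To make the root cause concrete, here is an added example, written for this page and not taken from the OPPO driver: a user-space model of the two write handlers, first in the unchecked form the advisory describes and then with the range check that the mitigation section calls for. The safe bounds, the state variables, the parse helper and the bounded_write helper are all assumptions; the real driver's node names, limits and hardware path are not published here.

```c
/*
 * Added example (not OPPO's driver code): a user-space model of the two
 * sysfs/procfs-style write handlers named in the advisory, once in the
 * unchecked form the advisory describes and once with a range check.
 * Bounds, state variables and helper names are assumptions.
 */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Assumed safe operating envelope; a real driver would take these from the
 * charger IC data sheet or the device tree. */
#define CHG_CURRENT_MIN_MA 100
#define CHG_CURRENT_MAX_MA 3000
#define CHG_TIME_MIN_MIN   1
#define CHG_TIME_MAX_MIN   600

/* Stand-ins for the driver state that would be pushed to the charger IC. */
static int limit_current_ma = 2000;
static int limit_time_min = 300;

int get_limit_current_ma(void) { return limit_current_ma; }
int get_limit_time_min(void) { return limit_time_min; }

/* Strict decimal parse of a user buffer, modelled on the kernel's kstrtoint():
 * the whole buffer must be one integer, with at most one trailing newline.
 * Returns 0 on success, -EINVAL otherwise. */
static int parse_user_int(const char *buf, size_t count, int *out)
{
    char tmp[32];
    char *end;
    long val;

    if (count == 0 || count >= sizeof(tmp))
        return -EINVAL;
    memcpy(tmp, buf, count);
    tmp[count] = '\0';
    if (tmp[count - 1] == '\n')
        tmp[count - 1] = '\0';
    /* strtol would skip leading blanks; kstrtoint does not, so reject them */
    if (tmp[0] == '\0' || isspace((unsigned char)tmp[0]))
        return -EINVAL;
    errno = 0;
    val = strtol(tmp, &end, 10);
    if (errno == ERANGE || *end != '\0' || val < INT_MIN || val > INT_MAX)
        return -EINVAL;
    *out = (int)val;
    return 0;
}

/* The pattern the advisory describes: parse, then use the value unchecked. */
ssize_t vuln_charging_limit_current_write(const char *buf, size_t count)
{
    int val;

    if (parse_user_int(buf, count, &val))
        return -EINVAL;
    limit_current_ma = val;      /* 0, -1 or 65535 mA are all accepted */
    return (ssize_t)count;
}

ssize_t vuln_charging_limit_time_write(const char *buf, size_t count)
{
    int val;

    if (parse_user_int(buf, count, &val))
        return -EINVAL;
    limit_time_min = val;        /* negative or absurd durations accepted */
    return (ssize_t)count;
}

/* Fixed form shared by both handlers: anything outside [lo, hi] is rejected
 * with -EINVAL and the current setting is left untouched. */
static ssize_t bounded_write(const char *buf, size_t count, int lo, int hi, int *target)
{
    int val;

    if (parse_user_int(buf, count, &val))
        return -EINVAL;
    if (val < lo || val > hi)
        return -EINVAL;
    *target = val;
    return (ssize_t)count;
}

ssize_t safe_charging_limit_current_write(const char *buf, size_t count)
{
    return bounded_write(buf, count, CHG_CURRENT_MIN_MA, CHG_CURRENT_MAX_MA, &limit_current_ma);
}

ssize_t safe_charging_limit_time_write(const char *buf, size_t count)
{
    return bounded_write(buf, count, CHG_TIME_MIN_MIN, CHG_TIME_MAX_MIN, &limit_time_min);
}

int main(void)
{
    /* Constructed input standing in for what a local process writes to the node. */
    const char *hot = "65535\n";
    printf("unchecked: rc=%zd current=%d mA\n",
           vuln_charging_limit_current_write(hot, strlen(hot)), get_limit_current_ma());
    printf("checked:   rc=%zd current=%d mA\n",
           safe_charging_limit_current_write(hot, strlen(hot)), get_limit_current_ma());
    return 0;
}
```

The unchecked handler returns the byte count for "65535" and leaves 65535 mA as the live limit; the checked handler returns -EINVAL and keeps the previous value, which is the behaviour a sysfs store() callback should have. Strict parsing matters as well: a value such as "abc" or an empty write must fail the parse rather than silently become 0.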
No threat actor is publicly linked to this vulnerability. Its realistic impact is local denial of service or battery damage rather than code execution, so it is most plausibly useful as a sabotage or device-bricking primitive for an attacker who already has a foothold on the device. CISA KEV status: not listed (no known active exploitation).
Monitor kernel logs (dmesg, logcat) for charger-driver messages reporting unexpected charging-current or charging-time values.
Audit writes to the charger driver's user-space interface. On Android the practical signal is SELinux denials or audit records for writes to the relevant sysfs/procfs node; the driver has no network interface, so there is no network traffic to inspect.
Verify that the kernel image deployed on each device includes the vendor fix (build and security patch level). File integrity monitoring of oppo_charger.c is not meaningful, since the source file is not present on the device.
Monitor battery health and charging telemetry for anomalies such as unexpected current draw, rapid discharge, or overheating.
Implement input validation in charging_limit_current_write and charging_limit_time_write: parse the buffer strictly, reject values outside the safe current and time ranges of the charger hardware with an error (-EINVAL by kernel convention), and leave the existing setting untouched when a write is rejected.
Apply the vendor's security patches as soon as they become available.
Restrict write access to the driver's user-space interface (file permissions and SELinux policy on Android) to the system components that legitimately set charging limits.
Apply defense in depth with the threat model in mind: this is a local kernel attack surface, so SELinux enforcement, least-privilege app permissions, and verified boot of the kernel image matter more here than network IDS/IPS.
Keep the device's firmware and operating system current, both for this fix and to close other vulnerabilities that could provide the local foothold this one requires.