UNISOC BootROM Privilege Escalation Vulnerability
Vulnerability
A vulnerability has been identified in the BootROM of UNISOC chipsets used in Android devices that allows local privilege escalation. The flaw is an unchecked write address in recovery mode: the download handler accepts a destination address and size from the host without validating them, so an adversary with physical access to the device can direct a write to arbitrary memory. Overwriting function pointers or return addresses in this way enables execution of arbitrary code with BootROM privileges.
Impact
Successful exploitation yields code execution at BootROM privilege level, the first-stage code run at power-up, and could allow persistent modification of the device's boot process. Because BootROM code is fixed in silicon, the flaw itself cannot be patched by a firmware update on affected devices.
Reproduction
To reproduce, boot the device into recovery mode by holding the relevant button during power-up, then send a crafted packet over USB or UART that exploits the missing validation of the write address and size. A packet that targets a function pointer or return address with attacker-controlled data demonstrates the issue.
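The following is an added, constructed model of the bug class described above; it is not UNISOC's BootROM code and the memory layout, packet format and names (`sram`, `write_cmd_t`, `handle_write_unchecked`, `handle_write_checked`) are assumptions for illustration. It places a download buffer and a function-pointer slot in a small simulated SRAM, shows the unchecked handler letting a host-supplied address overwrite the slot, and shows a hardened handler that confines writes to the download buffer with wrap-safe arithmetic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed SRAM model (not real UNISOC layout): the download buffer
 * occupies the first half, a function-pointer slot sits right after it. */
#define SRAM_SIZE      0x1000u
#define DL_BUF_OFF     0x000u
#define DL_BUF_SIZE    0x800u
#define FPTR_SLOT_OFF  0x800u
#define SENTINEL       0xDEADBEEFu   /* stands in for a legitimate handler pointer */

static uint8_t sram[SRAM_SIZE];

/* Assumed shape of a recovery-mode write command received over USB/UART:
 * destination address and length chosen by the host, followed by payload. */
typedef struct {
    uint32_t dst;          /* absolute address in the SRAM model */
    uint32_t len;          /* payload length claimed by the host */
    const uint8_t *data;
} write_cmd_t;

/* Vulnerable handler: copies wherever the packet says, for as long as it says. */
int handle_write_unchecked(const write_cmd_t *cmd)
{
    memcpy(&sram[cmd->dst], cmd->data, cmd->len);
    return 0;
}

/* Hardened handler: destination range must lie entirely inside the download
 * buffer. The length check is expressed as "len > remaining space" so that
 * dst + len can never wrap around 32 bits and slip past the bound. */
int handle_write_checked(const write_cmd_t *cmd)
{
    const uint32_t buf_end = DL_BUF_OFF + DL_BUF_SIZE;
    if (cmd->dst < DL_BUF_OFF || cmd->dst >= buf_end)
        return -1;
    if (cmd->len > buf_end - cmd->dst)
        return -1;
    memcpy(&sram[cmd->dst], cmd->data, cmd->len);
    return 0;
}

static uint32_t read_u32(uint32_t off)
{
    uint32_t v;
    memcpy(&v, &sram[off], sizeof v);
    return v;
}

static void write_u32(uint32_t off, uint32_t v)
{
    memcpy(&sram[off], &v, sizeof v);
}

/* Send a crafted packet aimed at the function-pointer slot through the given
 * handler and return the slot's contents afterwards. */
uint32_t slot_after_crafted_write(int (*handler)(const write_cmd_t *))
{
    static const uint8_t payload[4] = {0x41, 0x41, 0x41, 0x41};
    write_cmd_t cmd = { FPTR_SLOT_OFF, sizeof payload, payload };
    write_u32(FPTR_SLOT_OFF, SENTINEL);
    (void)handler(&cmd);
    return read_u32(FPTR_SLOT_OFF);
}

/* Return code of the crafted write through the given handler. */
int crafted_write_rc(int (*handler)(const write_cmd_t *))
{
    static const uint8_t payload[4] = {0x41, 0x41, 0x41, 0x41};
    write_cmd_t cmd = { FPTR_SLOT_OFF, sizeof payload, payload };
    write_u32(FPTR_SLOT_OFF, SENTINEL);
    return handler(&cmd);
}

/* A length that makes dst + len wrap past 2^32; must be rejected. */
int wraparound_write_rc(void)
{
    static const uint8_t byte = 0;
    write_cmd_t cmd = { 0x100u, 0xFFFFFFF0u, &byte };
    return handle_write_checked(&cmd);
}

/* A legitimate in-buffer write still succeeds on the hardened handler. */
int inbounds_write_rc(void)
{
    static const uint8_t payload[16] = {0x42};
    write_cmd_t cmd = { 0x10u, sizeof payload, payload };
    return handle_write_checked(&cmd);
}

int main(void)
{
    printf("unchecked: slot = 0x%08x\n", slot_after_crafted_write(handle_write_unchecked));
    printf("checked:   slot = 0x%08x rc = %d\n",
           slot_after_crafted_write(handle_write_checked),
           crafted_write_rc(handle_write_checked));
    printf("wraparound rc = %d, in-bounds rc = %d\n",
           wraparound_write_rc(), inbounds_write_rc());
    return 0;
}
```

The unchecked path leaves 0x41414141 in the slot that the BootROM would later call through, which is exactly the function-pointer overwrite the advisory describes; the checked path returns an error and leaves the slot untouched. Note that the hardened check compares the length against the remaining buffer space rather than computing `dst + len`, since a host-controlled length large enough to wrap the sum would otherwise pass a naive upper-bound test.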
