Nothing Tech Nothing OS Privilege Escalation Vulnerability in NtBpfService Component
Vulnerability
A privilege escalation vulnerability has been identified in Nothing Tech Nothing OS version 2.6. The issue lies in the NtBpfService component of the pre-installed, hidden app 'com.nothing.bpf'. The service is exposed over the Android Binder IPC mechanism and forwards caller-supplied strings to a privileged daemon, 'bpfloader', which executes them as root. Because the service does not sanitize that input before handing it to the daemon, a local attacker (any app on the device) can inject shell commands into it.
Impact
Exploitation allows a local attacker to run arbitrary shell commands as root through the bpfloader daemon. Root here does not immediately mean full device compromise: the injected commands inherit bpfloader's restricted SELinux context, which limits what parts of the filesystem they can reach, so turning this into broader privilege escalation would take a further step.
Reproduction
The vulnerability can be reproduced with a malicious app that talks to NtBpfService directly. Since the service's AIDL interface is not part of the public SDK, the app recreates it and uses the generated client stub to send crafted messages that exploit the missing input sanitization; the bpfloader daemon then executes the injected commands as root.
Remediation
Users should update to Nothing OS 2.6 hotfix 2, which adds a permission requirement to NtBpfService so that ordinary third-party apps can no longer reach it. Because this gates the caller rather than the command input, some semi-privileged apps may still be able to exploit the vulnerability; the fix narrows the attack surface rather than removing it.
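The injection pattern and the two layers of fix (caller gate plus input gate) side by side, as a Java example added for this page. It is not Nothing's code: the method shape (one Binder method taking a string), the permission string, the `/system/bin/bpfctl` helper path and the `RootExecutor` stand-in for the bpfloader transport are all assumptions, since the advisory does not publish the real AIDL or the daemon protocol.

```java
// Added illustration for this advisory; not Nothing's code. The interface
// shape, permission name, helper binary and daemon transport are assumptions.
package com.example.bpfservice;

import android.content.Context;
import android.os.Binder;

import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public final class NtBpfServiceExample {

    /** Stand-in for the path to the root daemon; the real bpfloader transport is not described. */
    public interface RootExecutor {
        int execAsRoot(String[] argv);
    }

    /**
     * Vulnerable shape: the Binder method hands the caller's string to a shell
     * running as root, with neither a caller check nor input validation.
     * In a real service this body would live in the INtBpfService.Stub (assumed name).
     */
    public static final class Vulnerable {
        private final RootExecutor daemon;
        public Vulnerable(RootExecutor daemon) { this.daemon = daemon; }

        public int runBpfCommand(String cmd) {
            // "status; id > /data/local/tmp/pwned" runs two commands, the second
            // one chosen entirely by the calling app.
            return daemon.execAsRoot(new String[] {"/system/bin/sh", "-c", cmd});
        }
    }

    /**
     * Hardened shape: gate the caller (what the hotfix adds, per the advisory),
     * then constrain the request to a closed vocabulary and invoke the helper
     * with an argv array so no shell ever parses caller-controlled bytes.
     */
    public static final class Hardened {
        // Assumed permission string; it must also be declared in the app manifest
        // with signature protection and attached to the <service> element.
        public static final String MANAGE_BPF = "com.example.permission.MANAGE_BPF";

        private static final List<String> ALLOWED_OPS = Arrays.asList("status", "reload");
        private static final Pattern PROGRAM_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

        private final Context context;
        private final RootExecutor daemon;

        public Hardened(Context context, RootExecutor daemon) {
            this.context = context;
            this.daemon = daemon;
        }

        public int runBpfCommand(String op, String programName) {
            // 1. Caller gate. enforceCallingPermission checks the Binder caller's
            //    identity, not this process's, so an unprivileged app is rejected here.
            context.enforceCallingPermission(MANAGE_BPF,
                    "uid " + Binder.getCallingUid() + " may not drive NtBpfService");

            // 2. Input gate. The permission alone still trusts every holder, which is
            //    why the advisory warns that semi-privileged apps may remain able to
            //    exploit an unvalidated path. Reject anything outside the expected vocabulary.
            if (op == null || !ALLOWED_OPS.contains(op)) {
                throw new IllegalArgumentException("unknown bpf operation");
            }
            if (programName == null || !PROGRAM_NAME.matcher(programName).matches()) {
                throw new IllegalArgumentException("bad bpf program name");
            }

            // 3. argv, not a command line: metacharacters in programName are just bytes
            //    in one argument. "/system/bin/bpfctl" is a placeholder helper.
            return daemon.execAsRoot(new String[] {"/system/bin/bpfctl", op, programName});
        }
    }
}
```

For the caller gate to mean anything, the assumed permission has to be declared in the app's manifest as `<permission ... android:protectionLevel="signature" />` and referenced from the `<service>` element via `android:permission`; otherwise any app can request it. Even with both gates in place, the daemon's SELinux domain remains the last line of defence and should stay as narrow as the advisory describes.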
