# Exploit Title: Information Leak & RCE on Multiple Google Android Vendors - <Motorola, Sony, OnePlus> # Date: 03-08-2017 <accumulative> # Vulnerable Software : Google - Android Open Source Project (AOSP) # CVE: CVE-2017-0781,CVE-2017-0782,CVE-2017-0785 # Category: remote # Tested On: Moto G4 <Android : 7.0>, OnePlus 3T<Android : 7.0>, Xperia XZ<Android : 7.0> # Firmwares Tested: Moto G4+ (Nougat) Build Number NPJ25.93-14, Sony Xperia XZ Build Number 39.2.A.0.417, OnePlus 3/3T Software Version O2OS 170114 | OxygenOS 4.0.2 | OxygenOS 4.0.3 # # Exploit Author: 0x48piraj # # Contact #1: https://twitter.com/0x48piraj # Contact #2: piyushraj.4680@gmail.com # Contact #3: https://0x48piraj.github.io/ # # This Bug can combined with Blueborne: https://www.armis.com/blueborne/ 1. Description Manipulating Airplane mode causes automatic triggering of bluetooth. After the bluetooth is automatically activated, Blueborne can be combined to carry out RCE on the vulnerable device. This Bug can also be combined with other vulns. to compromise the device. 2. Proof of Concept # PoC: # 1. Check the Bluetooth Status, Switch off Bluetooth # 2. Turn on the Airplane mode # 3. After, loading in, Switch off Airplane mode # 4. Check Bluetooth listener, Bluetooth should be turned on automatically. P.O.C. Videos: https://youtu.be/RY-pOOdxq5Q https://youtu.be/B6LrRgXe4rM 3. Solutions: - Sony Xperia XZ : A link appears under Bluetooth, click it. Appears two options: 1> One for WiFi and 2> Other for Bluetooth named Self-Activation. Disable Self Activation. - Moto G4 / G4 Plus : Google Trusted Contact app is triggering Bluetooth. InLocation Scanning,Keep Bluetooth scanning Turned Off. or Update your device to the latest OTA UPDATE. - OnePlus T3 : *Update your device to the latest OTA UPDATE. 4.1.3 Oxygen o/s & Android version 7.1.1 Fixed the Bug. Website - (http://downloads.oneplus.net/oneplus-3/oneplus_3_oxygenos_4.1.3/) Firmware - [http://oxygenos.oneplus.net.s3.amazonaws.com/OnePlus3Oxygen_16_OTA_051_all_1704112009_eea59ef3b9144930.zip]