CVE-2016-10225 : The sunxi-debug driver in Allwinner 3.4 legacy kernel for H3, A83T and H8 devices allows local users to gain root privil

The sunxi-debug driver in Allwinner 3.4 legacy kernel for H3, A83T and H8 devices allows local users to gain root privileges by sending "rootmydevice" to /proc/sunxi_debug/sunxi_debug.

Published 2017-03-27 17:59:00

Updated 2021-04-21 19:40:47

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2016-10225

Probability of exploitation activity in the next 30 days: 0.05%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 19 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2016-10225

Allwinner 3.4 Legacy Kernel Local Privilege Escalation

Disclosure Date: 2016-04-30

First seen: 2020-04-26

exploit/multi/local/allwinner_backdoor

This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4. Vulnerable OS: all OS images available for Orange Pis, any for FriendlyA

More information

CVSS scores for CVE-2016-10225

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2016-10225

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-10225

https://forum.armbian.com/index.php?/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/

Security Alert for Allwinner sun8i (H3/A83T/H8) - Allwinner H2 & H3 - Armbian forum
Mailing List;Third Party Advisory
https://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390

#linux-sunxi on 2016-04-29 — irc logs at whitequark.org
Issue Tracking;Third Party Advisory
https://www.rapid7.com/db/modules/exploit/multi/local/allwinner_backdoor

Allwinner 3.4 Legacy Kernel Local Privilege Escalation
Exploit;Third Party Advisory
http://www.openwall.com/lists/oss-security/2017/02/15/9

oss-security - Re: CVE request: sunxi-debug (root privilege escalation in Allwinner kernel)
Mailing List;Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/10/05/16

oss-security - CVE request: sunxi-debug (root privilege escalation in Allwinner kernel)
Mailing List;Patch;Third Party Advisory
http://www.securityfocus.com/bid/93442

Allwinner Linux kernel 'sunxi-debug.c' Local Privilege Escalation Vulnerability
Third Party Advisory;VDB Entry

Products affected by CVE-2016-10225

Allwinner » Linux-3.4-sunxi » Version: N/A
cpe:2.3:o:allwinner:linux-3.4-sunxi:-:*:*:*:*:*:*:*
Matching versions
When used together with: Allwinner » A83t » Version: N/A
When used together with: Allwinner » H3 » Version: N/A
When used together with: Allwinner » H8 » Version: N/A