CVE CyberSecurity Database News

CVE-2023-21057 - Out-of-Bounds Write Vulnerability in RohcPacketCommon (ProfSixDecomTcpSACKoption) Leads to Possible Remote Code Execution on Android

Poster -

A severe vulnerability, CVE-2023-21057, was found in the Android kernel within the RohcPacketCommon module, specifically in the function ProfSixDecomTcpSACKoption. This vulnerability allows a remote attacker to write outside the bounds of a buffer. If exploited, it could lead to remote code execution without the need for user interaction or special privileges.

Where Is This Code?

The vulnerability is in ROHC (Robust Header Compression), used by Android devices to compress network packets. In RohcPacketCommon, the method ProfSixDecomTcpSACKoption processes SACK options for TCP headers.

What Went Wrong?

Developers failed to put a bounds check on data before writing into a buffer. If an attacker sends a specially crafted packet, the method can write past the buffer's end, corrupting memory.

This "out-of-bounds write" can lead to remote code execution (RCE) — letting attackers run their own code on the device.

Below is simplified pseudocode to show the core logic

void ProfSixDecomTcpSACKoption(unsigned char *data, size_t data_len) {
    char buffer[128];
    int sack_count = data[1]; // Get SACK count from packet

    // Vulnerability: No check if sack_count * 8 is less than buffer size
    memcpy(buffer, data + 2, sack_count * 8); // 8 bytes per SACK block

    // ...further processing...
}

Problem: If sack_count is large, memcpy will overflow buffer and overwrite memory — a classic out-of-bounds write.

Attack Scenario

1. Attacker crafts a network packet with a bogus SACK count field (making it much larger than expected).

Realistic Exploit Code Snippet

Suppose you're an attacker; you might craft your network packet as follows (conceptual, not real code):

# Attacker creates malicious SACK option field
malicious_sack_count = x20   # Large enough to cause overflow (32 x 8 = 256 > 128)
tcp_options = b'\x01' + bytes([malicious_sack_count]) + b'\x90' * (malicious_sack_count * 8)

# The rest of the TCP packet...
packet = build_tcp_packet_with_options(tcp_options)

# Send packet to victim's phone over the network
send_packet_to_victim(packet)

On the device, this results in

memcpy(buffer, data + 2, x100); // 256 bytes into 128-byte buffer

Kernel and ROM developers: Audit similar buffer use in network code.

For exploit mitigation, secure kernel builds use stack canaries and similar technologies, but this bug allows full buffer overwrite and can bypass many protections.

References

- NVD - CVE-2023-21057 (May not exist yet; official advisories to be published)
- Android Security Bulletins
- About ROHC (Wikipedia)

Summary Table

| Field                | Value                                      |
|----------------------|--------------------------------------------|
| CVE ID           | CVE-2023-21057                             |
| Affected Product | Android Kernel (ROHC)                      |
| Affected Function| ProfSixDecomTcpSACKoption (RohcPacketCommon)|
| Impact           | Remote Code Execution (RCE)                |
| Privileges Needed| None                                       |
| User Interaction | Not needed                                 |
| Android ID       | A-244450646                                |

Conclusion

CVE-2023-21057 is a critical vulnerability in Android’s kernel, making millions of devices susceptible to full device compromise just via network exposure. It is a reminder of the importance of strict input validation, especially in kernel and network code. Update immediately and monitor the Android Security Bulletins for patches and mitigation advice.

*Stay safe, and keep your devices up to date!*

*This article was written exclusively for educational and informational purposes. Please always act responsibly and within the bounds of the law.*

Timeline

Published on: 03/24/2023 20:15:00 UTC
Last modified on: 03/30/2023 16:50:00 UTC