Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-14040 PoC — 多款Qualcomm产品资源管理错误漏洞

Source
https://github.com/tamirzb/CVE-2019-14040
Associated Vulnerability
Title:多款Qualcomm产品资源管理错误漏洞 (CVE-2019-14040)
Description:Using memory after being freed in qsee due to wrong implementation can lead to unexpected behavior such as execution of unknown code in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8096AU, APQ8098, MDM9150, MDM9206, MDM9207C, MDM9607, MDM9640, MDM9650, MSM8905, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996AU, MSM8998, QCS605, QM215, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM845, SDX20, SDX24, SM8150, SXR1130
Description
PoC code for CVE-2019-14040
Readme
# CVE-2019-14040

Proof-of-concept code for CVE-2019-14040

More details about the vulnerability are available [in the blog post](https://blog.zimperium.com/multiple-kernel-vulnerabilities-affecting-all-qualcomm-devices).

If you have any questions, you are welcome to DM me on Twitter ([@tamir_zb](https://twitter.com/tamir_zb)).


## Build & Run

In order to build, run Android NDK's `ndk-build`.

In order to run the PoC, run the binary using the following command:

    LD_PRELOAD=libQSEEComAPI.so ./qseecom_uaf

Make sure to run it from a context where `/dev/qseecom` is accessible.

## Result

Running this on a Pixel 3 running Android 9 causes the kernel to panic. In
theory this PoC should work on other Android devices and versions without any
modifications but I have not tested it.
File Snapshot

 [4.0K]  /data/pocs/769b19408b031530674817a5b7fb51aa06f48fc1
├── [4.0K]  jni
│   ├── [ 263]  Android.mk
│   ├── [6.3K]  ion.h
│   ├── [6.0K]  msm_ion.h
│   ├── [ 10K]  QSEEComAPI.h
│   ├── [ 11K]  qseecom.h
│   └── [5.9K]  qseecom_uaf.c
├── [ 34K]  LICENSE
└── [ 793]  README.md

1 directory, 8 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →