Share
## https://sploitus.com/exploit?id=2C31F084-3E15-5EF8-A10B-FE0CC3AFFC15
# Analysis of Preloader Vulnerabilities in MediaTek MT8365 (MT8168)

## Targets

- SoC: MediaTek MT8365 (MT8168 series)
- Component: Preloader (first-stage bootloader)
- Source path: `MT8365_Q0_Ayla_bsp/vendor/mediatek/proprietary/bootable/bootloader/preloader/`

## List of Analyzed Vulnerabilities

| CVE | Type | CWE | Attack Vector | Patch ID |
|-----|--------|-----|--------------|----------|
| [CVE-2022-26468](./CVE-2022-26468/exploit_analysis.md) | USB OOB Write | CWE-787 | USB physical connection | ALPS07168125 |
| [CVE-2022-20060](./CVE-2022-20060/exploit_analysis.md) | Authentication bypass | CWE-1196 | USB physical connection | N/A |
| [CVE-2022-20059](./CVE-2022-20059/exploit_analysis.md) | USB OOB Write | CWE-787 | USB physical connection | ALPS07025588 |
| [CVE-2022-20074](./CVE-2022-20074/exploit_analysis.md) | Partition OOB R/W | CWE-125/787 | Storage corruption | ALPS06183301 |

## Key Vulnerabilities Identified by Static Analysis

### USB Download-Related Vulnerabilities (CVE-2022-26468, CVE-2022-20059, CVE-2022-20060)

```
handshake_usb.c:usb_listen() β†’ usbdl_handler()
 β”œβ”€β”€ download.c:usbdl_write16/32() β†’ sec_region_check() (Bypassed)
 β”œβ”€β”€ download.c:usbdl_read16/32() β†’ sec_region_check() (Bypassed)
 β”œβ”€β”€ download.c:usbdl_send_da() β†’ usbdl_verify_da() (Authentication bypass)
 β”‚ β†’ usbdl_get_data() (OOB Write)
 └── download.c:usbdl_jump_da() β†’ bldr_jump() (Allowing arbitrary code execution)
```

### Partition Analysis-Related Vulnerabilities (CVE-2022-20074)

```
partition.c:part_load()
 β”œβ”€β”€ blkdev_read(header) β†’ get_part_info() (No validation for maddr/dsize)
 β”œβ”€β”€ load_addr_check() (Limited check, bypassable)
 └── blkdev_read(payload) (OOB Read/Write)
```

```
part_common.c:part_init()
 └── read_gpt() (Corrupted GPT data without validation)
```

```
sec.c:sec_lib_init()
 β”œβ”€β”€ sec_cfg_load() (OOB Read possible)
 └── sec_cfg_save() (OOB Write possible)
```

### Security Policy-Related Vulnerabilities (CVE-2022-20060)

```
sec_policy.c:

β”œβ”€β”€ get_vfy_policy() β†’ get_sec_policy() β†’ get_sec_state() 
 β”‚ (Default fallback when state retrieval fails) 
 β”œβ”€β”€ get_dl_policy() (Reference for download) 
 └── get_policy_entry_idx() (Name-based strcmp, length inconsistency) 
 
## Key Structures and Variables 
| Symbol | File | Description | 
|---------|-------|----------| 
| g_ROM_INFO | sec_rom_info.c:93 | Static data structure for security configuration | 
| g_dram_buf | dram_buffer.h (external) | DRAM buffer structure (including partition information) | 
| g_policy_map[] | sec_policy.c:9 | Security policy map per partition | 
| g_da_verified | download.c:79 | DA authentication flag (operable) | 
| g_meta_com_type | (external) | META/USB communication type settings | 
 
## Possibilities of Attack Paths 
```
Physical access β†’ USB bootloader mode 
 β”œβ”€β”€ CVE-2022-20059: Memory R/W privilege gain 
 β”‚ β”œβ”€β”€ Security flag rewriting 
 β”‚ β”œβ”€β”€ Lock state falsification 
 β”‚ └── eMMC area targeting β†’ Storage corruption 
 β”‚ └── CVE-2022-20074: Permanent bootkit establishment 
 └── CVE-2022-20060: DA authentication bypass 
 β”œβ”€β”€ Unsigned DA execution β†’ Arbitrary code execution 
 └── eMMC corruption β†’ CVE-2022-20074 and chain of events 
 
## References 
- [MediaTek September 2022 Security Bulletin](https://corp.mediatek.com/product-security-bulletin/September-2022) 
- [MediaTek March 2022 Security Bulletin](https://corp.mediatek.com/product-security-bulletin/March-2022) 
- [MediaTek April 2022 Security Bulletin](https://corp.mediatek.com/product-security-bulletin/April-2022) 
- [NCC Group: There’s A Hole In Your SoC: Glitching The MediaTek BootROM](https://www.nccgroup.com/research/there-s-a-hole-in-your-soc-glitching-the-mediatek-bootrom/) 
- [Quarkslab: Attacking the Samsung Galaxy A Boot Chain](https://blog.quarkslab.com/attacking-the-samsung-galaxy-a-boot-chain.html) 
- [Meta Red Team: Flawed Size Check in MediaTek Preloader](https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-v45w-cq6c-vcx8)