Share
## https://sploitus.com/exploit?id=2C31F084-3E15-5EF8-A10B-FE0CC3AFFC15
# Analysis of Preloader Vulnerabilities in MediaTek MT8365 (MT8168)
## Targets
- SoC: MediaTek MT8365 (MT8168 series)
- Component: Preloader (first-stage bootloader)
- Source path: `MT8365_Q0_Ayla_bsp/vendor/mediatek/proprietary/bootable/bootloader/preloader/`
## List of Analyzed Vulnerabilities
| CVE | Type | CWE | Attack Vector | Patch ID |
|-----|--------|-----|--------------|----------|
| [CVE-2022-26468](./CVE-2022-26468/exploit_analysis.md) | USB OOB Write | CWE-787 | USB physical connection | ALPS07168125 |
| [CVE-2022-20060](./CVE-2022-20060/exploit_analysis.md) | Authentication bypass | CWE-1196 | USB physical connection | N/A |
| [CVE-2022-20059](./CVE-2022-20059/exploit_analysis.md) | USB OOB Write | CWE-787 | USB physical connection | ALPS07025588 |
| [CVE-2022-20074](./CVE-2022-20074/exploit_analysis.md) | Partition OOB R/W | CWE-125/787 | Storage corruption | ALPS06183301 |
## Key Vulnerabilities Identified by Static Analysis
### USB Download-Related Vulnerabilities (CVE-2022-26468, CVE-2022-20059, CVE-2022-20060)
```
handshake_usb.c:usb_listen() β usbdl_handler()
βββ download.c:usbdl_write16/32() β sec_region_check() (Bypassed)
βββ download.c:usbdl_read16/32() β sec_region_check() (Bypassed)
βββ download.c:usbdl_send_da() β usbdl_verify_da() (Authentication bypass)
β β usbdl_get_data() (OOB Write)
βββ download.c:usbdl_jump_da() β bldr_jump() (Allowing arbitrary code execution)
```
### Partition Analysis-Related Vulnerabilities (CVE-2022-20074)
```
partition.c:part_load()
βββ blkdev_read(header) β get_part_info() (No validation for maddr/dsize)
βββ load_addr_check() (Limited check, bypassable)
βββ blkdev_read(payload) (OOB Read/Write)
```
```
part_common.c:part_init()
βββ read_gpt() (Corrupted GPT data without validation)
```
```
sec.c:sec_lib_init()
βββ sec_cfg_load() (OOB Read possible)
βββ sec_cfg_save() (OOB Write possible)
```
### Security Policy-Related Vulnerabilities (CVE-2022-20060)
```
sec_policy.c:
βββ get_vfy_policy() β get_sec_policy() β get_sec_state()
β (Default fallback when state retrieval fails)
βββ get_dl_policy() (Reference for download)
βββ get_policy_entry_idx() (Name-based strcmp, length inconsistency)
## Key Structures and Variables
| Symbol | File | Description |
|---------|-------|----------|
| g_ROM_INFO | sec_rom_info.c:93 | Static data structure for security configuration |
| g_dram_buf | dram_buffer.h (external) | DRAM buffer structure (including partition information) |
| g_policy_map[] | sec_policy.c:9 | Security policy map per partition |
| g_da_verified | download.c:79 | DA authentication flag (operable) |
| g_meta_com_type | (external) | META/USB communication type settings |
## Possibilities of Attack Paths
```
Physical access β USB bootloader mode
βββ CVE-2022-20059: Memory R/W privilege gain
β βββ Security flag rewriting
β βββ Lock state falsification
β βββ eMMC area targeting β Storage corruption
β βββ CVE-2022-20074: Permanent bootkit establishment
βββ CVE-2022-20060: DA authentication bypass
βββ Unsigned DA execution β Arbitrary code execution
βββ eMMC corruption β CVE-2022-20074 and chain of events
## References
- [MediaTek September 2022 Security Bulletin](https://corp.mediatek.com/product-security-bulletin/September-2022)
- [MediaTek March 2022 Security Bulletin](https://corp.mediatek.com/product-security-bulletin/March-2022)
- [MediaTek April 2022 Security Bulletin](https://corp.mediatek.com/product-security-bulletin/April-2022)
- [NCC Group: Thereβs A Hole In Your SoC: Glitching The MediaTek BootROM](https://www.nccgroup.com/research/there-s-a-hole-in-your-soc-glitching-the-mediatek-bootrom/)
- [Quarkslab: Attacking the Samsung Galaxy A Boot Chain](https://blog.quarkslab.com/attacking-the-samsung-galaxy-a-boot-chain.html)
- [Meta Red Team: Flawed Size Check in MediaTek Preloader](https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-v45w-cq6c-vcx8)