A lot of us here at XDA-Developers originally started browsing the forums for the first time when we were looking to root our Android devices. Back in those days, people often relied on "one-click root" methods: Apps or scripts containing payloads that target known privilege escalation vulnerabilities of the existing firmware to gain root access. With improvements and changes to encryption, permissions, and privacy-related handling, modern Android devices are relatively safe from such attack vectors, but there will always remain scope for exploits and vulnerabilities.

OnePlus might have cemented its name among the major Android OEMs, but its phones are no stranger to security flaws. This time, the company has left a rather interesting (read: worrying) vulnerability unpatched on the OnePlus Nord 2 since its release. Although exploiting the loophole requires physical access to the device, the attacker can effectively gain an unrestricted root shell before the user can even enter their credentials. Notably, the newly released Pac-Man edition of the Nord 2 is affected as well.

Background

Nowadays, when we talk about having root access on an Android smartphone, people usually think about patching the stock boot image with Magisk first and then flashing the patched image to the target device after bootloader unlocking. That way, the end-user can have supervised access to the "su" binary through a manager app. A couple of other experimental approaches exist, but they seldom gather as much mainstream usage.

When it comes to pre-production, though, the scenario is entirely different. While preparing the firmware of a device, the engineers need to have various logging parameters turned on, including root access. Even on a userdebug build, the Android Debug Bridge Daemon (adbd) runs as root, so that one can have privileged shell access for debugging purposes. When the firmware is ready for shipping, all these debugging parameters must be turned off before rolling it out.

But what happens if you forget to do so? We will see, as the official OxygenOS releases for the OnePlus Nord 2 come with such a flaw.

OnePlus Nord 2 -- Root Shell Vulnerability

Some OEMs like Samsung offer update package sideloading capability in their stock recovery on retail devices. In that case, the adbd binary runs with a significantly high privilege while sideloading, but it closes down itself as soon as the update process finishes up. Other than that, there is no ADB access permitted in an OEM-provided recovery environment.

OnePlus no longer allows users to flash an update ZIP package through its stock recovery via ADB sideload. Assuming that everything else is configured as it should, a regular OnePlus device's recovery environment should be safe from attackers delivering any kind of payload using ADB. Unfortunately, not everything goes according to plan in the case of the OnePlus Nord 2.

As it turns out, anyone can spawn an Android debugging shell with root privilege inside the recovery environment of the OnePlus Nord 2. One of the critical debugging settings apparently made its way to the production builds, which leads to this glitch.

Exploiting the flaw on the OnePlus Nord 2

All you need to do is reboot the OnePlus Nord 2 to its recovery mode. An attacker can take the device and use a simple hardware button combo to force it to go to recovery mode. In fact, there is no need to reach the actual recovery menu, as the vulnerable section comes before that. Credit goes to XDA Senior Member AndroPlus for pointing out the existence of this glitch back in October 2021.

  1. While the phone is turned off, press the volume down and the power buttons simultaneously until you see the OnePlus logo with a minuscule "RECOVERY MODE" banner at the bottom left corner of the screen.
    OnePlus Nord 2 recovery mode
  2. Next, you should see the language selection screen. No need to move forward, as we can initiate ADB access right from here.
    OnePlus Nord 2 recovery language selection
  3. Now connect the phone to a PC (or Mac) using the USB cable. In case you're using Windows, you can see a new Android USB debugging interface pops up in the Device Manager. You might also need to install a suitable Android USB driver before Windows can recognize the new device. Linux and macOS users, on the other hand, can use the lsusb command to detect the presence of the new hardware interface.
    OnePlus Nord 2 recovery adb interface
  4. Considering you already have the latest version of ADB and Fastboot utilities installed on your PC/Mac, fire up a Command Prompt/PowerShell/Terminal instance and execute the following command:
            adb devices
        
    It should list the Nord 2 in recovery mode. This is also particularly interesting, as the standard ADB authorization prompt is not needed here. You may get a "device unauthorized" error, but wiping out the host PC's existing ADB RSA key database and restarting the ADB server should eventually allow you to get it authorized.
  5. Now instruct adbd to run as root:
            adb root
        
    This command might take a long time and you will probably get a timeout error. Nonetheless, now adbd should be running as root.
    OnePlus Nord 2 adbd as root
  6. Finally, verify the privilege level of the shell using the following command:
            adb shell whoami
        
    OnePlus Nord 2 adb shell whoami

The extent of the flaw

The potential abuses of this security vulnerability are frightening. With a successful attack on the OnePlus Nord 2, an attacker can dump every partition of the device. As a result, the entirety of the data partition — including files stored in the typically inaccessible private data directories of applications — is accessible to the attacker. In case the data partition came out as encrypted (because of the user set a PIN or password), the dump could still be useful for forensic analysis.

Not only that, you can push an executable to /data/local/tmp and run it from there. This is a classic attack vector, which can be useful for chainloading another exploit. Moreover, since you can now call the setprop utility as root to modify various prop values, you can technically hijack some of the privileged OEM-specific variables. Last but not least, even if you don't have developer options unlocked, the phone will automatically prompt for USB debugging access after you invoke ADB in recovery and reboot to the regular Android environment, which means the vulnerability's scope is not limited to just the recovery section only.

Note that you can't install APK files using ADB in the recovery environment due to the fact that the Package Manager utility isn't accessible there.

How to check if your OnePlus Nord 2 is affected? (Hint: It is)

As mentioned earlier, you can exploit this vulnerability on both the regular and the special Pac-Man edition of the OnePlus Nord 2. In a nutshell, if you enter a root shell (you’ll know when the shell symbol changes from $ to #), then you’ll know the flaw is present.

We have successfully gained root shell access on the latest public Indian and the European OxygenOS firmware for the device, which means every single OnePlus Nord 2 unit out there is vulnerable at the time of writing this article.


What's next?

We will be following up on this matter as more information becomes available. OnePlus provided the following statement on the issue:

We treat privacy and security very seriously. We are prioritizing this matter and we will share an update as soon as we have more information.

While all of this seems scary, keep in mind that an attacker will still need to physically access the phone in order to gain root shell access. Until OnePlus rolls out an update that patches the vulnerability, try to keep your OnePlus Nord 2 away from strangers. While we have not come across any instances of malicious use, one cannot discount such possibility as the vulnerability has been in the wild for at least 2 months now.