SlideShare a Scribd company logo

How to Root 10 Million Phones with One Exploit

Jiahong Fang
Jiahong Fang

How to Root 10 Million Phones with One Exploit

Software
1 of 34
Download to read offline
How to Root 107 Phones with One Exploit James Fang
About Me • Root guy of Keen Team – With support from the whole team • Responsible for many PHA (root) application – Pingpong Root – Mate 7 Root – KingRoot and SDK (with KR team)
Why Root? • Fun – Xposed, Greenify, etc – New ideas from community (XDA, Gfan) – Full control over your device • Secured – Root manger – Additional exploit mitigation
Android Root (History) • 2008: T-Mobile G1 hidden root console – Run terminal emulator app – Launches telnetd as root • Feature vs. bug Trying 192.168.0.88... Connected to 192.168.0.88. Escape character is '^]'. # id uid=0(root) gid=0(root) # cd proc # cat version Linux version 2.6.25-01843-gfea26b0 (android-build@apa27.mtv.corp.google.com) (gcc version 4.2.1) #6 PREEMPT Mon Oct 6 14:13:36 PDT 2008
Android Root (History) Root shell / app_uid
Android Root (History) • OTA – Volez by Zinx – Improper parsing of signed update zip file – Master Key vulnerability “family” • Cydia impactor • system->root
Android Root (History) • Daemon – setuid failure – Shared memroy – Memory corruption • GingerBreak • zergRush – File perms & symlinks  • Many were there in init.rc
Android Root (History) • Kernel – Wunderbar/asroot – FramaRoot by alphzain • /dev/exynosmem • /dev/exynosmem (again :D) – CVE-2013-6282 – towelroot – …
How to Cook Root
Compounds • Vulnerability & Exploit – Attack surface – In kernel/privileged process • Mitigation Bypass – SELinux – Root mitigation (Samsung) – (NAND)? write protection ( to reach kernel)
Challenges
Challenges
Challenges • Manufacturers and models – Kernel behaviors (syscall?) – Root mitigation • Same model, different ROM – Kernel symbol locations – Structures, offsets • Device database? – Not the best solution
A Case Study (Early 2014) • CVE-2013-6282 – put_user/get_user – Lack of boundary check • Read & write – ptrace->put_user->write anywhere – setsockopt->get_user->read anywhere • Targeting all ARMv6+ (by getsockopt)
A Case Study (Early 2014) • “Perfect vulnerability” • Thinking of these problems: – Achieve root with read & write – Achieve root with write only – Without device database – SELinux (Nexus and Samsung) • “Write-only” bugs are quite common
DKOM • Direct Kernel Object Manipulation • Straight forward when we have R/W • Our goal – Get root uid/gid – Get full capabilities – Get u:r:init:s0 – Patch SELinux policy – Patch/bypass root mitigations • Where are the “objects”?
DKOM • Task information – struct thread_info => on kernel stack – struct task_struct => in heap – thread_info.task -> task_struct • Leak SP (towelroot) • Search and manipulate – Useful when code execution is inconvenient
DKOM
DKOM • init_task leads to the doubly-linked list • Usually a symbol in kallsyms – We don’t have root yet • Any pattern? • In /arch/arm/kernel/init_task.c – struct task_struct init_task = INIT_TASK(init_task); (take ARM32 as an example)
DKOM • Always starts with this pattern: – .state => unknown – .stack => 2-page (8K) aligned address – .usage => 0x2 – .flags => 0x200000 • Search range? – /proc/iomem
DKOM • Next: offset of tasks • Structure definition: • For all modern multi-core phones, CONFIG_SMP is always ‘y’ struct task_struct { volatile long state; void *stack; ... struct list_head tasks; #ifdef CONFIG_SMP struct plist_node pushable_tasks; #endif
DKOM • Check init_task.h, list.h and plist.h in /include/linux • tasks + pushable_tasks looks like: – Two kernel pointers – 0x0000008c – Two kernel pointers • Good anchor once we located init_task
DKOM • How to identify my process? – Random string => char comm[TASK_COMM_LEN] – Anchor to identify task – It will also find task->cred for you  const struct cred __rcu *cred; struct cred *replacement_session_keyring; char comm[TASK_COMM_LEN];
DKOM • So now we have: – init_task – Traverse task list for any task – Identify task by comm – Offset of task->cred • struct cred is simple and easy? – For uid/gid – How about u:r:init:s0?
DKOM • sid <=> SELinux context • 1 <=> u:r:kernel:s0 • ?? <=> u:r:init:s0 • Two approaches – untrusted/shell => kernel => init • Policy may block it – Set sid directly • Look for “init” task 
-wx-wx-wx • But what if only write anywhere is possible? • Real example: – Broadcom /dev/uio1 – ioctl: Write a string to given address – How to exploit? • Overwrite syscall table and run shell code?
-wx-wx-wx • Interesting entry in process map: • What’s inside? shell@test:/ $ cat /proc/self/maps 40000000-40020000 r--s 00000000 00:0b 4103 /dev/__properties__ 40031000-40033000 rw-p 00000000 00:00 0 4006d000-40092000 r-xp 00000000 b3:1c 353 /system/bin/mksh 40092000-40093000 r--p 00000000 00:00 0 . . . 401c1000-401c4000 rw-p 0004a000 b3:1c 1704 /system/lib/libc.so 401c4000-401d2000 rw-p 00000000 00:00 0 4030e000-40319000 rw-p 00000000 00:00 0 [heap] bef49000-bef6a000 rw-p 00000000 00:00 0 [stack] ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
-wx-wx-wx • In /arch/arm/kernel/entry-armv.S • At 0xffff0008, location of vector_swi is leaked by an LDR instruction. • loc_vector_swi = *(0xffff0008 + 8 + ((*0xffff0008) & 0xfff))) .LCvswi: .word vector_swi ... __vectors_start: ARM( swi SYS_ERROR0 ) THUMB( svc #0 ) THUMB( nop ) W(b) vector_und + stubs_offset W(ldr) pc, .LCvswi + stubs_offset W(b) vector_pabt + stubs_offset ... W(b) vector_fiq + stubs_offset .globl __vectors_end __vectors_end:
-wx-wx-wx • Symbol sys_call_table is always 3 symbols aways from vector_swi vector_swi __sys_trace __sys_trace_return __cr_alignment =>sys_call_table • All defined in /arch/arm/kernel/entry-common.S • loc_sys_call_table = loc_vector_swi + len(4 following stubs)
-wx-wx-wx • Length of vector_swi depends on: – CONFIG_OABI_COMPAT - Allow old ABI binaries to run with this kernel (EXPERIMENTAL) – CONFIG_SECCOMP - Enable seccomp to safely compute untrusted bytecode • In most cases both are set as N. • If set: – CONFIG_SECCOMP => 6 instructions, 24 bytes – CONFIG_OABI_COMPAT => More complex, 28 bytes
-wx-wx-wx • CONFIG_SECCOMP: PRCTL(PR_GET_SECCOMP, …) • CONFIG_OABI_COMPAT: sys_oabi_semop • Algorithm is simple – Set BASE_OFFSET – If (CONFIG_SECCOMP) BASE_OFFSET += 24 – If (CONFIG_OABI_COMPAT) BASE_OFFSET += 28 – Align – loc_sys_call_table = loc_vector_swi + BASE_OFFSET • Patch unused syscall entry and run shell code • Assuming no PXN or RO kernel text (True for most devices before 2014)
Conclusion • A good vulnerability • Hardcode-free exploitation • Fine tune => Decent coverage CVE-2013-6282, 42% Others, 58%
What’s next? • Root mitigation bypass – Samsung (STRICT_SEC) – Huawei fblock – Sony RIC • CVE-2015-3636 – How to root 107 phones again? – BH 2015 Ah! Universal Android Rooting is Back Present by Wen Xu
Thank you

Recommended

Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel BugsJiahong Fang
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisTamas K Lengyel
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
 
Back to the CORE
Back to the COREBack to the CORE
Back to the COREPeter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 

Recommended

Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel BugsJiahong Fang
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisTamas K Lengyel
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
 
Back to the CORE
Back to the COREBack to the CORE
Back to the COREPeter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLubomir Rintel
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxPositive Hack Days
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the CorePeter Hlavaty
 
Universal Userland
Universal UserlandUniversal Userland
Universal UserlandSean Chittenden
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
Kernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at FacebookKernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at FacebookAnne Nicolas
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?inaz2
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMPositive Hack Days
 
moscmy2016: Extending Docker
moscmy2016: Extending Dockermoscmy2016: Extending Docker
moscmy2016: Extending DockerMohammad Fairus Khalid
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisBuland Singh
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel CrashdumpMarian Marinov
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelAnne Nicolas
 
Generating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesGenerating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesJérôme KUNEGIS
 
i3 tiling window manager
i3 tiling window manageri3 tiling window manager
i3 tiling window manager穎睿 梁
 

More Related Content

What's hot

Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLubomir Rintel
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxPositive Hack Days
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
Kernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at FacebookKernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at FacebookAnne Nicolas
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?inaz2
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMPositive Hack Days
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisBuland Singh
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel CrashdumpMarian Marinov
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelAnne Nicolas
 

What's hot (20)

Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshop
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре Linux
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
Universal Userland
Universal UserlandUniversal Userland
Universal Userland
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
 
Kernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at FacebookKernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at Facebook
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
 
moscmy2016: Extending Docker
moscmy2016: Extending Dockermoscmy2016: Extending Docker
moscmy2016: Extending Docker
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and Analysis
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel Crashdump
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 

Viewers also liked

Generating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesGenerating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesJérôme KUNEGIS
 
i3 tiling window manager
i3 tiling window manageri3 tiling window manager
i3 tiling window manager穎睿 梁
 
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteLibra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteJeremy Haung
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsMoe Tanabian
 
ライブストリーミングの基礎知識
ライブストリーミングの基礎知識ライブストリーミングの基礎知識
ライブストリーミングの基礎知識kumaryu
 
インターネット生放送を支える技術としくみ2015年版
インターネット生放送を支える技術としくみ2015年版インターネット生放送を支える技術としくみ2015年版
インターネット生放送を支える技術としくみ2015年版Yusei Yamanaka
 

Viewers also liked (6)

Generating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesGenerating Networks with Arbitrary Properties
Generating Networks with Arbitrary Properties
 
i3 tiling window manager
i3 tiling window manageri3 tiling window manager
i3 tiling window manager
 
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteLibra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android Apps
 
ライブストリーミングの基礎知識
ライブストリーミングの基礎知識ライブストリーミングの基礎知識
ライブストリーミングの基礎知識
 
インターネット生放送を支える技術としくみ2015年版
インターネット生放送を支える技術としくみ2015年版インターネット生放送を支える技術としくみ2015年版
インターネット生放送を支える技術としくみ2015年版
 

Similar to How to Root 10 Million Phones with One Exploit

Linux Perf Tools
Linux Perf ToolsLinux Perf Tools
Linux Perf ToolsRaj Pandey
 
Open Source Systems Performance
Open Source Systems PerformanceOpen Source Systems Performance
Open Source Systems PerformanceBrendan Gregg
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
Linux Performance Tools 2014
Linux Performance Tools 2014Linux Performance Tools 2014
Linux Performance Tools 2014Brendan Gregg
 
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation CenterDUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation CenterAndrey Kudryavtsev
 
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"Daniel Bryant
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全維泰 蔡
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsQUONTRASOLUTIONS
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
ETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupRafal Kwasny
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsBrendan Gregg
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceBrendan Gregg
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Vincent Batts
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016Brendan Gregg
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022Stefano Stabellini
 

Similar to How to Root 10 Million Phones with One Exploit (20)

Linux Perf Tools
Linux Perf ToolsLinux Perf Tools
Linux Perf Tools
 
Open Source Systems Performance
Open Source Systems PerformanceOpen Source Systems Performance
Open Source Systems Performance
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Linux Performance Tools 2014
Linux Performance Tools 2014Linux Performance Tools 2014
Linux Performance Tools 2014
 
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation CenterDUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center
 
Docker
DockerDocker
Docker
 
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra Solutions
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
ETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetup
 
Hotsos Advanced Linux Tools
Hotsos Advanced Linux ToolsHotsos Advanced Linux Tools
Hotsos Advanced Linux Tools
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems Performance
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle Hailey
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
 

Recently uploaded

%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfonteinmasabamasaba
 
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedDelhi Call girls
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfVishalKumarJha10
 
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456KiaraTiradoMicha
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 

Recently uploaded (20)

%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 

How to Root 10 Million Phones with One Exploit

  • 1. How to Root 107 Phones with One Exploit James Fang
  • 2. About Me • Root guy of Keen Team – With support from the whole team • Responsible for many PHA (root) application – Pingpong Root – Mate 7 Root – KingRoot and SDK (with KR team)
  • 3. Why Root? • Fun – Xposed, Greenify, etc – New ideas from community (XDA, Gfan) – Full control over your device • Secured – Root manger – Additional exploit mitigation
  • 4. Android Root (History) • 2008: T-Mobile G1 hidden root console – Run terminal emulator app – Launches telnetd as root • Feature vs. bug Trying 192.168.0.88... Connected to 192.168.0.88. Escape character is '^]'. # id uid=0(root) gid=0(root) # cd proc # cat version Linux version 2.6.25-01843-gfea26b0 (android-build@apa27.mtv.corp.google.com) (gcc version 4.2.1) #6 PREEMPT Mon Oct 6 14:13:36 PDT 2008
  • 6. Android Root (History) • OTA – Volez by Zinx – Improper parsing of signed update zip file – Master Key vulnerability “family” • Cydia impactor • system->root
  • 7. Android Root (History) • Daemon – setuid failure – Shared memroy – Memory corruption • GingerBreak • zergRush – File perms & symlinks  • Many were there in init.rc
  • 8. Android Root (History) • Kernel – Wunderbar/asroot – FramaRoot by alphzain • /dev/exynosmem • /dev/exynosmem (again :D) – CVE-2013-6282 – towelroot – …
  • 9. How to Cook Root
  • 10. Compounds • Vulnerability & Exploit – Attack surface – In kernel/privileged process • Mitigation Bypass – SELinux – Root mitigation (Samsung) – (NAND)? write protection ( to reach kernel)
  • 13. Challenges • Manufacturers and models – Kernel behaviors (syscall?) – Root mitigation • Same model, different ROM – Kernel symbol locations – Structures, offsets • Device database? – Not the best solution
  • 14. A Case Study (Early 2014) • CVE-2013-6282 – put_user/get_user – Lack of boundary check • Read & write – ptrace->put_user->write anywhere – setsockopt->get_user->read anywhere • Targeting all ARMv6+ (by getsockopt)
  • 15. A Case Study (Early 2014) • “Perfect vulnerability” • Thinking of these problems: – Achieve root with read & write – Achieve root with write only – Without device database – SELinux (Nexus and Samsung) • “Write-only” bugs are quite common
  • 16. DKOM • Direct Kernel Object Manipulation • Straight forward when we have R/W • Our goal – Get root uid/gid – Get full capabilities – Get u:r:init:s0 – Patch SELinux policy – Patch/bypass root mitigations • Where are the “objects”?
  • 17. DKOM • Task information – struct thread_info => on kernel stack – struct task_struct => in heap – thread_info.task -> task_struct • Leak SP (towelroot) • Search and manipulate – Useful when code execution is inconvenient
  • 18. DKOM
  • 19. DKOM • init_task leads to the doubly-linked list • Usually a symbol in kallsyms – We don’t have root yet • Any pattern? • In /arch/arm/kernel/init_task.c – struct task_struct init_task = INIT_TASK(init_task); (take ARM32 as an example)
  • 20. DKOM • Always starts with this pattern: – .state => unknown – .stack => 2-page (8K) aligned address – .usage => 0x2 – .flags => 0x200000 • Search range? – /proc/iomem
  • 21. DKOM • Next: offset of tasks • Structure definition: • For all modern multi-core phones, CONFIG_SMP is always ‘y’ struct task_struct { volatile long state; void *stack; ... struct list_head tasks; #ifdef CONFIG_SMP struct plist_node pushable_tasks; #endif
  • 22. DKOM • Check init_task.h, list.h and plist.h in /include/linux • tasks + pushable_tasks looks like: – Two kernel pointers – 0x0000008c – Two kernel pointers • Good anchor once we located init_task
  • 23. DKOM • How to identify my process? – Random string => char comm[TASK_COMM_LEN] – Anchor to identify task – It will also find task->cred for you  const struct cred __rcu *cred; struct cred *replacement_session_keyring; char comm[TASK_COMM_LEN];
  • 24. DKOM • So now we have: – init_task – Traverse task list for any task – Identify task by comm – Offset of task->cred • struct cred is simple and easy? – For uid/gid – How about u:r:init:s0?
  • 25. DKOM • sid <=> SELinux context • 1 <=> u:r:kernel:s0 • ?? <=> u:r:init:s0 • Two approaches – untrusted/shell => kernel => init • Policy may block it – Set sid directly • Look for “init” task 
  • 26. -wx-wx-wx • But what if only write anywhere is possible? • Real example: – Broadcom /dev/uio1 – ioctl: Write a string to given address – How to exploit? • Overwrite syscall table and run shell code?
  • 27. -wx-wx-wx • Interesting entry in process map: • What’s inside? shell@test:/ $ cat /proc/self/maps 40000000-40020000 r--s 00000000 00:0b 4103 /dev/__properties__ 40031000-40033000 rw-p 00000000 00:00 0 4006d000-40092000 r-xp 00000000 b3:1c 353 /system/bin/mksh 40092000-40093000 r--p 00000000 00:00 0 . . . 401c1000-401c4000 rw-p 0004a000 b3:1c 1704 /system/lib/libc.so 401c4000-401d2000 rw-p 00000000 00:00 0 4030e000-40319000 rw-p 00000000 00:00 0 [heap] bef49000-bef6a000 rw-p 00000000 00:00 0 [stack] ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
  • 28. -wx-wx-wx • In /arch/arm/kernel/entry-armv.S • At 0xffff0008, location of vector_swi is leaked by an LDR instruction. • loc_vector_swi = *(0xffff0008 + 8 + ((*0xffff0008) & 0xfff))) .LCvswi: .word vector_swi ... __vectors_start: ARM( swi SYS_ERROR0 ) THUMB( svc #0 ) THUMB( nop ) W(b) vector_und + stubs_offset W(ldr) pc, .LCvswi + stubs_offset W(b) vector_pabt + stubs_offset ... W(b) vector_fiq + stubs_offset .globl __vectors_end __vectors_end:
  • 29. -wx-wx-wx • Symbol sys_call_table is always 3 symbols aways from vector_swi vector_swi __sys_trace __sys_trace_return __cr_alignment =>sys_call_table • All defined in /arch/arm/kernel/entry-common.S • loc_sys_call_table = loc_vector_swi + len(4 following stubs)
  • 30. -wx-wx-wx • Length of vector_swi depends on: – CONFIG_OABI_COMPAT - Allow old ABI binaries to run with this kernel (EXPERIMENTAL) – CONFIG_SECCOMP - Enable seccomp to safely compute untrusted bytecode • In most cases both are set as N. • If set: – CONFIG_SECCOMP => 6 instructions, 24 bytes – CONFIG_OABI_COMPAT => More complex, 28 bytes
  • 31. -wx-wx-wx • CONFIG_SECCOMP: PRCTL(PR_GET_SECCOMP, …) • CONFIG_OABI_COMPAT: sys_oabi_semop • Algorithm is simple – Set BASE_OFFSET – If (CONFIG_SECCOMP) BASE_OFFSET += 24 – If (CONFIG_OABI_COMPAT) BASE_OFFSET += 28 – Align – loc_sys_call_table = loc_vector_swi + BASE_OFFSET • Patch unused syscall entry and run shell code • Assuming no PXN or RO kernel text (True for most devices before 2014)
  • 32. Conclusion • A good vulnerability • Hardcode-free exploitation • Fine tune => Decent coverage CVE-2013-6282, 42% Others, 58%
  • 33. What’s next? • Root mitigation bypass – Samsung (STRICT_SEC) – Huawei fblock – Sony RIC • CVE-2015-3636 – How to root 107 phones again? – BH 2015 Ah! Universal Android Rooting is Back Present by Wen Xu