SlideShare une entreprise Scribd logo

How to Root 10 Million Phones with One Exploit

Jiahong Fang
Jiahong Fang

How to Root 10 Million Phones with One Exploit

Logiciels
1  sur  34
Télécharger pour lire hors ligne
How to Root 107 Phones with One Exploit James Fang
About Me • Root guy of Keen Team – With support from the whole team • Responsible for many PHA (root) application – Pingpong Root – Mate 7 Root – KingRoot and SDK (with KR team)
Why Root? • Fun – Xposed, Greenify, etc – New ideas from community (XDA, Gfan) – Full control over your device • Secured – Root manger – Additional exploit mitigation
Android Root (History) • 2008: T-Mobile G1 hidden root console – Run terminal emulator app – Launches telnetd as root • Feature vs. bug Trying 192.168.0.88... Connected to 192.168.0.88. Escape character is '^]'. # id uid=0(root) gid=0(root) # cd proc # cat version Linux version 2.6.25-01843-gfea26b0 (android-build@apa27.mtv.corp.google.com) (gcc version 4.2.1) #6 PREEMPT Mon Oct 6 14:13:36 PDT 2008
Android Root (History) Root shell / app_uid
Android Root (History) • OTA – Volez by Zinx – Improper parsing of signed update zip file – Master Key vulnerability “family” • Cydia impactor • system->root
Android Root (History) • Daemon – setuid failure – Shared memroy – Memory corruption • GingerBreak • zergRush – File perms & symlinks  • Many were there in init.rc
Android Root (History) • Kernel – Wunderbar/asroot – FramaRoot by alphzain • /dev/exynosmem • /dev/exynosmem (again :D) – CVE-2013-6282 – towelroot – …
How to Cook Root
Compounds • Vulnerability & Exploit – Attack surface – In kernel/privileged process • Mitigation Bypass – SELinux – Root mitigation (Samsung) – (NAND)? write protection ( to reach kernel)
Challenges
Challenges
Challenges • Manufacturers and models – Kernel behaviors (syscall?) – Root mitigation • Same model, different ROM – Kernel symbol locations – Structures, offsets • Device database? – Not the best solution
A Case Study (Early 2014) • CVE-2013-6282 – put_user/get_user – Lack of boundary check • Read & write – ptrace->put_user->write anywhere – setsockopt->get_user->read anywhere • Targeting all ARMv6+ (by getsockopt)
A Case Study (Early 2014) • “Perfect vulnerability” • Thinking of these problems: – Achieve root with read & write – Achieve root with write only – Without device database – SELinux (Nexus and Samsung) • “Write-only” bugs are quite common
DKOM • Direct Kernel Object Manipulation • Straight forward when we have R/W • Our goal – Get root uid/gid – Get full capabilities – Get u:r:init:s0 – Patch SELinux policy – Patch/bypass root mitigations • Where are the “objects”?
DKOM • Task information – struct thread_info => on kernel stack – struct task_struct => in heap – thread_info.task -> task_struct • Leak SP (towelroot) • Search and manipulate – Useful when code execution is inconvenient
DKOM
DKOM • init_task leads to the doubly-linked list • Usually a symbol in kallsyms – We don’t have root yet • Any pattern? • In /arch/arm/kernel/init_task.c – struct task_struct init_task = INIT_TASK(init_task); (take ARM32 as an example)
DKOM • Always starts with this pattern: – .state => unknown – .stack => 2-page (8K) aligned address – .usage => 0x2 – .flags => 0x200000 • Search range? – /proc/iomem
DKOM • Next: offset of tasks • Structure definition: • For all modern multi-core phones, CONFIG_SMP is always ‘y’ struct task_struct { volatile long state; void *stack; ... struct list_head tasks; #ifdef CONFIG_SMP struct plist_node pushable_tasks; #endif
DKOM • Check init_task.h, list.h and plist.h in /include/linux • tasks + pushable_tasks looks like: – Two kernel pointers – 0x0000008c – Two kernel pointers • Good anchor once we located init_task
DKOM • How to identify my process? – Random string => char comm[TASK_COMM_LEN] – Anchor to identify task – It will also find task->cred for you  const struct cred __rcu *cred; struct cred *replacement_session_keyring; char comm[TASK_COMM_LEN];
DKOM • So now we have: – init_task – Traverse task list for any task – Identify task by comm – Offset of task->cred • struct cred is simple and easy? – For uid/gid – How about u:r:init:s0?
DKOM • sid <=> SELinux context • 1 <=> u:r:kernel:s0 • ?? <=> u:r:init:s0 • Two approaches – untrusted/shell => kernel => init • Policy may block it – Set sid directly • Look for “init” task 
-wx-wx-wx • But what if only write anywhere is possible? • Real example: – Broadcom /dev/uio1 – ioctl: Write a string to given address – How to exploit? • Overwrite syscall table and run shell code?
-wx-wx-wx • Interesting entry in process map: • What’s inside? shell@test:/ $ cat /proc/self/maps 40000000-40020000 r--s 00000000 00:0b 4103 /dev/__properties__ 40031000-40033000 rw-p 00000000 00:00 0 4006d000-40092000 r-xp 00000000 b3:1c 353 /system/bin/mksh 40092000-40093000 r--p 00000000 00:00 0 . . . 401c1000-401c4000 rw-p 0004a000 b3:1c 1704 /system/lib/libc.so 401c4000-401d2000 rw-p 00000000 00:00 0 4030e000-40319000 rw-p 00000000 00:00 0 [heap] bef49000-bef6a000 rw-p 00000000 00:00 0 [stack] ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
-wx-wx-wx • In /arch/arm/kernel/entry-armv.S • At 0xffff0008, location of vector_swi is leaked by an LDR instruction. • loc_vector_swi = *(0xffff0008 + 8 + ((*0xffff0008) & 0xfff))) .LCvswi: .word vector_swi ... __vectors_start: ARM( swi SYS_ERROR0 ) THUMB( svc #0 ) THUMB( nop ) W(b) vector_und + stubs_offset W(ldr) pc, .LCvswi + stubs_offset W(b) vector_pabt + stubs_offset ... W(b) vector_fiq + stubs_offset .globl __vectors_end __vectors_end:
-wx-wx-wx • Symbol sys_call_table is always 3 symbols aways from vector_swi vector_swi __sys_trace __sys_trace_return __cr_alignment =>sys_call_table • All defined in /arch/arm/kernel/entry-common.S • loc_sys_call_table = loc_vector_swi + len(4 following stubs)
-wx-wx-wx • Length of vector_swi depends on: – CONFIG_OABI_COMPAT - Allow old ABI binaries to run with this kernel (EXPERIMENTAL) – CONFIG_SECCOMP - Enable seccomp to safely compute untrusted bytecode • In most cases both are set as N. • If set: – CONFIG_SECCOMP => 6 instructions, 24 bytes – CONFIG_OABI_COMPAT => More complex, 28 bytes
-wx-wx-wx • CONFIG_SECCOMP: PRCTL(PR_GET_SECCOMP, …) • CONFIG_OABI_COMPAT: sys_oabi_semop • Algorithm is simple – Set BASE_OFFSET – If (CONFIG_SECCOMP) BASE_OFFSET += 24 – If (CONFIG_OABI_COMPAT) BASE_OFFSET += 28 – Align – loc_sys_call_table = loc_vector_swi + BASE_OFFSET • Patch unused syscall entry and run shell code • Assuming no PXN or RO kernel text (True for most devices before 2014)
Conclusion • A good vulnerability • Hardcode-free exploitation • Fine tune => Decent coverage CVE-2013-6282, 42% Others, 58%
What’s next? • Root mitigation bypass – Samsung (STRICT_SEC) – Huawei fblock – Sony RIC • CVE-2015-3636 – How to root 107 phones again? – BH 2015 Ah! Universal Android Rooting is Back Present by Wen Xu
Thank you

Recommandé

Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel Bugs
Jiahong Fang
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
Tamas K Lengyel
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
Peter Hlavaty
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
Peter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
Peter Hlavaty
 

Recommandé

Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel Bugs
Jiahong Fang
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
Tamas K Lengyel
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
Peter Hlavaty
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
Peter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
Peter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
Peter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshop
Lubomir Rintel
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре Linux
Positive Hack Days
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
Peter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
Peter Hlavaty
 
Universal Userland
Universal UserlandUniversal Userland
Universal Userland
Sean Chittenden
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
Jen Andre
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Anne Nicolas
 
Kernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at FacebookKernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at Facebook
Anne Nicolas
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?
inaz2
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
Positive Hack Days
 
moscmy2016: Extending Docker
moscmy2016: Extending Dockermoscmy2016: Extending Docker
moscmy2016: Extending Docker
Mohammad Fairus Khalid
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
Buland Singh
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and Analysis
Paul V. Novarese
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel Crashdump
Marian Marinov
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
kozossakai
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Anne Nicolas
 
Generating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesGenerating Networks with Arbitrary Properties
Generating Networks with Arbitrary Properties
Jérôme KUNEGIS
 
i3 tiling window manager
i3 tiling window manageri3 tiling window manager
i3 tiling window manager
穎睿 梁
 

Contenu connexe

Tendances

DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
Jen Andre
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Anne Nicolas
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
Buland Singh
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
kozossakai
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Anne Nicolas
 

Tendances (20)

Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshop
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре Linux
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
Universal Userland
Universal UserlandUniversal Userland
Universal Userland
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
 
Kernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at FacebookKernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at Facebook
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
 
moscmy2016: Extending Docker
moscmy2016: Extending Dockermoscmy2016: Extending Docker
moscmy2016: Extending Docker
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and Analysis
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel Crashdump
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 

En vedette

Generating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesGenerating Networks with Arbitrary Properties
Generating Networks with Arbitrary Properties
Jérôme KUNEGIS
 
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteLibra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Jeremy Haung
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android Apps
Moe Tanabian
 
ライブストリーミングの基礎知識
ライブストリーミングの基礎知識ライブストリーミングの基礎知識
ライブストリーミングの基礎知識
kumaryu
 

En vedette (6)

Generating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesGenerating Networks with Arbitrary Properties
Generating Networks with Arbitrary Properties
 
i3 tiling window manager
i3 tiling window manageri3 tiling window manager
i3 tiling window manager
 
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteLibra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android Apps
 
ライブストリーミングの基礎知識
ライブストリーミングの基礎知識ライブストリーミングの基礎知識
ライブストリーミングの基礎知識
 
インターネット生放送を支える技術としくみ2015年版
インターネット生放送を支える技術としくみ2015年版インターネット生放送を支える技術としくみ2015年版
インターネット生放送を支える技術としくみ2015年版
 

Similaire à How to Root 10 Million Phones with One Exploit

Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
Logicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
Yury Chemerkin
 
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
Daniel Bryant
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra Solutions
QUONTRASOLUTIONS
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems Performance
Brendan Gregg
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016
Brendan Gregg
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
Stefano Stabellini
 

Similaire à How to Root 10 Million Phones with One Exploit (20)

Linux Perf Tools
Linux Perf ToolsLinux Perf Tools
Linux Perf Tools
 
Open Source Systems Performance
Open Source Systems PerformanceOpen Source Systems Performance
Open Source Systems Performance
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Linux Performance Tools 2014
Linux Performance Tools 2014Linux Performance Tools 2014
Linux Performance Tools 2014
 
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation CenterDUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center
 
Docker
DockerDocker
Docker
 
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra Solutions
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
ETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetup
 
Hotsos Advanced Linux Tools
Hotsos Advanced Linux ToolsHotsos Advanced Linux Tools
Hotsos Advanced Linux Tools
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems Performance
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle Hailey
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
 

Dernier

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Nitya salvi
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 

Dernier (20)

%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 

How to Root 10 Million Phones with One Exploit

  • 1. How to Root 107 Phones with One Exploit James Fang
  • 2. About Me • Root guy of Keen Team – With support from the whole team • Responsible for many PHA (root) application – Pingpong Root – Mate 7 Root – KingRoot and SDK (with KR team)
  • 3. Why Root? • Fun – Xposed, Greenify, etc – New ideas from community (XDA, Gfan) – Full control over your device • Secured – Root manger – Additional exploit mitigation
  • 4. Android Root (History) • 2008: T-Mobile G1 hidden root console – Run terminal emulator app – Launches telnetd as root • Feature vs. bug Trying 192.168.0.88... Connected to 192.168.0.88. Escape character is '^]'. # id uid=0(root) gid=0(root) # cd proc # cat version Linux version 2.6.25-01843-gfea26b0 (android-build@apa27.mtv.corp.google.com) (gcc version 4.2.1) #6 PREEMPT Mon Oct 6 14:13:36 PDT 2008
  • 6. Android Root (History) • OTA – Volez by Zinx – Improper parsing of signed update zip file – Master Key vulnerability “family” • Cydia impactor • system->root
  • 7. Android Root (History) • Daemon – setuid failure – Shared memroy – Memory corruption • GingerBreak • zergRush – File perms & symlinks  • Many were there in init.rc
  • 8. Android Root (History) • Kernel – Wunderbar/asroot – FramaRoot by alphzain • /dev/exynosmem • /dev/exynosmem (again :D) – CVE-2013-6282 – towelroot – …
  • 9. How to Cook Root
  • 10. Compounds • Vulnerability & Exploit – Attack surface – In kernel/privileged process • Mitigation Bypass – SELinux – Root mitigation (Samsung) – (NAND)? write protection ( to reach kernel)
  • 13. Challenges • Manufacturers and models – Kernel behaviors (syscall?) – Root mitigation • Same model, different ROM – Kernel symbol locations – Structures, offsets • Device database? – Not the best solution
  • 14. A Case Study (Early 2014) • CVE-2013-6282 – put_user/get_user – Lack of boundary check • Read & write – ptrace->put_user->write anywhere – setsockopt->get_user->read anywhere • Targeting all ARMv6+ (by getsockopt)
  • 15. A Case Study (Early 2014) • “Perfect vulnerability” • Thinking of these problems: – Achieve root with read & write – Achieve root with write only – Without device database – SELinux (Nexus and Samsung) • “Write-only” bugs are quite common
  • 16. DKOM • Direct Kernel Object Manipulation • Straight forward when we have R/W • Our goal – Get root uid/gid – Get full capabilities – Get u:r:init:s0 – Patch SELinux policy – Patch/bypass root mitigations • Where are the “objects”?
  • 17. DKOM • Task information – struct thread_info => on kernel stack – struct task_struct => in heap – thread_info.task -> task_struct • Leak SP (towelroot) • Search and manipulate – Useful when code execution is inconvenient
  • 18. DKOM
  • 19. DKOM • init_task leads to the doubly-linked list • Usually a symbol in kallsyms – We don’t have root yet • Any pattern? • In /arch/arm/kernel/init_task.c – struct task_struct init_task = INIT_TASK(init_task); (take ARM32 as an example)
  • 20. DKOM • Always starts with this pattern: – .state => unknown – .stack => 2-page (8K) aligned address – .usage => 0x2 – .flags => 0x200000 • Search range? – /proc/iomem
  • 21. DKOM • Next: offset of tasks • Structure definition: • For all modern multi-core phones, CONFIG_SMP is always ‘y’ struct task_struct { volatile long state; void *stack; ... struct list_head tasks; #ifdef CONFIG_SMP struct plist_node pushable_tasks; #endif
  • 22. DKOM • Check init_task.h, list.h and plist.h in /include/linux • tasks + pushable_tasks looks like: – Two kernel pointers – 0x0000008c – Two kernel pointers • Good anchor once we located init_task
  • 23. DKOM • How to identify my process? – Random string => char comm[TASK_COMM_LEN] – Anchor to identify task – It will also find task->cred for you  const struct cred __rcu *cred; struct cred *replacement_session_keyring; char comm[TASK_COMM_LEN];
  • 24. DKOM • So now we have: – init_task – Traverse task list for any task – Identify task by comm – Offset of task->cred • struct cred is simple and easy? – For uid/gid – How about u:r:init:s0?
  • 25. DKOM • sid <=> SELinux context • 1 <=> u:r:kernel:s0 • ?? <=> u:r:init:s0 • Two approaches – untrusted/shell => kernel => init • Policy may block it – Set sid directly • Look for “init” task 
  • 26. -wx-wx-wx • But what if only write anywhere is possible? • Real example: – Broadcom /dev/uio1 – ioctl: Write a string to given address – How to exploit? • Overwrite syscall table and run shell code?
  • 27. -wx-wx-wx • Interesting entry in process map: • What’s inside? shell@test:/ $ cat /proc/self/maps 40000000-40020000 r--s 00000000 00:0b 4103 /dev/__properties__ 40031000-40033000 rw-p 00000000 00:00 0 4006d000-40092000 r-xp 00000000 b3:1c 353 /system/bin/mksh 40092000-40093000 r--p 00000000 00:00 0 . . . 401c1000-401c4000 rw-p 0004a000 b3:1c 1704 /system/lib/libc.so 401c4000-401d2000 rw-p 00000000 00:00 0 4030e000-40319000 rw-p 00000000 00:00 0 [heap] bef49000-bef6a000 rw-p 00000000 00:00 0 [stack] ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
  • 28. -wx-wx-wx • In /arch/arm/kernel/entry-armv.S • At 0xffff0008, location of vector_swi is leaked by an LDR instruction. • loc_vector_swi = *(0xffff0008 + 8 + ((*0xffff0008) & 0xfff))) .LCvswi: .word vector_swi ... __vectors_start: ARM( swi SYS_ERROR0 ) THUMB( svc #0 ) THUMB( nop ) W(b) vector_und + stubs_offset W(ldr) pc, .LCvswi + stubs_offset W(b) vector_pabt + stubs_offset ... W(b) vector_fiq + stubs_offset .globl __vectors_end __vectors_end:
  • 29. -wx-wx-wx • Symbol sys_call_table is always 3 symbols aways from vector_swi vector_swi __sys_trace __sys_trace_return __cr_alignment =>sys_call_table • All defined in /arch/arm/kernel/entry-common.S • loc_sys_call_table = loc_vector_swi + len(4 following stubs)
  • 30. -wx-wx-wx • Length of vector_swi depends on: – CONFIG_OABI_COMPAT - Allow old ABI binaries to run with this kernel (EXPERIMENTAL) – CONFIG_SECCOMP - Enable seccomp to safely compute untrusted bytecode • In most cases both are set as N. • If set: – CONFIG_SECCOMP => 6 instructions, 24 bytes – CONFIG_OABI_COMPAT => More complex, 28 bytes
  • 31. -wx-wx-wx • CONFIG_SECCOMP: PRCTL(PR_GET_SECCOMP, …) • CONFIG_OABI_COMPAT: sys_oabi_semop • Algorithm is simple – Set BASE_OFFSET – If (CONFIG_SECCOMP) BASE_OFFSET += 24 – If (CONFIG_OABI_COMPAT) BASE_OFFSET += 28 – Align – loc_sys_call_table = loc_vector_swi + BASE_OFFSET • Patch unused syscall entry and run shell code • Assuming no PXN or RO kernel text (True for most devices before 2014)
  • 32. Conclusion • A good vulnerability • Hardcode-free exploitation • Fine tune => Decent coverage CVE-2013-6282, 42% Others, 58%
  • 33. What’s next? • Root mitigation bypass – Samsung (STRICT_SEC) – Huawei fblock – Sony RIC • CVE-2015-3636 – How to root 107 phones again? – BH 2015 Ah! Universal Android Rooting is Back Present by Wen Xu