SlideShare une entreprise Scribd logo

How to Root 10 Million Phones with One Exploit

Jiahong Fang
Jiahong Fang

How to Root 10 Million Phones with One Exploit

Logiciels
1  sur  34
Télécharger pour lire hors ligne
How to Root 107 Phones with One Exploit James Fang
About Me • Root guy of Keen Team – With support from the whole team • Responsible for many PHA (root) application – Pingpong Root – Mate 7 Root – KingRoot and SDK (with KR team)
Why Root? • Fun – Xposed, Greenify, etc – New ideas from community (XDA, Gfan) – Full control over your device • Secured – Root manger – Additional exploit mitigation
Android Root (History) • 2008: T-Mobile G1 hidden root console – Run terminal emulator app – Launches telnetd as root • Feature vs. bug Trying 192.168.0.88... Connected to 192.168.0.88. Escape character is '^]'. # id uid=0(root) gid=0(root) # cd proc # cat version Linux version 2.6.25-01843-gfea26b0 (android-build@apa27.mtv.corp.google.com) (gcc version 4.2.1) #6 PREEMPT Mon Oct 6 14:13:36 PDT 2008
Android Root (History) Root shell / app_uid
Android Root (History) • OTA – Volez by Zinx – Improper parsing of signed update zip file – Master Key vulnerability “family” • Cydia impactor • system->root
Android Root (History) • Daemon – setuid failure – Shared memroy – Memory corruption • GingerBreak • zergRush – File perms & symlinks  • Many were there in init.rc
Android Root (History) • Kernel – Wunderbar/asroot – FramaRoot by alphzain • /dev/exynosmem • /dev/exynosmem (again :D) – CVE-2013-6282 – towelroot – …
How to Cook Root
Compounds • Vulnerability & Exploit – Attack surface – In kernel/privileged process • Mitigation Bypass – SELinux – Root mitigation (Samsung) – (NAND)? write protection ( to reach kernel)
Challenges
Challenges
Challenges • Manufacturers and models – Kernel behaviors (syscall?) – Root mitigation • Same model, different ROM – Kernel symbol locations – Structures, offsets • Device database? – Not the best solution
A Case Study (Early 2014) • CVE-2013-6282 – put_user/get_user – Lack of boundary check • Read & write – ptrace->put_user->write anywhere – setsockopt->get_user->read anywhere • Targeting all ARMv6+ (by getsockopt)
A Case Study (Early 2014) • “Perfect vulnerability” • Thinking of these problems: – Achieve root with read & write – Achieve root with write only – Without device database – SELinux (Nexus and Samsung) • “Write-only” bugs are quite common
DKOM • Direct Kernel Object Manipulation • Straight forward when we have R/W • Our goal – Get root uid/gid – Get full capabilities – Get u:r:init:s0 – Patch SELinux policy – Patch/bypass root mitigations • Where are the “objects”?
DKOM • Task information – struct thread_info => on kernel stack – struct task_struct => in heap – thread_info.task -> task_struct • Leak SP (towelroot) • Search and manipulate – Useful when code execution is inconvenient
DKOM
DKOM • init_task leads to the doubly-linked list • Usually a symbol in kallsyms – We don’t have root yet • Any pattern? • In /arch/arm/kernel/init_task.c – struct task_struct init_task = INIT_TASK(init_task); (take ARM32 as an example)
DKOM • Always starts with this pattern: – .state => unknown – .stack => 2-page (8K) aligned address – .usage => 0x2 – .flags => 0x200000 • Search range? – /proc/iomem
DKOM • Next: offset of tasks • Structure definition: • For all modern multi-core phones, CONFIG_SMP is always ‘y’ struct task_struct { volatile long state; void *stack; ... struct list_head tasks; #ifdef CONFIG_SMP struct plist_node pushable_tasks; #endif
DKOM • Check init_task.h, list.h and plist.h in /include/linux • tasks + pushable_tasks looks like: – Two kernel pointers – 0x0000008c – Two kernel pointers • Good anchor once we located init_task
DKOM • How to identify my process? – Random string => char comm[TASK_COMM_LEN] – Anchor to identify task – It will also find task->cred for you  const struct cred __rcu *cred; struct cred *replacement_session_keyring; char comm[TASK_COMM_LEN];
DKOM • So now we have: – init_task – Traverse task list for any task – Identify task by comm – Offset of task->cred • struct cred is simple and easy? – For uid/gid – How about u:r:init:s0?
DKOM • sid <=> SELinux context • 1 <=> u:r:kernel:s0 • ?? <=> u:r:init:s0 • Two approaches – untrusted/shell => kernel => init • Policy may block it – Set sid directly • Look for “init” task 
-wx-wx-wx • But what if only write anywhere is possible? • Real example: – Broadcom /dev/uio1 – ioctl: Write a string to given address – How to exploit? • Overwrite syscall table and run shell code?
-wx-wx-wx • Interesting entry in process map: • What’s inside? shell@test:/ $ cat /proc/self/maps 40000000-40020000 r--s 00000000 00:0b 4103 /dev/__properties__ 40031000-40033000 rw-p 00000000 00:00 0 4006d000-40092000 r-xp 00000000 b3:1c 353 /system/bin/mksh 40092000-40093000 r--p 00000000 00:00 0 . . . 401c1000-401c4000 rw-p 0004a000 b3:1c 1704 /system/lib/libc.so 401c4000-401d2000 rw-p 00000000 00:00 0 4030e000-40319000 rw-p 00000000 00:00 0 [heap] bef49000-bef6a000 rw-p 00000000 00:00 0 [stack] ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
-wx-wx-wx • In /arch/arm/kernel/entry-armv.S • At 0xffff0008, location of vector_swi is leaked by an LDR instruction. • loc_vector_swi = *(0xffff0008 + 8 + ((*0xffff0008) & 0xfff))) .LCvswi: .word vector_swi ... __vectors_start: ARM( swi SYS_ERROR0 ) THUMB( svc #0 ) THUMB( nop ) W(b) vector_und + stubs_offset W(ldr) pc, .LCvswi + stubs_offset W(b) vector_pabt + stubs_offset ... W(b) vector_fiq + stubs_offset .globl __vectors_end __vectors_end:
-wx-wx-wx • Symbol sys_call_table is always 3 symbols aways from vector_swi vector_swi __sys_trace __sys_trace_return __cr_alignment =>sys_call_table • All defined in /arch/arm/kernel/entry-common.S • loc_sys_call_table = loc_vector_swi + len(4 following stubs)
-wx-wx-wx • Length of vector_swi depends on: – CONFIG_OABI_COMPAT - Allow old ABI binaries to run with this kernel (EXPERIMENTAL) – CONFIG_SECCOMP - Enable seccomp to safely compute untrusted bytecode • In most cases both are set as N. • If set: – CONFIG_SECCOMP => 6 instructions, 24 bytes – CONFIG_OABI_COMPAT => More complex, 28 bytes
-wx-wx-wx • CONFIG_SECCOMP: PRCTL(PR_GET_SECCOMP, …) • CONFIG_OABI_COMPAT: sys_oabi_semop • Algorithm is simple – Set BASE_OFFSET – If (CONFIG_SECCOMP) BASE_OFFSET += 24 – If (CONFIG_OABI_COMPAT) BASE_OFFSET += 28 – Align – loc_sys_call_table = loc_vector_swi + BASE_OFFSET • Patch unused syscall entry and run shell code • Assuming no PXN or RO kernel text (True for most devices before 2014)
Conclusion • A good vulnerability • Hardcode-free exploitation • Fine tune => Decent coverage CVE-2013-6282, 42% Others, 58%
What’s next? • Root mitigation bypass – Samsung (STRICT_SEC) – Huawei fblock – Sony RIC • CVE-2015-3636 – How to root 107 phones again? – BH 2015 Ah! Universal Android Rooting is Back Present by Wen Xu
Thank you

Recommandé

Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel BugsJiahong Fang
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisTamas K Lengyel
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
 
Back to the CORE
Back to the COREBack to the CORE
Back to the COREPeter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 

Recommandé

Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel BugsJiahong Fang
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisTamas K Lengyel
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
 
Back to the CORE
Back to the COREBack to the CORE
Back to the COREPeter Hlavaty
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLubomir Rintel
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxPositive Hack Days
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the CorePeter Hlavaty
 
Universal Userland
Universal UserlandUniversal Userland
Universal UserlandSean Chittenden
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
Kernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at FacebookKernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at FacebookAnne Nicolas
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?inaz2
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMPositive Hack Days
 
moscmy2016: Extending Docker
moscmy2016: Extending Dockermoscmy2016: Extending Docker
moscmy2016: Extending DockerMohammad Fairus Khalid
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisBuland Singh
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel CrashdumpMarian Marinov
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelAnne Nicolas
 
Generating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesGenerating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesJérôme KUNEGIS
 
i3 tiling window manager
i3 tiling window manageri3 tiling window manager
i3 tiling window manager穎睿 梁
 

Contenu connexe

Tendances

Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLubomir Rintel
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxPositive Hack Days
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack awsJen Andre
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
Kernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at FacebookKernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at FacebookAnne Nicolas
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?inaz2
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMPositive Hack Days
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisBuland Singh
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisPaul V. Novarese
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel CrashdumpMarian Marinov
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelAnne Nicolas
 

Tendances (20)

Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Linux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshopLinux Kernel Debugging Essentials workshop
Linux Kernel Debugging Essentials workshop
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре Linux
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
Universal Userland
Universal UserlandUniversal Userland
Universal Userland
 
Threat stack aws
Threat stack awsThreat stack aws
Threat stack aws
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
 
Kernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at FacebookKernel Recipes 2019 - BPF at Facebook
Kernel Recipes 2019 - BPF at Facebook
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
 
moscmy2016: Extending Docker
moscmy2016: Extending Dockermoscmy2016: Extending Docker
moscmy2016: Extending Docker
 
Kernel_Crash_Dump_Analysis
Kernel_Crash_Dump_AnalysisKernel_Crash_Dump_Analysis
Kernel_Crash_Dump_Analysis
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
Linux Crash Dump Capture and Analysis
Linux Crash Dump Capture and AnalysisLinux Crash Dump Capture and Analysis
Linux Crash Dump Capture and Analysis
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel Crashdump
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 

En vedette

Generating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesGenerating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesJérôme KUNEGIS
 
i3 tiling window manager
i3 tiling window manageri3 tiling window manager
i3 tiling window manager穎睿 梁
 
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteLibra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteJeremy Haung
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsMoe Tanabian
 
ライブストリーミングの基礎知識
ライブストリーミングの基礎知識ライブストリーミングの基礎知識
ライブストリーミングの基礎知識kumaryu
 
インターネット生放送を支える技術としくみ2015年版
インターネット生放送を支える技術としくみ2015年版インターネット生放送を支える技術としくみ2015年版
インターネット生放送を支える技術としくみ2015年版Yusei Yamanaka
 

En vedette (6)

Generating Networks with Arbitrary Properties
Generating Networks with Arbitrary PropertiesGenerating Networks with Arbitrary Properties
Generating Networks with Arbitrary Properties
 
i3 tiling window manager
i3 tiling window manageri3 tiling window manager
i3 tiling window manager
 
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory OverwriteLibra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
Libra : A Compatible Method for Defending Against Arbitrary Memory Overwrite
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android Apps
 
ライブストリーミングの基礎知識
ライブストリーミングの基礎知識ライブストリーミングの基礎知識
ライブストリーミングの基礎知識
 
インターネット生放送を支える技術としくみ2015年版
インターネット生放送を支える技術としくみ2015年版インターネット生放送を支える技術としくみ2015年版
インターネット生放送を支える技術としくみ2015年版
 

Similaire à How to Root 10 Million Phones with One Exploit

Linux Perf Tools
Linux Perf ToolsLinux Perf Tools
Linux Perf ToolsRaj Pandey
 
Open Source Systems Performance
Open Source Systems PerformanceOpen Source Systems Performance
Open Source Systems PerformanceBrendan Gregg
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
Linux Performance Tools 2014
Linux Performance Tools 2014Linux Performance Tools 2014
Linux Performance Tools 2014Brendan Gregg
 
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation CenterDUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation CenterAndrey Kudryavtsev
 
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"Daniel Bryant
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全維泰 蔡
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsQUONTRASOLUTIONS
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
ETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupRafal Kwasny
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsBrendan Gregg
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceBrendan Gregg
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Vincent Batts
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016Brendan Gregg
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022Stefano Stabellini
 

Similaire à How to Root 10 Million Phones with One Exploit (20)

Linux Perf Tools
Linux Perf ToolsLinux Perf Tools
Linux Perf Tools
 
Open Source Systems Performance
Open Source Systems PerformanceOpen Source Systems Performance
Open Source Systems Performance
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Linux Performance Tools 2014
Linux Performance Tools 2014Linux Performance Tools 2014
Linux Performance Tools 2014
 
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation CenterDUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center
DUG'20: 12 - DAOS in Lenovo’s HPC Innovation Center
 
Docker
DockerDocker
Docker
 
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
J1 2015 "Debugging Java Apps in Containers: No Heavy Welding Gear Required"
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
Linux 系統管理與安全:進階系統管理系統防駭與資訊安全
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra Solutions
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
ETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetupETL with SPARK - First Spark London meetup
ETL with SPARK - First Spark London meetup
 
Hotsos Advanced Linux Tools
Hotsos Advanced Linux ToolsHotsos Advanced Linux Tools
Hotsos Advanced Linux Tools
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
 
YOW2020 Linux Systems Performance
YOW2020 Linux Systems PerformanceYOW2020 Linux Systems Performance
YOW2020 Linux Systems Performance
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle Hailey
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
 

Dernier

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 

Dernier (20)

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 

How to Root 10 Million Phones with One Exploit

  • 1. How to Root 107 Phones with One Exploit James Fang
  • 2. About Me • Root guy of Keen Team – With support from the whole team • Responsible for many PHA (root) application – Pingpong Root – Mate 7 Root – KingRoot and SDK (with KR team)
  • 3. Why Root? • Fun – Xposed, Greenify, etc – New ideas from community (XDA, Gfan) – Full control over your device • Secured – Root manger – Additional exploit mitigation
  • 4. Android Root (History) • 2008: T-Mobile G1 hidden root console – Run terminal emulator app – Launches telnetd as root • Feature vs. bug Trying 192.168.0.88... Connected to 192.168.0.88. Escape character is '^]'. # id uid=0(root) gid=0(root) # cd proc # cat version Linux version 2.6.25-01843-gfea26b0 (android-build@apa27.mtv.corp.google.com) (gcc version 4.2.1) #6 PREEMPT Mon Oct 6 14:13:36 PDT 2008
  • 6. Android Root (History) • OTA – Volez by Zinx – Improper parsing of signed update zip file – Master Key vulnerability “family” • Cydia impactor • system->root
  • 7. Android Root (History) • Daemon – setuid failure – Shared memroy – Memory corruption • GingerBreak • zergRush – File perms & symlinks  • Many were there in init.rc
  • 8. Android Root (History) • Kernel – Wunderbar/asroot – FramaRoot by alphzain • /dev/exynosmem • /dev/exynosmem (again :D) – CVE-2013-6282 – towelroot – …
  • 9. How to Cook Root
  • 10. Compounds • Vulnerability & Exploit – Attack surface – In kernel/privileged process • Mitigation Bypass – SELinux – Root mitigation (Samsung) – (NAND)? write protection ( to reach kernel)
  • 13. Challenges • Manufacturers and models – Kernel behaviors (syscall?) – Root mitigation • Same model, different ROM – Kernel symbol locations – Structures, offsets • Device database? – Not the best solution
  • 14. A Case Study (Early 2014) • CVE-2013-6282 – put_user/get_user – Lack of boundary check • Read & write – ptrace->put_user->write anywhere – setsockopt->get_user->read anywhere • Targeting all ARMv6+ (by getsockopt)
  • 15. A Case Study (Early 2014) • “Perfect vulnerability” • Thinking of these problems: – Achieve root with read & write – Achieve root with write only – Without device database – SELinux (Nexus and Samsung) • “Write-only” bugs are quite common
  • 16. DKOM • Direct Kernel Object Manipulation • Straight forward when we have R/W • Our goal – Get root uid/gid – Get full capabilities – Get u:r:init:s0 – Patch SELinux policy – Patch/bypass root mitigations • Where are the “objects”?
  • 17. DKOM • Task information – struct thread_info => on kernel stack – struct task_struct => in heap – thread_info.task -> task_struct • Leak SP (towelroot) • Search and manipulate – Useful when code execution is inconvenient
  • 18. DKOM
  • 19. DKOM • init_task leads to the doubly-linked list • Usually a symbol in kallsyms – We don’t have root yet • Any pattern? • In /arch/arm/kernel/init_task.c – struct task_struct init_task = INIT_TASK(init_task); (take ARM32 as an example)
  • 20. DKOM • Always starts with this pattern: – .state => unknown – .stack => 2-page (8K) aligned address – .usage => 0x2 – .flags => 0x200000 • Search range? – /proc/iomem
  • 21. DKOM • Next: offset of tasks • Structure definition: • For all modern multi-core phones, CONFIG_SMP is always ‘y’ struct task_struct { volatile long state; void *stack; ... struct list_head tasks; #ifdef CONFIG_SMP struct plist_node pushable_tasks; #endif
  • 22. DKOM • Check init_task.h, list.h and plist.h in /include/linux • tasks + pushable_tasks looks like: – Two kernel pointers – 0x0000008c – Two kernel pointers • Good anchor once we located init_task
  • 23. DKOM • How to identify my process? – Random string => char comm[TASK_COMM_LEN] – Anchor to identify task – It will also find task->cred for you  const struct cred __rcu *cred; struct cred *replacement_session_keyring; char comm[TASK_COMM_LEN];
  • 24. DKOM • So now we have: – init_task – Traverse task list for any task – Identify task by comm – Offset of task->cred • struct cred is simple and easy? – For uid/gid – How about u:r:init:s0?
  • 25. DKOM • sid <=> SELinux context • 1 <=> u:r:kernel:s0 • ?? <=> u:r:init:s0 • Two approaches – untrusted/shell => kernel => init • Policy may block it – Set sid directly • Look for “init” task 
  • 26. -wx-wx-wx • But what if only write anywhere is possible? • Real example: – Broadcom /dev/uio1 – ioctl: Write a string to given address – How to exploit? • Overwrite syscall table and run shell code?
  • 27. -wx-wx-wx • Interesting entry in process map: • What’s inside? shell@test:/ $ cat /proc/self/maps 40000000-40020000 r--s 00000000 00:0b 4103 /dev/__properties__ 40031000-40033000 rw-p 00000000 00:00 0 4006d000-40092000 r-xp 00000000 b3:1c 353 /system/bin/mksh 40092000-40093000 r--p 00000000 00:00 0 . . . 401c1000-401c4000 rw-p 0004a000 b3:1c 1704 /system/lib/libc.so 401c4000-401d2000 rw-p 00000000 00:00 0 4030e000-40319000 rw-p 00000000 00:00 0 [heap] bef49000-bef6a000 rw-p 00000000 00:00 0 [stack] ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
  • 28. -wx-wx-wx • In /arch/arm/kernel/entry-armv.S • At 0xffff0008, location of vector_swi is leaked by an LDR instruction. • loc_vector_swi = *(0xffff0008 + 8 + ((*0xffff0008) & 0xfff))) .LCvswi: .word vector_swi ... __vectors_start: ARM( swi SYS_ERROR0 ) THUMB( svc #0 ) THUMB( nop ) W(b) vector_und + stubs_offset W(ldr) pc, .LCvswi + stubs_offset W(b) vector_pabt + stubs_offset ... W(b) vector_fiq + stubs_offset .globl __vectors_end __vectors_end:
  • 29. -wx-wx-wx • Symbol sys_call_table is always 3 symbols aways from vector_swi vector_swi __sys_trace __sys_trace_return __cr_alignment =>sys_call_table • All defined in /arch/arm/kernel/entry-common.S • loc_sys_call_table = loc_vector_swi + len(4 following stubs)
  • 30. -wx-wx-wx • Length of vector_swi depends on: – CONFIG_OABI_COMPAT - Allow old ABI binaries to run with this kernel (EXPERIMENTAL) – CONFIG_SECCOMP - Enable seccomp to safely compute untrusted bytecode • In most cases both are set as N. • If set: – CONFIG_SECCOMP => 6 instructions, 24 bytes – CONFIG_OABI_COMPAT => More complex, 28 bytes
  • 31. -wx-wx-wx • CONFIG_SECCOMP: PRCTL(PR_GET_SECCOMP, …) • CONFIG_OABI_COMPAT: sys_oabi_semop • Algorithm is simple – Set BASE_OFFSET – If (CONFIG_SECCOMP) BASE_OFFSET += 24 – If (CONFIG_OABI_COMPAT) BASE_OFFSET += 28 – Align – loc_sys_call_table = loc_vector_swi + BASE_OFFSET • Patch unused syscall entry and run shell code • Assuming no PXN or RO kernel text (True for most devices before 2014)
  • 32. Conclusion • A good vulnerability • Hardcode-free exploitation • Fine tune => Decent coverage CVE-2013-6282, 42% Others, 58%
  • 33. What’s next? • Root mitigation bypass – Samsung (STRICT_SEC) – Huawei fblock – Sony RIC • CVE-2015-3636 – How to root 107 phones again? – BH 2015 Ah! Universal Android Rooting is Back Present by Wen Xu