It's Bugs All the Way Down

Security Research by Dan Rosenberg

Rooting the Samsung Admire

At the request of the Samsung Admire community, I decided to root another Android phone.

Update: this exploit is also confirmed to work on the Samsung Galaxy Prevail.

The bug I ended up using is humorously similar to the one I used on the Droid 3. I found that whenever an application crashes (via a segmentation fault, etc.), a dump file is created at /data/log/dumpState_app_native.log by a root process, with world-writable permissions. This file's parent directory is also world-writable, so by placing a symbolic link at this location and then causing a program to crash, it's possible to create a world-writable file anywhere on disk.

The Samsung Admire conveniently doesn't have an existing /data/local.prop, the properties file I leveraged on the Droid 3 to get root, which allows us to create our own. The Motorola-specific property I used to prevent ADB from dropping privileges on the Droid 3 obviously won't work here, but the ro.kernel.qemu property will accomplish the same thing.
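As an added illustration of the root cause described above (this is not code from the original post or from Samsung), here is a small C program that contrasts the weak way of writing a crash dump, which follows whatever symlink sits at the dump path and leaves the file world-writable, with a hardened writer that opens with O_NOFOLLOW and O_CREAT|O_EXCL and a 0640 mode. The helper and demo function names, the /tmp fixture directory and the file names under it are assumptions constructed for this example; nothing here touches a real /data/log.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Helper names and the /tmp fixture below are assumptions for this example. */

/* Weak pattern: creates or truncates `path`, following any symlink found
 * there, with a world-writable mode. A symlink planted at the dump path turns
 * this into a write to an arbitrary file as the dumping process's user. */
static int write_dump_naively(const char *path, const char *data, size_t len) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

/* Hardened pattern: O_NOFOLLOW refuses to open through a symlink at the final
 * path component, O_CREAT|O_EXCL refuses if anything (even a dangling symlink)
 * already exists there, and 0640 keeps the dump from being world-writable.
 * Returns 0 on success, -1 with errno set on refusal or write error. */
int write_dump_safely(const char *path, const char *data, size_t len) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0640);
    if (fd < 0) return -1;
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) {
            if (errno == EINTR) continue;
            int saved = errno; close(fd); errno = saved;
            return -1;
        }
        off += (size_t)n;
    }
    return close(fd);
}

/* Constructed fixture: a private temp dir holding the dump path and a
 * "victim" file that the dump path is optionally symlinked to. */
struct fixture { char dir[64]; char dump[128]; char victim[128]; };

static int fixture_setup(struct fixture *f, int plant_symlink) {
    strcpy(f->dir, "/tmp/dumpdemo.XXXXXX");
    if (mkdtemp(f->dir) == NULL) return -1;
    snprintf(f->dump, sizeof f->dump, "%s/dumpState_app_native.log", f->dir);
    snprintf(f->victim, sizeof f->victim, "%s/local.prop", f->dir);
    if (plant_symlink && symlink(f->victim, f->dump) != 0) return -1;
    return 0;
}

static void fixture_teardown(struct fixture *f) {
    unlink(f->dump); unlink(f->victim); rmdir(f->dir);
}

static int exists(const char *path) { struct stat st; return lstat(path, &st) == 0; }

/* Returns 1 if the naive writer followed the planted symlink and created the
 * victim file (the vulnerable behaviour), 0 otherwise, -1 on setup error. */
int demo_naive_follows_symlink(void) {
    struct fixture f;
    if (fixture_setup(&f, 1) != 0) return -1;
    int rc = write_dump_naively(f.dump, "crash\n", 6);
    int result = (rc == 0 && exists(f.victim)) ? 1 : 0;
    fixture_teardown(&f);
    return result;
}

/* Returns 1 if the hardened writer refused to write through the planted
 * symlink and left the victim untouched, 0 otherwise, -1 on setup error. */
int demo_safe_rejects_symlink(void) {
    struct fixture f;
    if (fixture_setup(&f, 1) != 0) return -1;
    int rc = write_dump_safely(f.dump, "crash\n", 6);
    int result = (rc != 0 && !exists(f.victim)) ? 1 : 0;
    fixture_teardown(&f);
    return result;
}

/* Returns 1 if, with no symlink present, the hardened writer creates the dump
 * and the file carries no world-write bit; 0 otherwise, -1 on setup error. */
int demo_safe_writes_fresh_file(void) {
    struct fixture f; struct stat st;
    if (fixture_setup(&f, 0) != 0) return -1;
    int rc = write_dump_safely(f.dump, "crash\n", 6);
    int result = (rc == 0 && stat(f.dump, &st) == 0 && !(st.st_mode & S_IWOTH)) ? 1 : 0;
    fixture_teardown(&f);
    return result;
}

int main(void) {
    printf("naive writer follows symlink: %d\n", demo_naive_follows_symlink());
    printf("safe writer rejects symlink:  %d\n", demo_safe_rejects_symlink());
    printf("safe writer fresh file ok:    %d\n", demo_safe_writes_fresh_file());
    return 0;
}
```

The demo runs as an ordinary user, so it only shows the file-creation half of the problem; the privilege step in the post comes from the dumping process being root. Fixing the mode alone would not be enough either: the open flags are what stop the symlink redirection, and a non-world-writable parent directory is what stops the link being planted in the first place.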

You can download a one-click root script for Linux and OS X here. Feel free to e-mail me if you find this exploit works on other Samsung phones, and I’ll update this post.

Update: thanks to k0nane, a Windows version is available here.

This entry was posted on Monday, September 12th, 2011 at 8:15 pm and is filed under Exploitation, Linux. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.