It's Bugs All the Way Down

Security Research by Dan Rosenberg

Xoom FE: Stupid Bugs, and More Plagiarism

Someone mentioned to me that yesterday’s root for the Motorola XYBoard appeared to not work on the Xoom Family Edition (FE), so I took a look. What I found was a set of vulnerabilities so egregious that it’s hard to not draw comparisons to a deliberate backdoor.

Plagiarism for Profit

After doing some research on what’s been done on this device in the past, I found that it has apparently been rooted before, prior to the most recent OTA update. Someone by the name of “Evil_DevNull” published a root exploit here, that appeared to take advantage of a command injection vulnerability in a utility called “cmdclient”. He then proceeded to repeatedly request and receive monetary donations. This would all be fine (donating to developers is a good way to support their otherwise unpaid work), except Evil_DevNull seems to have ripped off the exploit used here to root the Acer Iconia A100, which is just a variation on an exploit published as “iconiaroot” here, authored by “sc2k”. Congratulations, Evil_DevNull, you’ve managed to profit by ripping off someone else’s exploit without credit!

Stupidest Root Ever?

Anyway, back to the fun stuff. After confirming that cmdclient is installed setuid root, I pulled up IDA and took a look at what it does. What I saw was so broken it was hard to believe.

The first few arguments cmdclient supports are “ec_recovery”, “ec_btmac”, “ec_snid”, “ec_skunumber”, and “ec_imeiwithbarcode”. Each of these commands builds a command string using the second argument (such as “echo [arg] > /sys//EcControl/RecoveryMode”) and executes it using system(). These are all trivial command injection vulnerabilities: something like “cmdclient ec_skunumber ‘; [my cmd];'” works fine to execute arbitrary commands as root. Ok, device rooted, that was easy.
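The pattern described above next to a shell-free replacement, as an added example that is not code from cmdclient or from the original post. The function names, the allow-list format and the scratch file standing in for the sysfs node are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern the post describes (contrast only, never called here): the argument is
 * pasted into a shell command line, so /bin/sh interprets its metacharacters. */
int set_node_shell(const char *node, const char *arg) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "echo %s > %s", arg, node);
    return system(cmd);
}

/* Allow-list check: 1..32 characters of [A-Za-z0-9_-] (assumed value format). */
int value_is_safe(const char *v) {
    size_t len = strlen(v);
    if (len == 0 || len > 32) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)v[i]) && v[i] != '-' && v[i] != '_') return 0;
    return 1;
}

/* Hardened form: no shell; validate, then write. Returns bytes written or -1. */
int set_node_direct(const char *node, const char *value) {
    if (!value_is_safe(value)) return -1;
    int fd = open(node, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = write(fd, value, strlen(value));
    close(fd);
    return n == (ssize_t)strlen(value) ? (int)n : -1;
}

/* Demo: a scratch file stands in for the sysfs node (constructed input). */
int demo_store(const char *value) {
    char path[] = "/tmp/ec_node_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    int rc = set_node_direct(path, value);
    unlink(path);
    return rc;
}

int main(void) {
    printf("%d %d\n", demo_store("SKU12345"), demo_store("; [my cmd];"));
    return 0;
}
```

Because the value never reaches a shell, the allow-list is a second layer, not the only one: even a value that passed validation would be written as literal bytes.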

But one of the other cmdclient options was so ridiculous that it’s hard to believe it isn’t a deliberate backdoor. “cmdclient sys_open” will perform a “chmod 777 /data” and “chmod 777 /cache”, among a few other things, which obviously cripples the security of the device and allows gaining root yet again. They might as well rename the application “own_my_device_now”.

Download

If you’re a Xoom FE owner, you can download a Windows root script here or a Linux/OSX version here. Install the appropriate Motorola drivers, connect your device via USB, extract the appropriate zip, and execute “run.bat” (on Windows) or “run.sh” from a terminal (on Linux/OSX). Enjoy.

This entry was posted on Saturday, February 18th, 2012 at 5:20 pm and is filed under Android, Exploitation.