Another silly file permissions bug. At least the exploitation of this one was a little bit more interesting.
The vulnerability in this case allowed me to chmod an arbitrary file or directory 0777 (world-writable). Normally I’d go for /data/local.prop (if it already exists) or /data itself (if it doesn’t). However, on this particular device, setting the ro.kernel.qemu property (to cause ADB to give a root shell) caused the device to bootloop before ADBD started.
My second go-to for these types of bugs is /proc/sys/kernel/hotplug, since writing the path of a user-controlled executable and triggering a module load or hotplug event would be a win. For some reason, changing the permissions on these files with this particular bug didn’t work – I suspect either /proc wasn’t mounted at the time of the chmod or a later init script restored the permissions of these files. Either way, these options were out.
As yet another vector, I chose to make the block device corresponding to the /system partition world-writable. I pulled the setuid-root “run-as” application from the device, opened it up in IDA, and found a good place to patch it to cause it to fail to drop privileges, so that rather than allowing me to run with a particular application’s privileges, it would grant me a root shell. I then patched these bytes by writing directly to the block device. It’s ugly, but it works.
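From the defender's side, the three vectors above share one property: each needs a sensitive path to end up world-writable, and the last one leaves the setuid binary's mode and size untouched, so only a content hash reveals the patch. The following audit script is an added example for this post, not the author's exploit or tool. It checks the paths named in the write-up for the "other" write bit and compares a setuid binary against a known-good SHA-256; the block-device path, the sample tree and the stand-in run-as contents are constructed placeholders (the real /system device node and the vendor's known-good hash are not given in the post).

```python
import hashlib
import os
import stat
import tempfile

# Paths the write-up names as targets for an arbitrary "chmod 0777" primitive.
# The block-device entry is a constructed placeholder: the real /system device
# node differs per device and is not given in the post.
SENSITIVE_PATHS = [
    "/data",
    "/data/local.prop",
    "/proc/sys/kernel/hotplug",
    "/dev/block/SYSTEM_PARTITION_PLACEHOLDER",
]


def is_world_writable(path):
    """True if the 'other' write bit is set, None if the path does not exist."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    return bool(st.st_mode & stat.S_IWOTH)


def audit_permissions(root, rel_paths=SENSITIVE_PATHS):
    """Map each sensitive path (relative to root) to 'world-writable', 'ok' or 'missing'."""
    findings = {}
    for rel in rel_paths:
        ww = is_world_writable(os.path.join(root, rel.lstrip("/")))
        findings[rel] = "missing" if ww is None else ("world-writable" if ww else "ok")
    return findings


def sha256_file(path):
    """Stream a file through SHA-256 so large system binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_setuid_binary(path, expected_sha256):
    """Report the setuid bit and whether the binary still matches its known-good hash.

    A byte patch written through the block device keeps mode and size intact,
    which is why a permissions-only audit cannot catch this vector.
    """
    st = os.stat(path)
    return {
        "setuid_bit": bool(st.st_mode & stat.S_ISUID),
        "hash_matches": sha256_file(path) == expected_sha256,
    }


def build_sample_tree():
    """Construct a throwaway tree mimicking a post-exploitation state (constructed data).

    Returns a dict with the tree root, the stand-in run-as path and its
    known-good hash taken before the simulated patch.
    """
    root = tempfile.mkdtemp(prefix="audit_")
    data = os.path.join(root, "data")
    os.mkdir(data)
    os.chmod(data, 0o777)  # the bug's effect on /data
    local_prop = os.path.join(data, "local.prop")
    with open(local_prop, "wb") as f:
        f.write(b"# constructed sample\n")
    os.chmod(local_prop, 0o644)
    bindir = os.path.join(root, "system", "bin")
    os.makedirs(bindir)
    run_as = os.path.join(bindir, "run-as")
    good = b"\x7fELF-constructed-run-as-stand-in"
    with open(run_as, "wb") as f:
        f.write(good)
    known_good = hashlib.sha256(good).hexdigest()
    # Simulate a patch applied through the block device: same length, changed bytes.
    with open(run_as, "r+b") as f:
        f.seek(4)
        f.write(b"XXXX")
    return {"root": root, "run_as": run_as, "known_good": known_good}


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, status in audit_permissions(sample["root"]).items():
        print(f"{status:15} {path}")
    print(check_setuid_binary(sample["run_as"], sample["known_good"]))
```

On a real device the same functions would be pointed at `/` (or at a tree pulled with `adb pull`) with the vendor's published hash for run-as substituted for the constructed one; the `/proc` entries will report "missing" when auditing a pulled copy rather than the live system, which is expected.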
Download the Windows version here. To root your phone, install LG ADB drivers, put the device in USB debugging mode, connect via USB, extract the zip file, and execute “run.bat”.
This exploit is not guaranteed to be 100% effective or stable. In a worst-case scenario, you may need to reflash your build and try again.
I encourage anyone thinking of donating in thanks to direct your donation to the American Red Cross or another reputable charitable organization. If you absolutely insist on throwing money at me instead, you can donate below.
This entry was posted on Sunday, February 26th, 2012 at 9:02 pm and is filed under Uncategorized.