[ROOT][SECURITY] Root exploit on Exynos

OP alephzain

8th January 2013, 10:21 PM | #31 | espenfjo (Recognized Developer, Oslo)
Samsung has released the kernel sources with their approach, i9300 update 7.

It is basically this:
http://review.cyanogenmod.org/#/c/29910/


Their approach is very similar to AndreiLux's, but they have also patched the other attack vectors such as s3c-mem, fimg/fimc.

Verified that the original exynos-abuse indeed does not work with this approach.
9th January 2013, 08:10 AM | #32 | AndreiLux (Senior Member)
Quote:
Originally Posted by espenfjo

Samsung has released the kernel sources with their approach, i9300 update 7.

It is basically this:
http://review.cyanogenmod.org/#/c/29910/


Their approach is very similar to AndreiLux's, but they have also patched the other attack vectors such as s3c-mem, fimg/fimc.

Verified that the original exynos-abuse indeed does not work with this approach.

That commit contains way too much; some of it is CMA stuff unrelated to the security fix.

I extracted the fixes properly and they're in my repo, check it out. And yes the secmem patch is also needed (s5p-smem, also fixed that back in December but we kept it undisclosed, although my commit was public). https://github.com/AndreiLux/Perseus-S3

I'm having some inconsistency on their fimc checks though with video decoding on higher resolutions causing size accesses to exceed the cma limits on the MFC block on some frames. I #if 0'ed that part until I find out what causes it. So watch out with that.
Last edited by AndreiLux; 9th January 2013 at 08:18 AM.
9th January 2013, 10:06 AM | #33 | alephzain (OP, Senior Member)
Quote:
Originally Posted by AndreiLux

That commit contains way too much; some of it is CMA stuff unrelated to the security fix.

I extracted the fixes properly and they're in my repo, check it out. And yes the secmem patch is also needed (s5p-smem, also fixed that back in December but we kept it undisclosed, although my commit was public). https://github.com/AndreiLux/Perseus-S3

I'm having some inconsistency on their fimc checks though with video decoding on higher resolutions causing size accesses to exceed the cma limits on the MFC block on some frames. I #if 0'ed that part until I find out what causes it. So watch out with that.

Thanks Andrei for the diff patch.
Samsung finally took a paranoid approach by adding multiple checks with cma_is_registered_region.
Some possible attack vectors via devices have been patched:
  • s3c-mem (possible exploitation with ioctl, and only accessible to root on stock ROM)
  • fimg2d (not investigated)
  • s5p-smem (no need to explain)

Just want to highlight the paranoid approach of Samsung, which adds check protections in the kernel to avoid misuse of permissions on these devices on alternative ROMs.
8th February 2013, 07:50 PM | #34 | alephzain (OP, Senior Member)
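The kind of range check the post describes, as an added illustration (not Samsung's, AndreiLux's or the thread's own code): a driver mmap path accepts a physical range only if it lies wholly inside one registered CMA region, and it also rejects zero-length and wrap-around requests. The region table, page size and function names are constructed assumptions, not the real Exynos memory map or kernel API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Table of physical ranges the driver may hand to user space.
 * Constructed sample values for illustration, not the Exynos 4 memory map. */
struct phys_region {
    uint64_t base;
    uint64_t size;
};

static const struct phys_region registered_regions[] = {
    { 0x40000000ULL, 0x01000000ULL },  /* 16 MiB pool, e.g. for fimc (constructed) */
    { 0x50000000ULL, 0x00400000ULL },  /*  4 MiB pool, e.g. for mfc  (constructed) */
};

/* Hypothetical stand-in for the cma_is_registered_region check the post
 * mentions: true only if [start, start+len) lies wholly inside ONE region.
 * A zero-length request and start+len wrap-around are rejected. */
bool cma_range_is_registered(uint64_t start, uint64_t len)
{
    if (len == 0 || start > UINT64_MAX - len)
        return false;

    uint64_t end = start + len;  /* exclusive end, cannot overflow here */
    size_t n = sizeof registered_regions / sizeof registered_regions[0];
    for (size_t i = 0; i < n; i++) {
        const struct phys_region *r = &registered_regions[i];
        if (start >= r->base && end <= r->base + r->size)
            return true;
    }
    return false;
}

/* Model of an mmap entry point that receives a page offset and a byte
 * length from user space (hypothetical name). Returns 0 when the mapping
 * may be created and -1 when the range is not a registered CMA region,
 * so a caller cannot map physical memory outside the device's pools. */
int mem_mmap_check(uint64_t pgoff, uint64_t len)
{
    const unsigned page_shift = 12;  /* 4 KiB pages, assumed */
    if (pgoff > (UINT64_MAX >> page_shift))
        return -1;  /* pgoff << page_shift would overflow */
    return cma_range_is_registered(pgoff << page_shift, len) ? 0 : -1;
}
```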
Related to the work here and other stuff, you will find a one-click root application here: http://forum.xda-developers.com/show....php?t=2130276.

It's a root framework including the current exploit + an exploit for OMAP devices, and soon other exploits.
13th June 2013, 12:17 PM | #35 | Phylu (Junior Member, Munich)
Question: License of exynos-abuse
Thanks a lot for the good work with this exploit.

I am currently doing my bachelor thesis about Android Security and would like to use your exploit within some code I am writing. Unfortunately, I could not find a license within the source code.

If I may use your code that would be great. May I do so?

Best regards
Phylu
13th June 2013, 01:59 PM | #36 | alephzain (OP, Senior Member)
Quote:
Originally Posted by Phylu

Thanks a lot for the good work with this exploit.

I am currently doing my bachelor thesis about Android Security and would like to use your exploit within some code I am writing. Unfortunately, I could not find a license within the source code.

If I may use your code that would be great. May I do so?

Best regards
Phylu

Yes of course, you can consider the code under the GPL license.
30th April 2014, 12:51 PM | #37 | hartlezzevolved (Member, Bacoor City)
Quote:
Originally Posted by Chainfire

Very interesting. Thanks for bringing that up. (Have also flagged some Samsung engineers to read this)

Also, I'm building an APK for this to make it easy.

EDIT: APK posted here: http://forum.xda-developers.com/show....php?t=2050297, download, install, run, and your device is rooted with SuperSU.

EDIT#2: This app now also lets you disable the exploit

Hi Chainfire,

Will this app work on other devices? Or only Samsung firmwares? Thanks
