XDA Developers Android and Mobile Development Forum

Big news involving kernel modules (info inside)

ryanbg
(Last edited by ryanbg; 21st December 2013 at 06:15 PM.)
#11  
Senior Member - OP
Quote:
Originally Posted by Brandonrz View Post
Absolutely nothing, the only thing you can do is enter kernel modules and still be able to flash; which leaves a possibility that a kexec module could be inserted. Our kernel disables kernel modules, so no possibility for a kexec module to be inserted. And even if there was something the get/put exploit could do for us, chances are it was patched most likely on MJE, or MJ7. He said he'll see what he can do with this, he was talking about the S4. Even ask @Hashcode himself.

Sent from my SM-N900V using Tapatalk
You can modify stock kernel modules without triggering signature verification, which makes inserting a new module redundant, at least for our purpose. MJE and prior kernels are most likely not patched as it was compiled on Nov. 11. The S4 and Note 3 are almost identical, so this is likely reproducible. I am sending an MJE boot.img to jeboo to take a look at. You should take a look at his code on github. He also tested this successfully on MJ7 for S4.

"The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013."

From CVE-2013-6282

Verizon MJE Note 3 kernel was compiled on November 11th.

This is the exploit that jeboo is using. Here

Quote:
I tested inserting a modified stock module and one I compiled. Btw, if you wanna use the modules from the kernel source tree, be sure to add
by jeboo from his exploit thread.

It's also important to note that if this does have any success on our device, it would be advisable to not update.
kwkw480
#12  
Senior Member
Quote:
Originally Posted by ryanbg View Post
This is indeed great news. A lot of amazing devs out there! Unfortunately for me I sold my Note 3 and the dev edition is back ordered :/
 
lkspencer
#13  
Junior Member
If I fire up a terminal the modprobe and insmod commands are both there. @Brandonrz was saying that our kernel disables kernel modules, but why then are those commands available?

I am still on MI9 and I took an MI9 boot.img, extracted its contents and loaded the zImage file into IDA but I am in unfamiliar territory here. I searched for strings with "auth" in them and didn't see anything with lkmauth. Maybe that's because loadable kernel modules are, as @Brandonrz was saying, disabled. Obviously someone with more experience and knowledge of IDA would be beneficial here.

I'm at work now, but I plan on writing a simple kernel module to try and load it using modprobe to see what kind of output I get.

I know this isn't much, but thought I would at least contribute. Please don't get any false hope from this post, not much here.
csstamatin
#14  
Member
Quote:
Originally Posted by lkspencer View Post
I know this isn't much, but thought I would at least contribute. Please don't get any false hope from this post, not much here.

Irregardless, lol, thanks for keeping up with the fight!

Sent from my SM-N900V using Tapatalk
 
lkspencer
(Last edited by lkspencer; 31st December 2013 at 05:08 AM.)
#15  
Junior Member
OK, to follow up to my previous post... I built a simple module and tried to load it using insmod, which fired off an error about "Function not implemented". So modules are definitely disabled for our kernel (turns out there's a much easier way to tell this, ::facepalm::). I guess insmod and modprobe are included despite the kernel config being set to not support modules. Sorry, I know this is repeat info for more experienced devs.

I'm going to leave this one alone, but I'm interested to learn more about the process as jeboo and other devs work on the GS4 solution.
Brandonrz
#16  
Senior Member
Quote:
Originally Posted by lkspencer View Post
I didn't want to say anything but... Sorry, I want it as much as anyone else.

Sent from my SM-N900V using Tapatalk

Surge1223
#17  
Recognized Contributor
MJE kernel patched the exploit for you guys, sorry, and I'm not just saying that, I know this from personally looking at the kernel source and the patch for the exploit. I tried forever to get you guys saferoot. The interesting thing is that kingo still gets root for you guys with an as of yet undiscovered exploit.

Sent from my SCH-I545 using XDA Premium 4 mobile app
 
lkspencer
#18  
Junior Member
Quote:
Originally Posted by Brandonrz View Post
That's ok, it was a good learning experience for me. I've got quite a bit to learn for this stuff. I'm a developer by trade, but this is a different ball field for me.

---------- Post added at 08:59 AM ---------- Previous post was at 08:48 AM ----------

Quote:
Originally Posted by Surge1223 View Post
So since I am still on MI9 I can still use this exploit right? Is it possible to use it to make some kind of rootkit? I don't know to what end, just asking to learn.
 
Surge1223
#19  
Recognized Contributor
Quote:
Originally Posted by lkspencer View Post
Honestly I don't know if it was MJE. It was whatever was the latest Samsung open source kernel they released at the time. We tested on the dev MJ3 kernel as well and that didn't work. But you have to edit the source with your kernel's info. I'd say if your output from cat /proc/version is early Oct or before then maybe.

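The two checks the posters in this thread do by hand (reading the kernel build date out of cat /proc/version, and finding out whether the kernel has loadable module support at all) as an added shell example; this is not code from any poster or from jeboo's exploit. The /proc/version line is constructed, not taken from a real device, and the cutoff date is a parameter because the thread itself only gives rough markers ("Nov. 11", "early Oct or before").

```shell
#!/bin/sh
# Added example (not from this thread): (1) pull the build date out of a
# /proc/version line and compare it with a cutoff, (2) test whether the
# running kernel was built with loadable module support (without
# CONFIG_MODULES, insmod fails with ENOSYS, "Function not implemented").

# Constructed /proc/version line in the usual Linux format; host, toolchain
# and date are made up and not taken from any real device.
SAMPLE_VERSION='Linux version 3.4.0-example (build@example) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Mon Nov 11 12:00:00 KST 2013'

# Three-letter month name -> month number (Nov -> 11); fails on anything else.
month_num() {
  case "$1" in
    Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
    May) echo 5;;  Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
    Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) return 1;;
  esac
}

# build_date_key "<version line>" -> YYYYMMDD (e.g. 20131111), or failure.
# The build date is the trailing "Www Mmm DD HH:MM:SS ZONE YYYY" group the
# kernel build embeds from `date`; a single-digit day is padded with an
# extra space, so one or more spaces are allowed before the day.
build_date_key() {
  set -- $(printf '%s\n' "$1" | sed -n \
    's/.* [A-Z][a-z][a-z] \([A-Z][a-z][a-z]\)  *\([0-9][0-9]*\) [0-9:]* [A-Za-z+0-9-]* \([0-9][0-9][0-9][0-9]\)$/\1 \2 \3/p')
  [ $# -eq 3 ] || return 1
  m=$(month_num "$1") || return 1
  printf '%04d%02d%02d\n' "$3" "$m" "$2"
}

# kernel_predates "<version line>" YYYYMMDD -> true if the kernel was built
# strictly before the cutoff; a build date alone is only a hint, since a
# vendor can backport the fix into an older tree.
kernel_predates() {
  key=$(build_date_key "$1") || return 1
  [ "$key" -lt "$2" ]
}

# modules_enabled -> true if the live kernel was built with CONFIG_MODULES;
# /proc/modules exists only on such kernels. The presence of insmod and
# modprobe binaries in userspace says nothing, as the thread found out.
modules_enabled() { [ -e /proc/modules ]; }

# Example run against the constructed line (and the live kernel for modules):
echo "build date key: $(build_date_key "$SAMPLE_VERSION")"
kernel_predates "$SAMPLE_VERSION" 20131201 && echo "built before 2013-12-01" || echo "built on/after 2013-12-01"
modules_enabled && echo "CONFIG_MODULES: yes" || echo "CONFIG_MODULES: no"
```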