XDA Developers Android and Mobile Development Forum

[ROOT][SECURITY] Root exploit on Exynos

espenfjo
Recognized Developer
#31
Samsung has released the kernel sources with their approach, i9300 update 7.

It is basically this:
http://review.cyanogenmod.org/#/c/29910/


Their approach is very similar to AndreiLux's, but they have also patched the other attack vectors such as s3c-mem and fimg/fimc.

Verified that the original exynos-abuse indeed does not work with this approach.
Android and CyanogenMod fan
Using Mako with CM10.1
Using N8000 with CM10.1
Using GT-I9100 with CM10.1
Not using Maguro

Gplus: http://gplus.to/espenfjo
Twitter: http://twitter.com/espenfjo
IRC: Espenfjo @ Freenode

CyanogenMod device maintainer

AndreiLux
Senior Member
#32 (Last edited by AndreiLux; 9th January 2013 at 07:18 AM.)
Quote: Originally Posted by espenfjo
That commit contains way too much; some of it is CMA stuff unrelated to the security fix.

I extracted the fixes properly and they're in my repo, check it out. And yes, the secmem patch is also needed (s5p-smem; I also fixed that back in December but we kept it undisclosed, although my commit was public). https://github.com/AndreiLux/Perseus-S3

I'm having some inconsistency with their fimc checks though: video decoding at higher resolutions causes size accesses that exceed the CMA limits on the MFC block on some frames. I #if 0'ed that part until I find out what causes it. So watch out with that.

alephzain
Senior Member - OP
#33
Quote: Originally Posted by AndreiLux
Thanks Andrei for the diff patch.
Samsung finally took a paranoid approach by adding multiple checks with cma_is_registered_region.
Some possible attack vectors via devices have been patched:
  • s3c-mem (possible exploitation with ioctl, and only accessible to root on stock ROM)
  • fimg2d (not investigated)
  • s5p-smem (no need to explain)

Just want to highlight Samsung's paranoid approach, which adds check protections in the kernel to avoid misuse of permissions on these devices on alternative ROMs.
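The range check that posts #31 to #33 are about (Samsung's cma_is_registered_region checks on the exynos-mem, s3c-mem, fimg2d and s5p-smem mmap paths) is easy to get subtly wrong, so here is an added C model of it. It is not code from this thread, from Samsung's kernel sources or from AndreiLux's repo; the region table, the function names and the probe addresses are constructed for the example. A real handler takes the physical page from vma->vm_pgoff and the length from the vma, but the arithmetic is the same. Three policies are shown side by side: no check at all (the bug class exynos-abuse relies on, where any physical page can be mapped into an unprivileged process), a naive start/end comparison that an unsigned wrap-around slips past, and a containment check that compares the size against the space remaining in the region without ever adding two values that could wrap.

```c
/*
 * Userspace model of the range check a device mmap() handler needs before it
 * lets a caller map physical memory.  Added illustration only: the region
 * table, the function names and the probe addresses below are constructed
 * for the example and are not Samsung's or AndreiLux's kernel code.
 * Addresses are 32-bit, as physical addresses are on the Exynos4 SoCs.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A physical memory region reserved for a driver (stand-in for a CMA region). */
struct mem_region {
    uint32_t start;   /* physical start address */
    uint32_t size;    /* length in bytes */
};

/* Constructed table of "registered" regions for the example. */
static const struct mem_region registered[] = {
    { 0x40000000u, 0x00800000u },  /* 8 MiB, e.g. a video decoder buffer */
    { 0x50000000u, 0x00100000u },  /* 1 MiB, e.g. a 2D engine scratch area */
};
#define NREGIONS (sizeof registered / sizeof registered[0])

/* Policy 1: no check.  Any physical page, kernel text and data included,
 * can be mapped into the caller; this is the bug class the thread is about. */
static int mmap_allowed_unchecked(uint32_t paddr, uint32_t size)
{
    (void)paddr;
    (void)size;
    return 1;
}

/* Policy 2: the obvious start/end comparison.  Looks right, but paddr + size
 * is computed in 32 bits and wraps, so a huge size can pass the end test. */
static int range_check_naive(uint32_t paddr, uint32_t size)
{
    for (size_t i = 0; i < NREGIONS; i++) {
        const struct mem_region *r = &registered[i];
        uint32_t end = r->start + r->size;
        if (paddr >= r->start && (uint32_t)(paddr + size) <= end)
            return 1;
    }
    return 0;
}

/* Policy 3: containment without overflow.  Reject empty requests, find the
 * region that holds paddr, and require size to fit in what remains after the
 * offset; no addition that could wrap is ever performed. */
static int range_in_registered_region(uint32_t paddr, uint32_t size)
{
    if (size == 0)
        return 0;
    for (size_t i = 0; i < NREGIONS; i++) {
        const struct mem_region *r = &registered[i];
        if (paddr < r->start)
            continue;
        uint32_t off = paddr - r->start;   /* cannot underflow: paddr >= start */
        if (off < r->size && size <= r->size - off)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed probes: the last one is the wrap-around case. */
    static const struct { uint32_t paddr, size; const char *what; } probes[] = {
        { 0x40000000u, 0x1000u, "first page of region 0" },
        { 0x407FF000u, 0x1000u, "last page of region 0" },
        { 0x407FF000u, 0x2000u, "runs past the end of region 0" },
        { 0x00000000u, 0x1000u, "physical page 0, outside every region" },
        { 0xFFFFF000u, 0x2000u, "paddr + size wraps around" },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-40s unchecked=%d naive=%d contained=%d\n", probes[i].what,
               mmap_allowed_unchecked(probes[i].paddr, probes[i].size),
               range_check_naive(probes[i].paddr, probes[i].size),
               range_in_registered_region(probes[i].paddr, probes[i].size));
    return 0;
}
```

The last probe is the one to look at: the naive check accepts it because paddr + size wraps to 0x1000, which is below the region's end, while the containment check rejects it. A check of this shape is what separates a device node that hands out a driver's reserved buffers from one that is a read/write window onto all of RAM, which is what the original /dev/exynos-mem was.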

alephzain
Senior Member - OP
#34
Related to the work here and other stuff, you will find a one-click root application here: http://forum.xda-developers.com/show....php?t=2130276.

It's a root framework including the current exploit + an exploit for OMAP devices, and soon other exploits.

Phylu
Junior Member
#35
License of Exynos-abuse

Thanks a lot for the good work with this exploit.

I am currently doing my bachelor thesis about Android Security and would like to use your exploit within some code I am writing. Unfortunately, I could not find a license within the source code.

If I may use your code that would be great. May I do so?

Best regards
Phylu
 
alephzain
Old
#36  
alephzain's Avatar
Senior Member - OP
Thanks Meter 1708
Posts: 108
Join Date: Sep 2010

 
DONATE TO ME
Quote: Originally Posted by Phylu
Yes, of course; you can consider the code to be under the GPL license.