[ROOT][SECURITY] Root exploit on Exynos

espenfjo
#31  
Samsung has released the kernel sources with their approach, i9300 update 7.

It is basically this:
http://review.cyanogenmod.org/#/c/29910/


Their approach is very similar to AndreiLux's, but they have also patched the other attack vectors such as s3c-mem and fimg/fimc.

Verified that the original exynos-abuse indeed does not work with this approach.
 
AndreiLux
(Last edited by AndreiLux; 9th January 2013 at 07:18 AM.)
#32  
Quote:
Originally Posted by espenfjo
Samsung has released the kernel sources with their approach, i9300 update 7.

It is basically this:
http://review.cyanogenmod.org/#/c/29910/


Their approach is very similar to AndreiLux's, but they have also patched the other attack vectors such as s3c-mem and fimg/fimc.

Verified that the original exynos-abuse indeed does not work with this approach.
That commit contains way too much; some of it is CMA stuff unrelated to the security fix.

I extracted the fixes properly and they're in my repo, check it out. And yes, the secmem patch is also needed (s5p-smem; I also fixed that back in December, but we kept it undisclosed, although my commit was public). https://github.com/AndreiLux/Perseus-S3

I'm having some inconsistency with their fimc checks, though: video decoding at higher resolutions causes size accesses to exceed the CMA limits on the MFC block on some frames. I #if 0'ed that part until I find out what causes it. So watch out with that.
 
alephzain
#33  
Quote:
Originally Posted by AndreiLux
That commit contains way too much; some of it is CMA stuff unrelated to the security fix.

I extracted the fixes properly and they're in my repo, check it out. And yes, the secmem patch is also needed (s5p-smem; I also fixed that back in December, but we kept it undisclosed, although my commit was public). https://github.com/AndreiLux/Perseus-S3

I'm having some inconsistency with their fimc checks, though: video decoding at higher resolutions causes size accesses to exceed the CMA limits on the MFC block on some frames. I #if 0'ed that part until I find out what causes it. So watch out with that.
Thanks Andrei for the diff patch.
Samsung finally took a paranoid approach by adding multiple checks with cma_is_registered_region.
Some possible attack vectors via devices have been patched:
  • s3c-mem (possible exploitation with ioctl, and only accessible to root on stock ROM)
  • fimg2d (not investigated)
  • s5p-smem (no need to explain)

Just want to highlight the paranoid approach of Samsung, which adds check protections in the kernel to avoid misuse of permissions on these devices on alternative ROMs.
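The check alephzain describes, a driver refusing to map any physical range that does not lie inside a CMA region it owns, modelled as an added example. This is not Samsung's or AndreiLux's kernel code: the region table, the mmap_unpatched/mmap_patched helpers and the behaviour attributed to cma_is_registered_region are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed table standing in for the kernel's registered CMA regions.
 * Addresses and sizes are made up; a real driver gets them at probe time. */
struct cma_region { uint64_t start; uint64_t size; };
static const struct cma_region regions[] = {
    { 0x40000000ULL, 0x02000000ULL },   /* 32 MiB region for a video block */
    { 0x48000000ULL, 0x00800000ULL },   /*  8 MiB region for a 2D block   */
};

/* Model of cma_is_registered_region(): true only if [phys, phys+len)
 * lies entirely inside one registered region. Zero length and arithmetic
 * wrap-around are rejected, since both are classic ways a range check
 * ends up accepting memory it should not. */
bool cma_is_registered_region(uint64_t phys, uint64_t len)
{
    if (len == 0 || phys + len < phys)
        return false;
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        uint64_t end = regions[i].start + regions[i].size;
        if (phys >= regions[i].start && phys + len <= end)
            return true;
    }
    return false;
}

/* Unpatched behaviour: trusts the caller-supplied offset and size and
 * maps whatever range was requested. Returns 0 for "mapped". */
int mmap_unpatched(uint64_t phys, uint64_t len)
{
    (void)phys; (void)len;          /* no validation at all */
    return 0;
}

/* Patched behaviour: the same request is refused (-1, -EPERM in a real
 * driver) unless the range is inside a region the driver owns. */
int mmap_patched(uint64_t phys, uint64_t len)
{
    return cma_is_registered_region(phys, len) ? 0 : -1;
}

int main(void)
{
    uint64_t outside = 0x10000000ULL;   /* constructed: not in any region */
    printf("unpatched: %d, patched: %d\n",
           mmap_unpatched(outside, 4096), mmap_patched(outside, 4096));
    return 0;
}
```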
 
alephzain
#34  
Related to the work here and other stuff, you will find a one-click root application here: http://forum.xda-developers.com/show....php?t=2130276.

It's a root framework including the current exploit, an exploit for OMAP devices, and soon other exploits.
 
Phylu
#35  
License of Exynos-abuse

Thanks a lot for the good work with this exploit.

I am currently doing my bachelor thesis about Android Security and would like to use your exploit within some code I am writing. Unfortunately, I could not find a license within the source code.

If I may use your code that would be great. May I do so?

Best regards
Phylu
 
alephzain
#36  
Quote:
Originally Posted by Phylu
Thanks a lot for the good work with this exploit.

I am currently doing my bachelor thesis about Android Security and would like to use your exploit within some code I am writing. Unfortunately, I could not find a license within the source code.

If I may use your code that would be great. May I do so?

Best regards
Phylu
Yes, of course; you can consider the code to be under the GPL license.
 
hartlezzevolved
#37  
Quote:
Originally Posted by Chainfire
Very interesting. Thanks for bringing that up. (Have also flagged some Samsung engineers to read this)

Also, I'm building an APK for this to make it easy.

EDIT: APK posted here: http://forum.xda-developers.com/show....php?t=2050297, download, install, run, and your device is rooted with SuperSU.

EDIT#2: This app now also lets you disable the exploit
Hi Chainfire,

Will this app work on other devices, or only on Samsung firmwares? Thanks
