XDA Developers Android and Mobile Development Forum

[2012.12.18] Why Exynos exploit patches may not work as expected + demo app

Chainfire
(Last edited by Chainfire; 19th December 2012 at 02:07 PM.)
#1

So I'm sure we've all heard about the ExynosAbuse exploit. If not, the original thread is here. The only proper solution is a kernel fix. This thread is only about app-based fixes.

There are various fixes available at the time of this writing, including my own. I don't mind some competition, that is not the problem. What is a problem is that some of these other app-based solutions out there have been mentioned and pushed a lot in the media (tech as well as non-tech) while they are seriously flawed (the only true solution is a kernel fix that simply removes the exploitable memory device, but that requires a non-universal device update, so we focus only on app-based fixes here that users may run immediately).

What I mean by flawed is that while they offer protection most of the time, they may leave a big gaping hole during boot that can be exploitable (as I will demonstrate) - and serious malware authors will of course include this attack vector in any serious malware - as will they include an attack vector to exploit temporary enabling of the exploit so you can use your camera (on devices where the fix breaks camera use).

Serious malware needs only a tiny hole to squeeze through once, and will attempt to leave its own backdoor in case the hole they squeezed through is closed. Disabling the fix to use your camera only for a second with a malicious app running in the background running the exploit in a loop, and game over. I'm not even going to demo that, that flaw should be clear.

Due to unreliable fixes being mentioned by the media, a lot of people who have read online (or even print) news about this exploit may be using a fix they believe will work, but actual malware will easily bypass. Maybe some noise needs to be made about this ?

We're going to talk about three solutions here:

RyanZA's ExynosMemFix
Supercurio's Voodoo Anti ExynosMemAbuse v0.6
Chainfire's ExynosAbuse APK




The demo

What I am going to demo is running the exploit at boot, even though a fix that runs at boot is installed, on an exploitable device. After reading the rest of this article, find attached the ExynosExploitDemo APK. After installation, open the app, reboot your device, unlock your device (enter PIN, pattern, etc.) and watch the screen like a hawk. Within a minute, a toast (bottom of the screen) notification will pop up telling you whether the exploit worked. If it didn't work the first time, please try it at least 3 times. Once you are satisfied with the results, you should uninstall it again as it slows down the boot process.




Test setup

For each test I have completely factory reset the devices, and installed the "protection" APK before installing the exploit demo. Tests have been run on both Galaxy S3 as well as Galaxy Note 2, with and without SIMs installed. Tests were performed on December 18, 2012 with the most recent versions at that time.



BOOT_COMPLETED

Both RyanZA's and Supercurio's solutions depend on Android launching the apps at boot (using the BOOT_COMPLETED mechanism), so they can plug the hole. This is a standard Android practice. The problem is, there is no guaranteed order in which apps are started at startup. A malicious app could also register to be started at boot (as the demo app does), and it would be a race whether the malicious exploit is run first, or the protection code. Luckily, you are more likely to have installed one of the patches before the malware, and the app that is installed first also has a better chance of being run first - but this is something that you cannot and should not rely on, nor does it guarantee the protection app will win the race, as explained below. The number of apps installed (and their package names, and what exactly they do at launch) may further influence which package "wins". What I'm trying to demonstrate here is that depending on this method of patching is unreliable at best.




The demo vs RyanZA's ExynosMemFix

RyanZA's is probably the least advertised/mentioned solution, which I expect is least used as well. The solution relies on BOOT_COMPLETED and "su" availability (like being rooted with SuperSU or Superuser), but does not rely on the exploit itself.

The reliance on "su" availability makes it vulnerable: it runs "su" to get the required access level to plug the hole. Even if installed before the malware and the system launches its startup code before the malware, the "su" call is an expensive one that can take an arbitrary amount of time to complete, regardless of the app having been granted permission before or not.

In my tests, even with ExynosMemFix installed before the demo, and having verified its code launched first, it would always lose against the demo (and thus the exploit succeeds) if the root management app installed is Superuser. Due to the way the Superuser app is designed, it takes a longer time acknowledging the "su" request, giving the demo time to run the exploit. I have also seen ExynosMemFix generate an ANR error during testing a number of times, indicating that it may be calling "su" from the actual broadcast receiver (instead of a background thread), with all the problems that may cause.

When SuperSU is used, ExynosMemFix would always win against the demo in my tests (and thus the exploit fails), due to SuperSU responding much faster as it does not rely on the Android framework as Superuser does.

This solution can be somewhat secure, but even if used in combination with SuperSU, it cannot be guaranteed the malware does not launch first (I've seen it happen, but have not found the key to reproducing it yet). In combination with Superuser instead of SuperSU, the patch leaves a major hole.




The demo vs Supercurio's Voodoo Anti ExynosMemAbuse v0.6

Supercurio's is probably the most advertised/mentioned solution in general by media outlets. The solution relies on BOOT_COMPLETED and the exploit itself (but no "su" required).

The reliance on the exploit makes it vulnerable. The exploit may need to run a couple of times before it succeeds during boot, and it takes quite a few milliseconds to run. It runs the exploit to get the required access level to plug the hole. The exploit does however take some time to run, and both the exploit as well as the hole-plugging command must be completed before the malware starts, to effectively block it.

In my tests, even with Voodoo Anti ExynosMemAbuse installed before the demo, and having verified its code launched first, it would always lose against the demo (and thus the exploit succeeds). The protection code would launch before the demo code, but it would not complete (and fix the hole) before the malware was started, thus failing to block it.

Note that this specific case is probably especially sensitive to the number of apps you have installed - it may be the case that the more apps you have installed after this solution and before actual malware, the better the chance the protection will succeed before the malware is triggered. You can't possibly rely on this, though.

This solution is the least secure solution of all available options - it will leave a big hole open, you might as well not run any patch at all.




The demo vs Chainfire's ExynosAbuse APK

Mine is probably the second most advertised/mentioned solution. The solution relies on modifying /system and the exploit itself, with parts relying on "su".

This solution can root the device and install SuperSU as management app itself, though it also works with a pre-installed Superuser. It requires this to install the on-boot fix. After that patch is applied, you can unroot again (inside SuperSU: Settings --> Full unroot) - the patch will keep working. The patch itself does however modify /system, to make sure the fix is applied before any normal Android app is started with BOOT_COMPLETED, completely preventing the hole the demo app (and malware) would use to run the exploit. As such, the exploit always fails.

This solution is the most secure solution of the available options in this regard, topped only by actually fixing the exploit in the kernel.




Virus/malware/etc scanners

I have also noticed that various virus and malware scanners have updated their definitions in the past few days, and they will now detect the original ExynosAbuse exploit. Be warned, however, that this specific hole can be exploited in many different ways and the example code provided by alephzain is just that: an example. I am not at all convinced that all different exploits based on this hole can even theoretically be reliably detected by these scanners - including Google's - unless every app is actually tested against in a sandbox environment (and even then ...). They may protect against those using the exploit as-is, though.




The big joke

The funny thing is, all the fixes that can actually work void warranty: mine requires modifying /system, RyanZA's requires root as well, and a proper fix requires a custom kernel.

In other words, right now you can't really protect yourself against this abuse without voiding your warranty. If there ever was a case for having laws against limitations of warranty, this is it. On a related note, any warranty denied because your system status is "modified" is also completely bogus, as a successful exploit might (outside of your knowledge) probably try to install their own backdoor in /system ... which might trigger "modified" status.

Also, if you're thinking this is complicated code, malware authors are not smart enough, etc - think again. Serious malware authors live and breathe this stuff, and the relevant code for this attack is rather trivial and only about 30 lines, including whitespace and actually showing you the exploit result.

Another joke is that I seriously doubt any major news outlet will post a correction, but hey, at least I tried.




Different test results

Let us please not make this thread about your test results being different. If you have read and understood all the text above, you would know that there are various factors that may throw the test outcome one way or the other. Unless you're sure your different result is significant in being different, please do not clutter the thread with it.




Download
If you have a decent and updated virus scanner, it will likely scream at you for trying to download this. It is after all an exploit. You may need to turn it off if you want to test this for yourself.
Attached Files
File Type: apk ExynosExploitDemo.apk (232.6 KB, 5404 views)
BLOG - G+(Chainfire) - G+(Personal) - TWITTER - IRC - PAYPAL - BTC 1JeoxivKEXbbiegsv1BrUC7fD7GgSPcqkG

A proper quote includes only the relevant paragraphs, and a proper post never ends with the word "why"

 

Android
HTC G1, Hero, One
LG G Pad 8.3, G Watch, G3
Moto E
Samsung i5800, i9000*2, P1000*2, P7100, i9100*2, N7000, P6800, i9300, N7100, i9505, N9005, G900F
Sony T LT30p, Z C6603
Nexus Galaxy*2, N7*2, N10, N7-2013, N7-2013-3G, N5

SuperSU, Mobile ODIN, TriangleAway, DSLR Controller, CF-Root, 500 Firepaper, OpenDelta, USB Host Diagnostics, ExynosAbuseAPK, Live dmesg+logcat, NoMoarPowah!, CF-Bench, Chainfire3D, CF.lumen, SGS2 SIM Unlocker, GingerBreakAPK, SuperPower, and more!

Windows Mobile 5/6
E-Mobile EM-ONE
HTC Wizard*2, Kaiser, Touch, Diamond, Pro, HD*2, Diamond 2, Pro 2*2, HD2*2
Samsung i780, i900*2, i8000*2, b7300, b7320, b7330, b7620*2, b6520

WMWifiRouter, KaiserTweak, FPUEnabler, WMLongLife, WMRegOptimizer, CFC+GUI, TF3D+v2 ports, Kaiser+Omnia2+Snapdragon 3D drivers, GfxBoost, and more!

Windows Phone 7
LG GW910

iOS
Apple iPad 3, iPad Mini 2


NOTICE: I do not respond to tech support questions through PM.
The Following 116 Users Say Thank You to Chainfire For This Useful Post
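The post's core argument (the BOOT_COMPLETED section and the three per-solution comparisons above) is a timing race: being dispatched first does not help a boot-time patch if it has not finished closing the hole before the first malicious attempt. The model below is an added illustration written for this page; it is not code from the thread, nor from ExynosMemFix, Voodoo Anti ExynosMemAbuse or ExynosAbuse APK, and it contains no exploit. Every latency range, the retry distribution for the exploit-based fix, and the two-receiver dispatch model are constructed assumptions chosen to make the argument visible, not measurements taken from the post.

```python
"""Boot-time race model for app-based Exynos "fixes".

Added illustration for this page, not code from the thread or from any of
the three apps it discusses.  It models the post's argument: an app-level
patch that runs from a BOOT_COMPLETED receiver only protects you if it has
FINISHED closing the hole before the first malicious exploit attempt runs,
and Android gives no ordering guarantee between receivers.  Every latency
range and the dispatch model below are constructed assumptions.
"""
import random


def plug_done_at(strategy: str, receiver_start_ms: float, rng: random.Random) -> float:
    """Boot-relative time (ms) at which the protection has actually closed the hole.

    receiver_start_ms is when the fix's BOOT_COMPLETED receiver was started.
    All ranges are assumed values for illustration only.
    """
    if strategy == "system":
        # Fix wired into /system and applied before the framework starts any
        # app: already in place when the first receiver is dispatched.
        return 0.0
    if strategy == "su_supersu":
        # "su" request answered quickly by a daemon-style root manager.
        return receiver_start_ms + rng.uniform(50, 300)
    if strategy == "su_superuser":
        # "su" request answered through the Android framework: much slower.
        return receiver_start_ms + rng.uniform(1500, 6000)
    if strategy == "exploit":
        # Must run the exploit itself first, and it may need several attempts.
        attempts = rng.choice([1, 1, 2, 3])
        return receiver_start_ms + attempts * rng.uniform(200, 800)
    raise ValueError(f"unknown strategy: {strategy}")


def fix_wins(fix_done_ms: float, malware_attempt_ms: float) -> bool:
    """The fix counts only if the hole is closed when the malware's attempt starts.

    Being *dispatched* first is irrelevant; only completion time matters.
    """
    return fix_done_ms <= malware_attempt_ms


def boot_race(strategy: str, trials: int = 10_000, seed: int = 1,
              fix_first_prob: float = 0.9) -> float:
    """Fraction of simulated boots in which the protection beats the malware.

    Two BOOT_COMPLETED receivers (fix and malware) are dispatched a random gap
    apart.  fix_first_prob models "you installed the patch before the malware,
    so it is usually, but not always, started first".  The malware runs its
    exploit the moment its receiver starts.
    """
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        gap = rng.uniform(0, 1500)  # assumed spread between receiver starts
        if rng.random() < fix_first_prob:
            fix_start, malware_start = 0.0, gap
        else:
            fix_start, malware_start = gap, 0.0
        done = plug_done_at(strategy, fix_start, rng)
        if fix_wins(done, malware_start):
            wins += 1
    return wins / trials


def report(fix_first_prob: float = 1.0) -> dict:
    """Win rate per strategy; with fix_first_prob=1.0 the fix is ALWAYS dispatched first."""
    return {s: boot_race(s, fix_first_prob=fix_first_prob)
            for s in ("system", "su_supersu", "su_superuser", "exploit")}


if __name__ == "__main__":
    for strategy, rate in report(fix_first_prob=1.0).items():
        print(f"{strategy:13s} fix dispatched first on every boot: "
              f"hole closed in time on {rate:5.1%} of boots")
```

Run it with `fix_first_prob=1.0` and the point of the post falls out of the numbers: the "system" strategy is safe on every boot because nothing it depends on races with app startup, while the receiver-based strategies still lose a share of boots even when they are always started first, and the slower the step between receiver start and hole closed (a framework-mediated "su" prompt, or an exploit that may need retries), the larger that share. Changing the assumed ranges changes the percentages, not the ordering.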
 
Chainfire
(Last edited by Chainfire; 19th December 2012 at 11:12 AM.)
#2
2012.12.19 Update
I have a new (private, yeah) version of the demo that now beats both Supercurio's (v0.9) as well as RyanZA's solution 100% of the time.
The Following 12 Users Say Thank You to Chainfire For This Useful Post
 
Chainfire
#3
--- also reserved ---
The Following 10 Users Say Thank You to Chainfire For This Useful Post
 
lelinuxien52
#4
Thanks for this thread. It's so fun!
But I have solved the problem (I think) after flashing my phone with my kernel (exynos_mem files modified).
 
Chainfire
#5
Quote:
Originally Posted by lelinuxien52 View Post
Thanks for this thread. It's so fun!
But I have solved the problem (I think) after flashing my phone with my kernel (exynos_mem files modified).
Yes, as stated, the best solution is a fixed kernel
The Following User Says Thank You to Chainfire For This Useful Post
 
supercurio
#6
My app clearly states the limitations of the approach (inside the app itself, leaves no doubt)

But it should not lose every time against the demo exploit at boot, so I'll change to a more aggressive way to start.
Thanks Chainfire for taking the time to test.
The Following 13 Users Say Thank You to supercurio For This Useful Post
 
CitizenLee
#7
Chains, it's not much but have an Export 33 on me mate: 8BH470706S240353D
The Following User Says Thank You to CitizenLee For This Useful Post
 
AndreiLux
#8
Well said.
 
SMARTPHONEPC
(Last edited by SMARTPHONEPC; 18th December 2012 at 08:14 PM.)
#9
Quote:
Originally Posted by Chainfire View Post
Yes, as stated, the best solution is a fixed kernel
So when do you think Samsung+carriers will plausibly get around to officially fixing it?

Sounds more precarious to not try your workaround & there is reasonable deniability even if there is a warranty issue..?

Tomorrow I'd like to install the official T-Mobile SGH-T889 multi-window update followed by ExynosAbuse-v1.30.apk , anyone expect issues as this recently discovered exynos exploit is not listed as addressed in this likely tested for weeks update?:



So is ExynosAbuse-v1.30.apk now regarded as the best-easiest-fastest-safest reversible root method for stock ROM compatible devices (as it also offers a reversible exynos exploit work-around with full unroot)?

-Thanks
 
PIRATA!
#10
Tried demo app this way:

- 2 times under WiFi and I get "Exploit FAIL" and the toast shows the directory that is something like "[!] ... /exynos-...."
- 1 time under a regular 3G data connection and I still get "Exploit FAIL", but in the toast I no longer see the directory, only the message

I use Chainfire's exploit app.

Am I secure???

Sent from my GT-i9300 using TapaTalk2