Android 4.4.2 Local Root Vulnerability

Phonegasm · Jun 14, 2014

Changing this to a learning question.
How did Samsung or other vendors fix this vulnerability?
It's not as simple as formating the SD card and running a specially formatted apk?
Thanks for any information.

http://blog.cassidiancybersecurity.com/post/2014/06/Android-4.4.3,-or-fixing-an-old-local-root

Quote from their site:
"The vulnerability here is rather obvious: there is no check on the "id" variable, which is the name given by the user to its ASEC container. It is therefore possible to perform a basic path traversal, to create the ASEC file and its mount point in a different directory than expected, as for example one the "attacker" can write into.

The following code is then responsible for the creation of the mount point:

Code:

if (mkdir(mountPoint, 0000)) {
  if (errno != EEXIST) {
    SLOGE("Mountpoint creation failed (%s)", strerror(errno));
    if (cleanupDm) {
      Devmapper::destroy(idHash);
    }
    Loop::destroyByDevice(loopDevice);
    unlink(asecFileName);
    return -1;
  }
}
[...]
mountStatus = xxx::doMount(dmDevice, mountPoint, false, 
                 false, false, ownerUid, 0, 0000, false);

This means that if the mount point already exists, no error is raised, and the container is correctly mounted in "mountPoint". Guess what? If "mountPoint" already exists AND is a symlink to an existing directory, the ASEC container will be mounted over this directory. And the user will have full access to it, allowing him to write new files inside.

There are many ways of exploiting this vulnerability to gain root privileges.

Last detail about this vulnerability: it requires permissions to create ASEC containers. The "shell" user, as used by adb, has the requiered privileges. For the vulnerability to be exploited from an application, it needs the ASEC_* permissions (such as ASEC_CREATE)."

designgears · Jun 14, 2014

It has been patched.

K-alz · Jun 14, 2014

designgears said:
It has been patched.

[emoji115]this guy! is watching the threads secretly and I believe he is/has been doing some work

from my locked note 3!

davidstre · Jun 14, 2014

I think he knows it's patched but wants to know how it was patched so he can learn a bit.

Sent from my SM-G900V using XDA Premium 4 mobile app

starfall42 · Jun 14, 2014

The code for the actual fix is in the linked blog post. It doesn't allow directory names starting with .. or /, eliminating the ability to turn "/mnt/asec/mydirectory" into something like "/mnt/asec/../../system/xbin". In Linux , .. means go up a directory so that would translate to "/system/xbin".

Many distributions of Android have their own patchsets that are released before the official ones from Google. I'm not sure when Samsung introduced it into their release of Android, but it's definitely in the last released version which is why we can't use this for root.

jcase · Jun 14, 2014

This is the vulnerability I used in the videos i posted a few months back for Moto X, and reported to Google (it is exploitable on some devices without user interaction, rouge apps can use it on some devices to do bad things without the user knowing).

Google provides security fixes to OEMs with a minimum 90day embargo, OEMs have the fixes at least 90 days before the fixes end up on AOSP. In addition, it was already mitigated by SEAndroid policies on many devices, including Note 3, S4, and S5. So it was useless for those devices already.

It is also patched on s5, and newer note3 and S4 firmware.

It was patched by sanitizing the path, checking for traversal and failing if detected.

For an actual implementation of this (that I published after the blog you linked to detailed the vulnerability), see my exploit here http://xdaforums.com/moto-x/orig-development/root-4-4-x-pie-motorola-devices-t2771623

Phonegasm said:
Changing this to a learning question.
How did Samsung or other vendors fix this vulnerability?
It's not as simple as formating the SD card and running a specially formatted apk?
Thanks for any information.

http://blog.cassidiancybersecurity.com/post/2014/06/Android-4.4.3,-or-fixing-an-old-local-root

Quote from their site:
"The vulnerability here is rather obvious: there is no check on the "id" variable, which is the name given by the user to its ASEC container. It is therefore possible to perform a basic path traversal, to create the ASEC file and its mount point in a different directory than expected, as for example one the "attacker" can write into.

The following code is then responsible for the creation of the mount point:

Code:

if (mkdir(mountPoint, 0000)) { if (errno != EEXIST) { SLOGE("Mountpoint creation failed (%s)", strerror(errno)); if (cleanupDm) { Devmapper::destroy(idHash); } Loop::destroyByDevice(loopDevice); unlink(asecFileName); return -1; } } [...] mountStatus = xxx::doMount(dmDevice, mountPoint, false, false, false, ownerUid, 0, 0000, false);

This means that if the mount point already exists, no error is raised, and the container is correctly mounted in "mountPoint". Guess what? If "mountPoint" already exists AND is a symlink to an existing directory, the ASEC container will be mounted over this directory. And the user will have full access to it, allowing him to write new files inside.

There are many ways of exploiting this vulnerability to gain root privileges.

Last detail about this vulnerability: it requires permissions to create ASEC containers. The "shell" user, as used by adb, has the requiered privileges. For the vulnerability to be exploited from an application, it needs the ASEC_* permissions (such as ASEC_CREATE)."

Topics

Topics

Android 4.4.2 Local Root Vulnerability

Phonegasm

Member

designgears

Inactive Recognized Developer

K-alz

Senior Member

davidstre

Senior Member

starfall42

Member

jcase

Retired Forum Mod / Senior Recognized Developer

Similar threads

Top Liked Posts

New posts