[CVE-2013-3685][Root]Multiple LG Android devices, Sprite Software Backup

Search This thread

jcase

Retired Forum Mod / Senior Recognized Developer
Feb 20, 2010
6,331
15,774
Sequim WA
Subject:
Race condition in Sprite Software's backup software, installed by OEM on LG Android devices.

Author:
Justin Case - [email protected]

CVE ID:
CVE-2013-3685

Effect:
Locally exploited vulnerability with minimal device user interaction which results in executing code as the root user. Under specific circumstances, it is possible to exploit this vulnerability without the device user's knowledge

Products:
"Backup"
"spritebud"

Vendors:
Sprite Software
LG Electronics
Potentially other vendors

Affected Versions:
spritebud 1.3.24
backup 2.5.4105
Likely others versions as well

Affected Devices (Subject to firmware configuration):
LG-E971 LG Optimus G
LG-E973 LG Optimus G
LG-E975 LG Optimus G
LG-E975K LG Optimus G
LG-E975T LG Optimus G
LG-E976 LG Optimus G
LG-E977 LG Optimus G
LG-F100K LG Optimus Vu
LG-F100L LG Optimus Vu
LG-F100S LG Optimus Vu
LG-F120K LG Optimus Vu
LG-F120L LG Optimus LTE Tag
LG-F120S LG Optimus LTE Tag
LG-F160K LG Optimus LTE 2
LG-F160L LG Optimus LTE 2
LG-F160LV LG Optimus LTE 2
LG-F160S LG Optimus LTE 2
LG-F180K LG Optimus G
LG-F180L LG Optimus G
LG-F180S LG Optimus G
LG-F200K LG Optimus Vu 2
LG-F200L LG Optimus Vu 2
LG-F200S LG Optimus Vu 2
LG-F240K LG Optimus G Pro
LG-F240L LG Optimus G Pro
LG-F240S LG Optimus G Pro
LG-F260K LG Optimus LTE 3
LG-F260L LG Optimus LTE 3
LG-F260S LG Optimus LTE 3
LG-L21 LG Optimus G
LG-LG870 LG (Unknown)
LG-LS860 LG Mach
LG-LS970 LG Optimus G
LG-P760 LG Optimus L9
LG-P769 LG Optimus L9
LG-P780 LG Optimus L7
LG-P875 LG Optimus F5
LG-P875h LG Optimus F5
LG-P880 LG Optimus 4X HD
LG-P940 LG Prada
LG-SU540 LG Prada 3.0
LG-SU870 LG Optimus 3D Cube
LG-US780 LG Lollipop
Potentially other devices as well.


Product Information:

"Backup" and "spritebud" are a setting and application backup/restore system written by Sprite Software and deployed on LG Android smartphones. "Backup" is the end user front end app, and "spritebud" is the service that preforms the backup and restore functions.


Details:

The "spritebud" daemon is started by the init scripts and runs as the root user. Listening on a unix socket, the daemon accepts instructions from the "Backup" app. Using a crafted backup, we can write to, change permission and change ownership of any file, being that "spritebud" is running under the root user.


The crafted backup contains restore data for our exploiting application, "com.cunninglogic.lgpwn". The data includes a 50mb dummy file (a) used to increase our exploit window, su binary (b), a script (c) to install su, and a text file (d) containing the path to our script. All files are owned by the application, and are world write/read/execute. All files are restored in alphabetical order. The entire backup, after compress, is approximately 2mb. The structure of this backup is as follows:


drwxrwxrwx u0_a114 u0_a114 2013-05-28 20:13 files


./files:
- -rwxr-xr-x u0_a114 u0_a114 52428800 2013-05-22 20:06 a
- -rwxr-xr-x u0_a114 u0_a114 91992 2013-05-22 20:07 b
- -rwxr-xr-x u0_a114 u0_a114 251 2013-05-22 20:12 c
- -rwxr-xr-x u0_a114 u0_a114 42 2013-05-22 20:07 d


Prior to restoration, our exploit app runs, watches the process and waits. During restoration, the spritebud daemon first creates the files directory, then sets it's permission and owner. Next it decompresses and restores the "a" file, our 50mb dummy files. During the restoration of "a", our exploit application has time to symlink "d", our text file containing the full path to our script (c), to /sys/kernel/uevent_helper. Upon restoration of file "d", our path is written to uevent_helper. When a hotplug even occurs (which occur every few seconds), the path contained in uevent_helper is execute by the kernel and our script (c) is executed and installs the su binary (b).
 

Attachments

  • LGPwn.apk
    2.2 MB · Views: 63,711
Last edited:

o131313o

Member
Jun 30, 2013
6
0
Amazing Work

Great work jcase !! :good: I successfully rooted T-mobile USA p769 20d version.. Tried to see if I had spritebud with terminal emulator which got no file found. Downloaded the pwn apk and decided to try anyways. Followed the backup / recovery steps. Phone rebooted by itself. Downloaded root checker with successful root result .. Props !!!
 

zviki

Senior Member
Dec 30, 2008
1,401
211
Maribor
Great! It just works. Thanks man. And btw,smart move. :D
P.S. -Is this related to the recently discovered security hole in Android?

Sent from my LG-P760 using Tapatalk 2
 
Last edited:

Burmand

Member
Jul 18, 2013
26
4
Mabalacat City
Hello Jcase, first of all i am a total noob to this so sorry if i dont know how to make it work, but when i try to open the file it starts properly and when i click rootme the program returns with the backup has stopped and reboot my phone. what am i doing wrong?

My phone is a LG-F180S and i would love to get it rooted, i just bought this phone from a Korean and want to change it to the E975 version, been reading a lot of threads and tried a lot of rooting but nothing works.

Hope u can help me out,

Thx in advance
 

CrazyAssMoM

New member
Sep 1, 2012
2
0
54
Citrus Heights
NOOB like me...

Thank you,Thank you,Thank you,!!!
I am finally rooted...you are a GENIUS!
If a NOOB like me can root my T-mobile LG P769 , anyone can..lol
I just got this phone a week ago, and have been trying everything out there to get it rooted & your method finally worked.
Any good ideas on what to do now? I'm a little nervous, this phone seems to be a lot harder to break than my LG Esteem was.
(was using LG Esteem MS910,fully rooted,debloated,DeVerTedRom V2, 2.6.35.7-LD-ZVD_Speed_Kernel [email protected]#1)

Specs:
Android version
4.1.2
Baseband Version
L6260_MODEM_SIC_01.1305.00
Kernel Version
3.0.31
Build number
JZ054K
Software version
P76920f


Once again, THANK YOU :highfive:
 
Jul 20, 2013
41
3
Oregon
P76820F

Thanks a ton for uploading this, tried many methods of rooting ie: Lelus, SuperSu, etc. This worked so simply and with no need of previous experience. My LG Optimus L9 seemed impossible to root after the OTA to 20F Jelly Bean, thanks again for creating this wonderful application!
 
Last edited:

Ogre6473

Senior Member
Aug 20, 2008
188
22
Houston
If I wasn't a bum right now, I'd totally send a donation as thanks.

Sent from my LG-P769 using xda app-developers app
 

Knotsea

New member
Jun 30, 2013
3
0
When i download SuperSu, I get an error that states "There is no SU binary installed, and SuperSU cannot install it. This is a problem"
I have the L9 L769
 

Knotsea

New member
Jun 30, 2013
3
0
Still no success.

After 3 weeks of attempts, I have yet to root my L9 P769. I've had to live with my phone with an uncalibrated screen for much too long now. What was promised to be an easy task, has proven to be a huge mistake on my part. My friend was the one that convinced me to root my phone, and he was the one that wanted to root it. To make a long story short, he left me with an awesome phone that I cannot use to it's full potential. Not even half of it.
I have tried to figure this out on my own by reading through endless amounts of forums, and my main issue seems to be the dead links to the software I require to root my phone. I am beyond desperate to fix my phone, I have considered claiming it stolen to have it replaced with my insurance.
I have the LG Optimus L9 P769 10g ICS.
I am currently having an issue with the SuperSU. I would love any help.
 

Meda808

Senior Member
Nov 17, 2011
130
82
Chico, CA
After 3 weeks of attempts, I have yet to root my L9 P769. I've had to live with my phone with an uncalibrated screen for much too long now. What was promised to be an easy task, has proven to be a huge mistake on my part. My friend was the one that convinced me to root my phone, and he was the one that wanted to root it. To make a long story short, he left me with an awesome phone that I cannot use to it's full potential. Not even half of it.
I have tried to figure this out on my own by reading through endless amounts of forums, and my main issue seems to be the dead links to the software I require to root my phone. I am beyond desperate to fix my phone, I have considered claiming it stolen to have it replaced with my insurance.
I have the LG Optimus L9 P769 10g ICS.
I am currently having an issue with the SuperSU. I would love any help.

How did you get an uncalibrated screen were you trying to unlock the bootloader? how usable is it right now?

This is the method i used for rooting 10g. I had to read and execute a couple times to get the process right but all the software is provided in the thread.
 
Jun 12, 2013
16
6
And LG-P895 -_-

Sent from my LG-P895 using xda premium

---------- Post added at 09:57 PM ---------- Previous post was at 09:53 PM ----------

Did it will work wit LG Vu P895

Sent from my LG-P895 using xda premium
 

Top Liked Posts

  • There are no posts matching your filters.
  • 44
    Subject:
    Race condition in Sprite Software's backup software, installed by OEM on LG Android devices.

    Author:
    Justin Case - [email protected]

    CVE ID:
    CVE-2013-3685

    Effect:
    Locally exploited vulnerability with minimal device user interaction which results in executing code as the root user. Under specific circumstances, it is possible to exploit this vulnerability without the device user's knowledge

    Products:
    "Backup"
    "spritebud"

    Vendors:
    Sprite Software
    LG Electronics
    Potentially other vendors

    Affected Versions:
    spritebud 1.3.24
    backup 2.5.4105
    Likely others versions as well

    Affected Devices (Subject to firmware configuration):
    LG-E971 LG Optimus G
    LG-E973 LG Optimus G
    LG-E975 LG Optimus G
    LG-E975K LG Optimus G
    LG-E975T LG Optimus G
    LG-E976 LG Optimus G
    LG-E977 LG Optimus G
    LG-F100K LG Optimus Vu
    LG-F100L LG Optimus Vu
    LG-F100S LG Optimus Vu
    LG-F120K LG Optimus Vu
    LG-F120L LG Optimus LTE Tag
    LG-F120S LG Optimus LTE Tag
    LG-F160K LG Optimus LTE 2
    LG-F160L LG Optimus LTE 2
    LG-F160LV LG Optimus LTE 2
    LG-F160S LG Optimus LTE 2
    LG-F180K LG Optimus G
    LG-F180L LG Optimus G
    LG-F180S LG Optimus G
    LG-F200K LG Optimus Vu 2
    LG-F200L LG Optimus Vu 2
    LG-F200S LG Optimus Vu 2
    LG-F240K LG Optimus G Pro
    LG-F240L LG Optimus G Pro
    LG-F240S LG Optimus G Pro
    LG-F260K LG Optimus LTE 3
    LG-F260L LG Optimus LTE 3
    LG-F260S LG Optimus LTE 3
    LG-L21 LG Optimus G
    LG-LG870 LG (Unknown)
    LG-LS860 LG Mach
    LG-LS970 LG Optimus G
    LG-P760 LG Optimus L9
    LG-P769 LG Optimus L9
    LG-P780 LG Optimus L7
    LG-P875 LG Optimus F5
    LG-P875h LG Optimus F5
    LG-P880 LG Optimus 4X HD
    LG-P940 LG Prada
    LG-SU540 LG Prada 3.0
    LG-SU870 LG Optimus 3D Cube
    LG-US780 LG Lollipop
    Potentially other devices as well.


    Product Information:

    "Backup" and "spritebud" are a setting and application backup/restore system written by Sprite Software and deployed on LG Android smartphones. "Backup" is the end user front end app, and "spritebud" is the service that preforms the backup and restore functions.


    Details:

    The "spritebud" daemon is started by the init scripts and runs as the root user. Listening on a unix socket, the daemon accepts instructions from the "Backup" app. Using a crafted backup, we can write to, change permission and change ownership of any file, being that "spritebud" is running under the root user.


    The crafted backup contains restore data for our exploiting application, "com.cunninglogic.lgpwn". The data includes a 50mb dummy file (a) used to increase our exploit window, su binary (b), a script (c) to install su, and a text file (d) containing the path to our script. All files are owned by the application, and are world write/read/execute. All files are restored in alphabetical order. The entire backup, after compress, is approximately 2mb. The structure of this backup is as follows:


    drwxrwxrwx u0_a114 u0_a114 2013-05-28 20:13 files


    ./files:
    - -rwxr-xr-x u0_a114 u0_a114 52428800 2013-05-22 20:06 a
    - -rwxr-xr-x u0_a114 u0_a114 91992 2013-05-22 20:07 b
    - -rwxr-xr-x u0_a114 u0_a114 251 2013-05-22 20:12 c
    - -rwxr-xr-x u0_a114 u0_a114 42 2013-05-22 20:07 d


    Prior to restoration, our exploit app runs, watches the process and waits. During restoration, the spritebud daemon first creates the files directory, then sets it's permission and owner. Next it decompresses and restores the "a" file, our 50mb dummy files. During the restoration of "a", our exploit application has time to symlink "d", our text file containing the full path to our script (c), to /sys/kernel/uevent_helper. Upon restoration of file "d", our path is written to uevent_helper. When a hotplug even occurs (which occur every few seconds), the path contained in uevent_helper is execute by the kernel and our script (c) is executed and installs the su binary (b).
    1
    Neither is the work, donation made, enjoy a beer or a cheap American six pack on me, ha.

    Sent from my LG-P769 using Tapatalk 2

    Thanks, will end up being pizza or ice cream for the kids
    1
    Enclosed. I grep'ed the logcat file for lgpwn, here is what came of it:

    I/ActivityManager( 350): START {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.cunninglogic.lgpwn/.MainActivity u=0} from pid 638
    I/ActivityManager( 350): Start proc com.cunninglogic.lgpwn for activity com.cunninglogic.lgpwn/.MainActivity: pid=2527 uid=10120 gids={1015, 1028}
    D/SurfaceFlinger( 142): createSurface for (1 x 1), name=Starting com.cunninglogic.lgpwn
    W/ActivityThread( 2527): Application com.cunninglogic.lgpwn is waiting for the debugger on port 8100...
    W/ActivityManager( 350): Activity idle timeout for ActivityRecord{418e27f8 com.cunninglogic.lgpwn/.MainActivity}

    In developer settings, do you have an app marked to be debugged?
    1
    Subject:
    Race condition in Sprite Software's backup software, installed by OEM on LG Android devices.

    Author:
    Justin Case - [email protected]

    CVE ID:
    CVE-2013-3685

    Effect:
    Locally exploited vulnerability with minimal device user interaction which results in executing code as the root user. Under specific circumstances, it is possible to exploit this vulnerability without the device user's knowledge

    Products:
    "Backup"
    "spritebud"

    Vendors:
    Sprite Software
    LG Electronics
    Potentially other vendors

    Affected Versions:
    spritebud 1.3.24
    backup 2.5.4105
    Likely others versions as well

    Affected Devices (Subject to firmware configuration):
    LG-E971 LG Optimus G
    LG-E973 LG Optimus G
    LG-E975 LG Optimus G
    LG-E975K LG Optimus G
    LG-E975T LG Optimus G
    LG-E976 LG Optimus G
    LG-E977 LG Optimus G
    LG-F100K LG Optimus Vu
    LG-F100L LG Optimus Vu
    LG-F100S LG Optimus Vu
    LG-F120K LG Optimus Vu
    LG-F120L LG Optimus LTE Tag
    LG-F120S LG Optimus LTE Tag
    LG-F160K LG Optimus LTE 2
    LG-F160L LG Optimus LTE 2
    LG-F160LV LG Optimus LTE 2
    LG-F160S LG Optimus LTE 2
    LG-F180K LG Optimus G
    LG-F180L LG Optimus G
    LG-F180S LG Optimus G
    LG-F200K LG Optimus Vu 2
    LG-F200L LG Optimus Vu 2
    LG-F200S LG Optimus Vu 2
    LG-F240K LG Optimus G Pro
    LG-F240L LG Optimus G Pro
    LG-F240S LG Optimus G Pro
    LG-F260K LG Optimus LTE 3
    LG-F260L LG Optimus LTE 3
    LG-F260S LG Optimus LTE 3
    LG-L21 LG Optimus G
    LG-LG870 LG (Unknown)
    LG-LS860 LG Mach
    LG-LS970 LG Optimus G
    LG-P760 LG Optimus L9
    LG-P769 LG Optimus L9
    LG-P780 LG Optimus L7
    LG-P875 LG Optimus F5
    LG-P875h LG Optimus F5
    LG-P880 LG Optimus 4X HD
    LG-P940 LG Prada
    LG-SU540 LG Prada 3.0
    LG-SU870 LG Optimus 3D Cube
    LG-US780 LG Lollipop
    Potentially other devices as well.


    Product Information:

    "Backup" and "spritebud" are a setting and application backup/restore system written by Sprite Software and deployed on LG Android smartphones. "Backup" is the end user front end app, and "spritebud" is the service that preforms the backup and restore functions.


    Details:

    The "spritebud" daemon is started by the init scripts and runs as the root user. Listening on a unix socket, the daemon accepts instructions from the "Backup" app. Using a crafted backup, we can write to, change permission and change ownership of any file, being that "spritebud" is running under the root user.


    The crafted backup contains restore data for our exploiting application, "com.cunninglogic.lgpwn". The data includes a 50mb dummy file (a) used to increase our exploit window, su binary (b), a script (c) to install su, and a text file (d) containing the path to our script. All files are owned by the application, and are world write/read/execute. All files are restored in alphabetical order. The entire backup, after compress, is approximately 2mb. The structure of this backup is as follows:


    drwxrwxrwx u0_a114 u0_a114 2013-05-28 20:13 files


    ./files:
    - -rwxr-xr-x u0_a114 u0_a114 52428800 2013-05-22 20:06 a
    - -rwxr-xr-x u0_a114 u0_a114 91992 2013-05-22 20:07 b
    - -rwxr-xr-x u0_a114 u0_a114 251 2013-05-22 20:12 c
    - -rwxr-xr-x u0_a114 u0_a114 42 2013-05-22 20:07 d


    Prior to restoration, our exploit app runs, watches the process and waits. During restoration, the spritebud daemon first creates the files directory, then sets it's permission and owner. Next it decompresses and restores the "a" file, our 50mb dummy files. During the restoration of "a", our exploit application has time to symlink "d", our text file containing the full path to our script (c), to /sys/kernel/uevent_helper. Upon restoration of file "d", our path is written to uevent_helper. When a hotplug even occurs (which occur every few seconds), the path contained in uevent_helper is execute by the kernel and our script (c) is executed and installs the su binary (b).

    omg omg thank you man, you rock, finally managed to root my lg l9, props to you man, i didnt know how to check on spritebud and other stuff, but i said meh lets try it, i used root checker, it said im rooted,
    1
    hot plug trick

    It initially appeared that the exploit had been patched in P769 V20h, but I was able to get it to work.

    What I did was restore the backup and prior to clicking the button to restart, plugged the phone into my computer. I was prompted with a SuperSU confirmation dialog and I granted access.

    This hotplug wasn't necessary with previous ROM versions, but maybe something changed. I read that was how the exploit worked, so I thought I'd give it a try.


    Thanks! The hot plug trick worked for me on P76920h