[CVE-2013-3685][Root]Multiple LG Android devices, Sprite Software Backup

[DSiDewd]

-snip-

 

[pelrossvannak]

Root

Please explain me how to root LG F200S20e, I am a new android user. Thank you so much.

---------- Post added at 01:55 AM ---------- Previous post was at 01:30 AM ----------

how about LG F200S20e, android 4.1.2, May i use this file to root?

 

[Crossvxm]

Subject:
Race condition in Sprite Software's backup software, installed by OEM on LG Android devices.

Author:
Justin Case - [email protected]

CVE ID:
CVE-2013-3685

Effect:
Locally exploited vulnerability with minimal device user interaction which results in executing code as the root user. Under specific circumstances, it is possible to exploit this vulnerability without the device user's knowledge

Products:
"Backup"
"spritebud"

Vendors:
Sprite Software
LG Electronics
Potentially other vendors

Affected Versions:
spritebud 1.3.24
backup 2.5.4105
Likely others versions as well

Affected Devices (Subject to firmware configuration):
LG-E971 LG Optimus G
LG-E973 LG Optimus G
LG-E975 LG Optimus G
LG-E975K LG Optimus G
LG-E975T LG Optimus G
LG-E976 LG Optimus G
LG-E977 LG Optimus G
LG-F100K LG Optimus Vu
LG-F100L LG Optimus Vu
LG-F100S LG Optimus Vu
LG-F120K LG Optimus Vu
LG-F120L LG Optimus LTE Tag
LG-F120S LG Optimus LTE Tag
LG-F160K LG Optimus LTE 2
LG-F160L LG Optimus LTE 2
LG-F160LV LG Optimus LTE 2
LG-F160S LG Optimus LTE 2
LG-F180K LG Optimus G
LG-F180L LG Optimus G
LG-F180S LG Optimus G
LG-F200K LG Optimus Vu 2
LG-F200L LG Optimus Vu 2
LG-F200S LG Optimus Vu 2
LG-F240K LG Optimus G Pro
LG-F240L LG Optimus G Pro
LG-F240S LG Optimus G Pro
LG-F260K LG Optimus LTE 3
LG-F260L LG Optimus LTE 3
LG-F260S LG Optimus LTE 3
LG-L21 LG Optimus G
LG-LG870 LG (Unknown)
LG-LS860 LG Mach
LG-LS970 LG Optimus G
LG-P760 LG Optimus L9
LG-P769 LG Optimus L9
LG-P780 LG Optimus L7
LG-P875 LG Optimus F5
LG-P875h LG Optimus F5
LG-P880 LG Optimus 4X HD
LG-P940 LG Prada
LG-SU540 LG Prada 3.0
LG-SU870 LG Optimus 3D Cube
LG-US780 LG Lollipop
Potentially other devices as well.


Product Information:

"Backup" and "spritebud" are a setting and application backup/restore system written by Sprite Software and deployed on LG Android smartphones. "Backup" is the end user front end app, and "spritebud" is the service that preforms the backup and restore functions.


Details:

The "spritebud" daemon is started by the init scripts and runs as the root user. Listening on a unix socket, the daemon accepts instructions from the "Backup" app. Using a crafted backup, we can write to, change permission and change ownership of any file, being that "spritebud" is running under the root user.


The crafted backup contains restore data for our exploiting application, "com.cunninglogic.lgpwn". The data includes a 50mb dummy file (a) used to increase our exploit window, su binary (b), a script (c) to install su, and a text file (d) containing the path to our script. All files are owned by the application, and are world write/read/execute. All files are restored in alphabetical order. The entire backup, after compress, is approximately 2mb. The structure of this backup is as follows:


drwxrwxrwx u0_a114 u0_a114 2013-05-28 20:13 files


./files:
- -rwxr-xr-x u0_a114 u0_a114 52428800 2013-05-22 20:06 a
- -rwxr-xr-x u0_a114 u0_a114 91992 2013-05-22 20:07 b
- -rwxr-xr-x u0_a114 u0_a114 251 2013-05-22 20:12 c
- -rwxr-xr-x u0_a114 u0_a114 42 2013-05-22 20:07 d


Prior to restoration, our exploit app runs, watches the process and waits. During restoration, the spritebud daemon first creates the files directory, then sets it's permission and owner. Next it decompresses and restores the "a" file, our 50mb dummy files. During the restoration of "a", our exploit application has time to symlink "d", our text file containing the full path to our script (c), to /sys/kernel/uevent_helper. Upon restoration of file "d", our path is written to uevent_helper. When a hotplug even occurs (which occur every few seconds), the path contained in uevent_helper is execute by the kernel and our script (c) is executed and installs the su binary (b).

The LG870 is the LG Venice from Boost Mobile. I had that POS, no roms for that POS...

 

[Ras8]

LG optimus vu2 f200k

guys anyone know how to factory reset this device?, thnx

 

[Rachine35]

No more bloteware!!!

Thank you. I have been trying for months to get root access to this dam phone. You are awesome!!!

Subject:
Race condition in Sprite Software's backup software, installed by OEM on LG Android devices.

Author:
Justin Case - [email protected]

CVE ID:
CVE-2013-3685

Effect:
Locally exploited vulnerability with minimal device user interaction which results in executing code as the root user. Under specific circumstances, it is possible to exploit this vulnerability without the device user's knowledge

Products:
"Backup"
"spritebud"

Vendors:
Sprite Software
LG Electronics
Potentially other vendors

Affected Versions:
spritebud 1.3.24
backup 2.5.4105
Likely others versions as well

Affected Devices (Subject to firmware configuration):
LG-E971 LG Optimus G
LG-E973 LG Optimus G
LG-E975 LG Optimus G
LG-E975K LG Optimus G
LG-E975T LG Optimus G
LG-E976 LG Optimus G
LG-E977 LG Optimus G
LG-F100K LG Optimus Vu
LG-F100L LG Optimus Vu
LG-F100S LG Optimus Vu
LG-F120K LG Optimus Vu
LG-F120L LG Optimus LTE Tag
LG-F120S LG Optimus LTE Tag
LG-F160K LG Optimus LTE 2
LG-F160L LG Optimus LTE 2
LG-F160LV LG Optimus LTE 2
LG-F160S LG Optimus LTE 2
LG-F180K LG Optimus G
LG-F180L LG Optimus G
LG-F180S LG Optimus G
LG-F200K LG Optimus Vu 2
LG-F200L LG Optimus Vu 2
LG-F200S LG Optimus Vu 2
LG-F240K LG Optimus G Pro
LG-F240L LG Optimus G Pro
LG-F240S LG Optimus G Pro
LG-F260K LG Optimus LTE 3
LG-F260L LG Optimus LTE 3
LG-F260S LG Optimus LTE 3
LG-L21 LG Optimus G
LG-LG870 LG (Unknown)
LG-LS860 LG Mach
LG-LS970 LG Optimus G
LG-P760 LG Optimus L9
LG-P769 LG Optimus L9
LG-P780 LG Optimus L7
LG-P875 LG Optimus F5
LG-P875h LG Optimus F5
LG-P880 LG Optimus 4X HD
LG-P940 LG Prada
LG-SU540 LG Prada 3.0
LG-SU870 LG Optimus 3D Cube
LG-US780 LG Lollipop
Potentially other devices as well.


Product Information:

"Backup" and "spritebud" are a setting and application backup/restore system written by Sprite Software and deployed on LG Android smartphones. "Backup" is the end user front end app, and "spritebud" is the service that preforms the backup and restore functions.


Details:

The "spritebud" daemon is started by the init scripts and runs as the root user. Listening on a unix socket, the daemon accepts instructions from the "Backup" app. Using a crafted backup, we can write to, change permission and change ownership of any file, being that "spritebud" is running under the root user.


The crafted backup contains restore data for our exploiting application, "com.cunninglogic.lgpwn". The data includes a 50mb dummy file (a) used to increase our exploit window, su binary (b), a script (c) to install su, and a text file (d) containing the path to our script. All files are owned by the application, and are world write/read/execute. All files are restored in alphabetical order. The entire backup, after compress, is approximately 2mb. The structure of this backup is as follows:


drwxrwxrwx u0_a114 u0_a114 2013-05-28 20:13 files


./files:
- -rwxr-xr-x u0_a114 u0_a114 52428800 2013-05-22 20:06 a
- -rwxr-xr-x u0_a114 u0_a114 91992 2013-05-22 20:07 b
- -rwxr-xr-x u0_a114 u0_a114 251 2013-05-22 20:12 c
- -rwxr-xr-x u0_a114 u0_a114 42 2013-05-22 20:07 d


Prior to restoration, our exploit app runs, watches the process and waits. During restoration, the spritebud daemon first creates the files directory, then sets it's permission and owner. Next it decompresses and restores the "a" file, our 50mb dummy files. During the restoration of "a", our exploit application has time to symlink "d", our text file containing the full path to our script (c), to /sys/kernel/uevent_helper. Upon restoration of file "d", our path is written to uevent_helper. When a hotplug even occurs (which occur every few seconds), the path contained in uevent_helper is execute by the kernel and our script (c) is executed and installs the su binary (b).

 

[vettinan]

It works perfectly on L9 P760 V20h.
Root in 30sec! Thanks!

 

[pelrossvannak]

Great work jcase !! :good: I successfully rooted T-mobile USA p769 20d version.. Tried to see if I had spritebud with terminal emulator which got no file found. Downloaded the pwn apk and decided to try anyways. Followed the backup / recovery steps. Phone rebooted by itself. Downloaded root checker with successful root result .. Props !!!

Which option we have to tick to back up?

 

[jhempelayo]

im sorry if im getting messy here

i got LG F260S from korea (gave as a gift)
im living here in the philippines
im looking for a custom rom for my LGF260S (hopefully with a process o how to do it)

thanks in advance

 

[francyesco]

Successfully rooted P760 EUR 20H:victory:

 

[M1NUSCOLO]

does this work on 20h

 

[techcaptain]

Hi, my friend has a F200K and needs to root. Since I don't know LG stuff, what do I do to root? Just install the apk? (Also is there any custom roms+themes for the f200k too?) thanks.

--
Sent from my awesome rooted, themed (S5 theme) SM-N900L using XDA Premium 4 mobile app

 

[trekker99]

For info: This exploit doesn't work on LG F5 with firmware p87510g-esa-xx.

 

[0utcast]

if you get /system/xbin/spritebud does not exist (I don't have the file at that location)

what is the issue. (running version 4.4.2) - LG-F260S LG Optimus LTE 3

• i've installed the .apk.
• enable debugger mode
• enable debugger mode on the application
• turned phone off and back on
• did a backup
• did a restore
• ran again same error

i'm a noob, go gently with the sandpaper to the arse.

 

[jcase]

if you get /system/xbin/spritebud does not exist (I don't have the file at that location)

what is the issue. (running version 4.4.2) - LG-F260S LG Optimus LTE 3

• i've installed the .apk.
• enable debugger mode
• enable debugger mode on the application
• turned phone off and back on
• did a backup
• did a restore
• ran again same error

i'm a noob, go gently with the sandpaper to the arse.

Means your phone is not compatible

Sent from my HTC One_M8 using XDA Premium 4 mobile app

 

[Donmali]

unable to root lg f200l

please... admin, is there a simplified method to successfully root lg f200l on android kitkat 4.4.2?

 

[the inebriated]

I don't see the Optimus F7 listed. Will it work?

 

[ekoms420]

LG spree k120

has anyone tried the Lg Spree K120 from cricket. cant seam to root it. anyhelp would be awesome.
thanks

 

[Mrhayman12]

Lg g4 might work im checking the sprint ver

 

[Gostang]

Re

has anyone tried the Lg Spree K120 from cricket. cant seam to root it. anyhelp would be awesome.
thanks

I had no problem rooting mine but im haveing trouble finding a recovery for twrp

 

[Smur99]

How did you root it?
Sent from my LG-K120 using XDA Free mobile app