Intrepidus Group
Insight

Android Root Source Code: Looking at the C-Skills

Posted: September 10, 2010 – 10:59 am | Author: benn | Filed under: Mobile Security

This is a bit of a follow-up to our previous post, but we thought it would be interesting to dissect the source code of two of the recent Android root attacks: the udev exploit and the adb setuid exhaustion attack. The c-skillz site has posted the code for both exploits in the downloads available from their site. As they state, these attacks work against basically all Android phones released to date (and probably future ones if they run Android 2.1 or 2.2).

The udev exploit gained attention as one of the first attacks used against the Droid X, but it was posted on the c-skillz site about a week before it made a great deal of noise on other blogs and forums. The download also included a README file which points out that this attack mainly follows the exploit reported against udev and patched in 2009. Here's a link to the CVE it points out: CVE-2009-1185.

Android does not have a separate udev executable and process like standard Linux deployments do. However, large portions of the udev code have been moved into the init daemon (init, as on a standard Linux system, is typically the first userland process and runs as root). In a simplistic and brief nutshell, udev offers dynamic management of devices; notably, it allows standard users to "hotplug" devices that may require root-level access, such as a USB device. The kernel passes a message to the userland udev daemon, which in turn acts on the message. The issue is that versions of udev before 1.4.1 did not verify whether these messages actually came from the kernel. Thus, a rogue application can submit a message to udev and have an action executed (which in the case of Android means executed by the init process, running as root). While the kernel will need to be updated to send credentials with its messages to udev, the userland udev/init process is really where this vulnerability exists. I had originally referred to this as a kernel exploit, but that would technically be incorrect.

So here's a quick overview of the exploid.c code: when the application runs, it copies itself to the sqlite_stmt_journals directory (remember, we're not root yet, so we need a directory the "shell" user can write to). It then sends a NETLINK_KOBJECT_UEVENT message to run the copy of itself when the next hotplug event is triggered. The copied version of the executable then checks whether it is being run as root (this is our userland udev/init process) and, if so, remounts the system partition (which is normally mounted read-only) and dumps a copy of /system/bin/sh as /system/bin/rootshell with permissions 04711 (executable with the setuid bit set, so it always runs as root).
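As an added defensive illustration (not code from the post, from udev or from Android), here is the check that closes the hole described above: a uevent listener must verify that a NETLINK_KOBJECT_UEVENT message actually originated in the kernel before acting on it. The kernel fills the source address of every netlink message itself and assigns each userland socket a non-zero port id, so a kernel-originated uevent is the only kind with nl_pid == 0; kernel uevents are also multicast, so a unicast message can only have come from another process. The function names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <linux/netlink.h>

/* Return 1 only if the source address identifies the kernel.
 * nl_pid is set by the kernel, not the sender, so a userland process
 * cannot forge a 0 here; unprivileged senders also cannot multicast. */
int uevent_from_kernel(const struct sockaddr_nl *src, socklen_t srclen)
{
    if (src == NULL || srclen < sizeof(*src))
        return 0;
    if (src->nl_family != AF_NETLINK)
        return 0;
    if (src->nl_pid != 0)          /* sent by a userland process */
        return 0;
    if (src->nl_groups == 0)       /* unicast: not a broadcast uevent */
        return 0;
    return 1;
}

/* Receive one uevent from a NETLINK_KOBJECT_UEVENT socket.  Returns the
 * message length, or -1 (errno set) on error or when the message did not
 * come from the kernel and was therefore discarded. */
ssize_t receive_uevent(int fd, char *buf, size_t buflen)
{
    struct sockaddr_nl src;
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    struct msghdr msg;
    ssize_t n;

    memset(&msg, 0, sizeof(msg));
    memset(&src, 0, sizeof(src));
    msg.msg_name = &src;              /* kernel writes the sender here */
    msg.msg_namelen = sizeof(src);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;
    if (!uevent_from_kernel(&src, msg.msg_namelen)) {
        fprintf(stderr, "dropped uevent from port id %u (not kernel)\n",
                (unsigned)src.nl_pid);
        errno = EPERM;
        return -1;
    }
    return n;
}
```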

[Screenshot: Exploid.c NetLink calls]

Now let's look at the adb setuid exhaustion attack. Compiled, this typically has the name "rageagainstthecage", and the code refers to it as "CVE-2010-EASY" in one comment, but whatever you call it, it's a pretty smooth way of getting adbd (Android's debugging bridge daemon) to run as root. First the code checks that there is an NPROC setting. This is the maximum number of simultaneous processes the system will allow. A quick "ulimit -a" once connected over adb should show you this setting for your device (it is set to 3301 processes on a Droid Incredible). The code then tries to find the process ID of the currently running adb daemon on the device. After that, the attack starts a loop to generate processes until it can no longer fork any more. Once the limit is hit, one process is killed off and the adb daemon process is restarted. As the code comment points out, this is a bit of a race at this point: the adb daemon must be able to restart while the number of processes stays maxed out. When the adb daemon starts up on an Android device, it is running as root. The code later checks whether it should stay as root or run in "secure" mode, which drops its privileges to the "shell" account. This attack attempts to max out the process count so that when the adb daemon calls "setuid", the call fails. The current adb code does not check whether the setuid call succeeded, so it will happily keep running as root even if the call fails.
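The privilege-drop pattern this attack relies on, beside its corrected form, as an added example that is not the post's or adbd's own code: the unchecked version mirrors the bug described above (setuid's result is thrown away), while the checked version treats a failed or ineffective setuid as fatal. The setuid call is passed in as a function pointer so the failure path can be exercised without real uid changes; the function and stub names are this example's own, and AID_SHELL is the "shell" uid (2000) on Android.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define AID_SHELL 2000   /* uid of the "shell" account on Android */

/* Vulnerable pattern (hypothetical stand-in for the bug described above):
 * the results of setgid()/setuid() are ignored, so when setuid() fails,
 * e.g. with EAGAIN because the target uid is at its RLIMIT_NPROC limit,
 * the daemon silently keeps running as root. */
void drop_privileges_unchecked(void)
{
    (void)setgid(AID_SHELL);   /* result deliberately ignored: the bug */
    (void)setuid(AID_SHELL);
}

/* Hardened form.  Returns 0 only when the process verifiably runs as
 * `target`; pass the real setuid() in production, a stub in tests. */
int drop_privileges_checked(uid_t target, int (*do_setuid)(uid_t))
{
    if (do_setuid(target) != 0) {
        fprintf(stderr, "setuid(%u) failed: %s; refusing to run as root\n",
                (unsigned)target, strerror(errno));
        return -1;
    }
    /* Do not trust the return value alone: confirm the identity changed
     * before the daemon starts serving clients. */
    if (getuid() != target || geteuid() != target) {
        fprintf(stderr, "uid did not change to %u; refusing to continue\n",
                (unsigned)target);
        return -1;
    }
    return 0;
}

/* Test stubs: one mimics setuid() failing under process exhaustion,
 * the other reports success without changing anything. */
int setuid_exhausted(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }
int setuid_noop(uid_t uid)      { (void)uid; return 0; }
```

Calling drop_privileges_checked with the real setuid and the current uid succeeds; with setuid_exhausted it fails on the return value, and with setuid_noop it fails on the identity re-check, which is what catches a drop that only appeared to work.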

[Screenshot: RageAgainstTheCage running]


4 Comments

  1. Posted March 2, 2011 at 8:52 pm | Permalink

    This has been a very popular post for the past few days…. no comments?

  2. crispy
    Posted March 2, 2011 at 10:42 pm | Permalink

    It probably stems from the recent news of certain rootkit-infected apps on the Market Place that are malicious in content. Found here
    http://www.guardian.co.uk/technology/blog/2011/ma

  3. Kodos
    Posted March 3, 2011 at 4:39 am | Permalink

    nice posting ;)

  4. Posted March 3, 2011 at 7:39 am | Permalink

    Well it was linked from http://www.guardian.co.uk/technology/blog/2011/ma

15 Trackbacks

  1. By What is rageagainsthecage and how does it give me root? on September 21, 2010 at 10:34 pm

    [...] is rageagainsthecage and how does it give me root? The answer is actually posted in full at the Android Root Source Code. Below is just a sloppy paraphrase, but I hope it helps makes sense of the genius behind Mr. [...]

  2. By vm-kernel » Android Root Source on September 26, 2010 at 6:53 pm

    [...] [1] http://intrepidusgroup.com/insight/2010/09/android-root-source-code-looking-at-the-c-skills/ [...]

  3. [...] postings. However, occasionally, vulnerability information does get circulated (for instance on the Insight web page) but the vulnerabilities can usually only be exploited to “root” a device. [...]

  5. [...] now and then, information about vulnerabilities (for instance in the init service) does surface, but so far it has generally only been used to "root" a device. [...]

  6. [...] Besides compatibility updates, the new Unrevoked now uses another exploit under the hood, which is supposed to be more reliable than the previously used (and now infamous) rageagainstthecage. [...]

  8. [...] details of how the root code works are here. Note that this is a “privilege escalation” attack – once the app starts it uses the fact that it [...]

  10. [...] attack are relatively old but work with the Android versions used by most of the Android phones. A very good description of both exploits was published in September 2010 by Intrepidus [...]

  11. [...] code can go much further in rooting through a phone. Update: details of how the root code works are here. Note that this is a “privilege escalation” attack – once the app starts it uses the fact that it [...]

  12. By Anonymous on March 29, 2011 at 5:05 am

    [...] S there is the "Super One Click Tool", which can also root 2.2.1 with the psneuter and rageagainstthecage exploits (though not all 2.2.1 firmwares). The long guide also pushes in 2.2.1 [...]

  14. By DutchAndroid on July 27, 2011 at 4:29 pm

    [...] I dug even further and came to this site, explaining exactly how this exploit works: http://intrepidusgroup.com/insight/2010/09/android-root-source-code-looking-at-the-c-skills/ [...]