an Android device's super-user account is called root
- root has rights and permissions over all files and programs on a UNIX-based system
- full control over the operating system
Bob Mingshen Sun, ANSR Lab Group Study, September 14, 2015, slide 5 / 54
configuration or behavior
- modify the look and feel with custom themes or boot animations
- uninstall pre-installed applications
- system backups and restores
- root apps: iptables-based firewalls, ad-blockers, overclocking
- audit the security of an Android device without being confined by UNIX permissions
for your clock without modifying APK files
- you can add custom text along with the clock, which will be displayed in the status bar and notification bar
- you can add color to the Date field in the notification bar
- you can choose your favorite font for the clock and Date field in the status bar and notification bar
- you can add your favorite fonts to your /sdcard/fonts/ folder; they will be listed in the app
- you can add bar code fonts for the clock and Date field in the status bar and notification bar
- you can add shadow and color for the clock and custom text as you like
- you can choose any color for the status bar
- you can make the notification bar fully transparent
exposed to applications that have been granted root permissions
- extract all data from the device
initialize the hardware, boot the kernel
- splash: first splash screen
- boot: boot image, i.e. the Linux kernel (zImage) and the root file system ram disk (initrd)
- recovery: minimal Android boot image
- system: /system, framework, libraries, binaries, pre-installed applications
- userdata: /data, app data, pictures, videos
- cache
- radio
care of low-level hardware initialization (clocks, RAM, media)
- provides support for loading recovery images
- putting the phone into download mode
Android kernel
- memory, I/O, memory protections, interrupt handlers, the CPU scheduler, device drivers
- finally mounts the root file system and starts the first user-space process, init
init
- init.rc starts some core Android services such as rild for telephony and mtpd for VPN access
- Zygote, Dalvik VM and System Server
the persistent storage at a low level
- flashing process via the fastboot protocol, a proprietary protocol, or both
- these protocols facilitate executing various tasks including flashing NAND partitions, rebooting the device, downloading and executing an alternate kernel image, etc.
end user from performing modifications to the device's firmware
unlocked boot loaders
- custom kernel, recovery image, or operating system image
- official mechanism in place that enables owners to unlock: fastboot oem unlock
- HTC
a device can be recovered by an attacker
- uploading a custom Android boot image or flashing a custom recovery image
- Google accounts, documents, contacts, passwords
- factory data reset
to replace the entirety of the system software preinstalled on the device without wiping user data
- used to apply updates downloaded manually or Over-the-Air (OTA)
- ClockworkMod recovery or TeamWin Recovery Project (TWRP)
loader
2. use fastboot to flash a customized recovery
3. use the customized recovery to patch an su binary into the /system/bin directory
Chainfire SuperSU
- recovery provides a graphical prompt each time an application requests root access
- manage which applications or users should be granted root access automatically
a booted system
soft root: get a root shell through an unpatched security flaw
- vulnerability in the Android kernel
- vulnerability of a process running as root
- vulnerable program with the set-uid bit
- a symbolic link attack against a file permission bug
lot of vulnerable C/C++ code. You may write such vulnerable code in the future. The vulnerabilities may cause considerable damage and even affect national security.
argument specifies a communication domain; this selects the protocol family which will be used for communication. These families are defined in <sys/socket.h>. The currently understood formats include:

    Name                  Purpose                           Man page
    AF_UNIX, AF_LOCAL     Local communication               unix(7)
    AF_INET               IPv4 Internet protocols           ip(7)
    AF_INET6              IPv6 Internet protocols           ipv6(7)
    AF_IPX                IPX - Novell protocols
    AF_NETLINK            Kernel user interface device      netlink(7)
    AF_X25                ITU-T X.25 / ISO-8208 protocol    x25(7)
    AF_AX25               Amateur radio AX.25 protocol
    AF_ATMPVC             Access to raw ATM PVCs
    AF_APPLETALK          AppleTalk                         ddp(7)
    AF_PACKET             Low level packet interface        packet(7)
    /* members of struct proto_ops (include/linux/net.h, 2.4-era kernel);
     * the slide starts at release, earlier members are not shown */
    struct proto_ops {
        int          (*release)    (struct socket *sock);
        int          (*bind)       (struct socket *sock, struct sockaddr *umyaddr, int sockaddr_len);
        int          (*connect)    (struct socket *sock, struct sockaddr *uservaddr, int sockaddr_len, int flags);
        int          (*socketpair) (struct socket *sock1, struct socket *sock2);
        int          (*accept)     (struct socket *sock, struct socket *newsock, int flags);
        int          (*getname)    (struct socket *sock, struct sockaddr *uaddr, int *usockaddr_len, int peer);
        unsigned int (*poll)       (struct file *file, struct socket *sock, struct poll_table_struct *wait);
        int          (*ioctl)      (struct socket *sock, unsigned int cmd, unsigned long arg);
        int          (*listen)     (struct socket *sock, int len);
        int          (*shutdown)   (struct socket *sock, int flags);
        int          (*setsockopt) (struct socket *sock, int level, int optname, char *optval, int optlen);
        int          (*getsockopt) (struct socket *sock, int level, int optname, char *optval, int *optlen);
        int          (*sendmsg)    (struct socket *sock, struct msghdr *m, int total_len, struct scm_cookie *scm);
        int          (*recvmsg)    (struct socket *sock, struct msghdr *m, int total_len, int flags, struct scm_cookie *scm);
        int          (*mmap)       (struct file *file, struct socket *sock, struct vm_area_struct *vma);
        ssize_t      (*sendpage)   (struct socket *sock, struct page *page, int offset, size_t size, int flags);
    };
    #include <sys/sendfile.h>
    ssize_t sendfile(int out_fd, int in_fd, off_t *offset, size_t count);

sendfile() copies data between one file descriptor and another. Because this copying is done within the kernel, sendfile() is more efficient than the combination of read(2) and write(2), which would require transferring data to and from user space.
defines how many processes a given UID can have running
adb daemon <-> adb server

    /* run under root privileges */
    /* don't listen on a port (default 5037) if running in secure mode */
    /* don't run as root if we are running in secure mode */
    if (secure) {
        ...
        /* then switch user and group to "shell" */
        /* neither return value is checked: if setuid() fails, adbd simply
         * keeps running as root (the RLIMIT_NPROC attack described later);
         * note also that setgid() needs root, so it must come before setuid() */
        setuid(AID_SHELL);
        setgid(AID_SHELL);
        ...
    }
ADB shell (under the shell UID)
- fork processes until the fork call fails (RLIMIT_NPROC exceeded)
- kill adbd (it restarts as root again)
- adbd cannot drop privileges to shell because of the process limit
a negative index can be used
[Figure 8-7: Negative GOT index from the heap. Layout from low to high addresses: .text, GOT, .data, heap; an index of −n from the heap reaches back into the GOT.]
proper check for negative indexes. The following output from git diff shows the relevant change.

Patch for the Missing Bounds Check in handlePartitionAdded with f3d3ce5

--- a/DirectVolume.cpp +++ b/DirectVolume.cpp @@ -186,6 +186,11 @@ void DirectVolume: :handlePart i t ionAdded (const char *devpath, Net l inkEvent *evt) part_num = 1; } ↓ The missing bounds checks are added here. + if (part_num > MAX_PARTITIONS | | part_num < 1) { + SLOGW("Inval id ' PARTN ' value"); + part_num = 1; + } + if (part_num > mDiskNumParts) { mDiskNumParts = part_num; }

This is a classic instance of a write-four primitive. This primitive describes the situation where an attacker-controlled 32-bit value is written to an attacker-
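Review bot: after the SLOGW the new check falls back to `part_num = 1;` instead of rejecting the event, so a PARTN value that is out of range (below 1 or above MAX_PARTITIONS) is still processed as if it belonged to partition 1, and the following `if (part_num > mDiskNumParts)` update runs on that substituted value as well. Consider returning from handlePartitionAdded right after the warning so a malformed netlink event cannot alias a legitimate partition, and keep the clamp only if that aliasing is intended and documented.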
an image of the main memory of the computer; it may be used, for example, to examine (and even patch) the system
/dev/exynos-mem
[Figure: a split view of the Linux kernel under the System Call Interface. Kernel subsystems: management, memory management, filesystems, device control, networking. Features implemented: concurrency and multitasking, virtual memory, files and dirs (the VFS), ttys and device access, connectivity. Software support: arch-dependent code, memory manager, file system types, character devices, block devices, network subsystem, IF drivers. Hardware: CPU, memory, disks and CDs, consoles etc., network interfaces.]
    /* file operations of the /dev/exynos-mem driver; the slide shows only
     * the initializer, so the variable name below is assumed */
    static const struct file_operations exynos_mem_fops = {
        .open           = exynos_mem_open,
        .release        = exynos_mem_release,
        .unlocked_ioctl = exynos_mem_ioctl,
        .mmap           = exynos_mem_mmap,
    };
for the function handling /proc/kallsyms
- parse /proc/kallsyms to find the address of the function, then remove the permission check and execute the setresuid system call in user space
- reverse the changes it made to kernel memory and execute a root shell
- a simple patch could be to set the permissions to 0660 or 0600