Source: Nathaniel Husted, August 19, 2011, "Notes regarding Android OS System Development and Security as of Android 2.3.4"
7 Android Escalation of Privilege Attacks
Two attacks against the Android platform currently exist. These attacks allow a user-level privilege to gain root privileges on the Android platform. They both exploit userland vulnerabilities in Android. Some of these exploits have been fixed, but the fixes depend on the manufacturer.
7.1 Rage Against The Cage
The Rage Against The Cage exploit takes advantage of a bug in the adb code. The adb code on Android performs certain actions as root at start-up but then drops root privileges using setuid. The flaw is that the adb code does not check whether the setuid call succeeds or fails. If the call fails, adb will continue to run as the root user. Rage Against The Cage works by forking enough child processes to reach the NPROC limit on the machine and then attempting to restart adb while NPROC is maxed out. When this happens, the setuid call in adb fails and adb continues to run with root privileges. Details can be found at http://intrepidusgroup.com/insight/2010/09/android-root-source-code-looking-at-the-c-skills/.
7.2 Exploid
The Exploid vulnerability takes advantage of the udev system on Android. The Google developers removed a large amount of code from udev as it would be implemented on Linux and moved that code into the init daemon. The dilemma is that the udev code used is susceptible to a bug that existed in udev prior to 1.4.1, which did not verify that the kernel messages it received actually came from the kernel. In the Android OS this means that init would receive these requests, and init runs as root. A brief overview of the exploit is as follows:
1. Exploid copies itself to a system directory writable by the shell user.
2. It then sends a “NETLINK_KOBJECT_UEVENT” message to the kernel.
3. The copied executable checks to see if it is running as root.
4. When running as root, it remounts the system partition as read-write.
5. Finally, it copies /system/bin/sh to /system/bin/rootshell and chmods it to 04711 so that it always runs as root.
Details can be found at http://intrepidusgroup.com/insight/2010/09/android-root-source-code-looking-at-the-c-skills/.
7.3 KillingInTheNameOf
The KillingInTheNameOf exploit is slightly different in that it takes advantage of Google’s custom shmem interface, “ashmem”. The program maps the system properties into a process’s address space. The vulnerability is that they are not mapped write-protected. The exploit then finds the ro.secure property of adb and flips it. That allows any shell started by adb to run as root. Rough details can be found in http://jon.oberheide.org/files/bsides11-dontrootrobots.pdf.
7.4 ZimperLich
ZimperLich follows the same structure as the Exploid vulnerability. There are two major differences, though. First, ZimperLich attacks the Zygote process on Android and its lack of a check against the failure of setuid. The Zygote process is the parent process from which all Dalvik jails are forked. The other difference is that attacking Zygote does not require a shell with a uid, so the ZimperLich attack can be run from an APK. The source code for ZimperLich can be found at http://c-skills.blogspot.com/2011/02/zimperlich-sources.html.
7.5 GingerBreak
The GingerBreak exploit works in a similar manner to the Exploid vulnerability. The difference is that in this case the exploit takes advantage of the “vold” daemon improperly trusting the messages it receives. A buffer underflow attack is committed that causes an escalation of privilege. The attack was found to work on a number of devices from Android 2.2 to Android 3.0. The vulnerability is CVE-2011-1823. A very general description can be found at https://groups.google.com/group/android-security-discuss/browse_thread/thread/1ac1582b7307fc5c. Source code for the exploit can be found at http://c-skills.blogspot.com/2011/04/yummy-yummy-gingerbreak.html.
This has supposedly been fixed in newer versions of the Android source as of May 2nd.