Android Exploit

출처: Nathaniel Husted, Augst 19, 2011, "Notes regarding Android OS System Development and Security as of Android 2.3.4"

7 Android Escalation of Privledge Attacks

Two attacks against the Android platform currently exist. These attacks

allow a user-level privledge to gain root privledges on the Android platform.

They both exploit userland vulnerabilities in Android. Some of these exploits

have been fixed, but the fixes depend on the manufacturer10

.

7.1 Rage Against The Cage

The Rage Against The Cage exploit takes advantage of a bug in the adb

code. The adb code on android performs certain actions as root at start up

but then drops root privledges using setuid. The exploit is in that the adb

code does not check if the setuid call succeeds of fails. If the call fails adb will

continue to run as the root user. Rage Against The Cage works by forking

enough children processes to reach the NPROC limit on the machine and

attempts to restart adb while NPROC is maxed. When this happens, the

setuid call will fail in adb and it will continue to run with root privledges.

Details can be found at http://intrepidusgroup.com/insight/2010/

09/android-root-source-code-looking-at-the-c-skills/.

7.2 Exploid

The exploid vulnerability takes advantage of the udev system on Android.

The Google developers removed a large amount of code from udev as it would

be implemented on Linux and moved the code into the init daemon. The

dillema is that the udev code used is susceptible to a bug that existed in

udev prior to 1.4.1 that did not verif that kernel messages it received came

from the kernel. In the Android OS this means that init would receive these

requests and init runs as root. A brief overview of the exploit is as follows:

1. Exploid copies it to a system directory writable to the shell user

2. It then sends a “NETLINK_KOBJECT_UEVENT” message to the

kernel.

3. Copied executable checks to see if it srunning as root..

4. When running as root, remounts system partition as read-write

5. Finally copies /system/bin/sh to /system/bin/rootshell and chmod’s

to 04711 to always run as root.

Details can be found at http://intrepidusgroup.com/insight/2010/

09/android-root-source-code-looking-at-the-c-skills/.

7.3 KillingInTheNameOf

The KillingInTheNameOf exploit is slightly different in that it takes advantage

of google’s custom shmem interface “ashmem”. The program maps the

system properties into a processes adress space. The vulnerability is that

they are not maped as write protected. The vulnerability then finds the

ro.secure property of adb and flips it. That allows any shell started by adb

to run as root. Rough details can be found in http://jon.oberheide.org/

files/bsides11-dontrootrobots.pdf.

7.4 ZimperLich

The ZimperLich follows the same structure as the Exploid vulnerability.

There are two major differences, though. First, ZimperLich attacks the

Zygote process on android and its lack of a check against the failure of setuid.

The Zygote process is the parent process which all Dalvik jails are

forked from. the other difference is that attacking Zygote does not require

a shell with a uid so the ZimperLich attack can be run from an APK. The

source code for ZimperLich can be found at http://c-skills.blogspot.

com/2011/02/zimperlich-sources.html.

7.5 GingerBreak

The GingerBreak exploit works in a similar manner to the Exploid vulnerability.

The difference is that in this case the exploit takes advantage of the

“vold” daemon improperly trusting messages recieved. A buffer underflow attack

is commited that causes and escalation of privledge attack. The attack

was found to work on on a number of devices from Android 2.2 to Android

3.0. The vulnerability is CVE-2011-1823. The very general description can be

found at https://groups.google.com/group/android-security-discuss/

browse\_thread/thread/1ac1582b7307fc5c. Source code for the exploit

can be found at http://c-skills.blogspot.com/2011/04/yummy-yummy-gingerbreak.

html.

This has supposedly been fixed in newer versions of the Android source

11 as of May 2nd.