Local Privilege Escalation Found

This is a discussion on Local Privilege Escalation Found within the Motorola Backflip Development & Hacking forums, part of the Motorola Backflip category.



  #1 mcferguson (Junior Member, joined Jul 2010, 5 posts)

    <Professor Farnsworth voice>

    Terrible news everyone! As of release 12.1199, the Motorola Backflip shipped with Linux kernel 2.6.17 and is vulnerable to the "do_mremap() mess" bug, which allows local privilege escalation!

    National Vulnerability Database (NVD): CVE-2010-0291

    I've checked the kernel source code on Motorola's site, and it does indeed seem to be unpatched (my C is a little rusty though, so you may verify for yourselves).

    But good news everyone! I'm sure this exploit will soon be fixed in an upcoming "over the air" release from AT&T and Motorola. Hopefully nobody will create an exploit for this vulnerability in the mean time.

    Here is a link to the specific ARM patch:

    git.kernel.org - linux/kernel/git/torvalds/linux-2.6.git/blobdiff - arch/arm/kernel/sys_arm.c

    I will post more information as I can uncover it. Please feel free to add anything (ahem, working source code ...) you can get. I may even need to install Linux once again ... ;(

    Happy hacking!



    Michael


  #2 MLBZ521 (Junior Member, joined Jul 2010, 25 posts)
    Seriously? I hope this isn't fixed in the 13.37 update...

    And I hope this can be exploited... ((Waits for testing...))

    We thank you for the support/development for our phone. We have a Root Bounty up, might interest you if you continue working for our cause.

  #3 moosefist (Moderator, joined Mar 2010, 121 posts)
    I got so sick of digging through CVEs I gave up on this route months ago.

    Thanks for finding this, when you say you looked at the kernel source, was that the 1199 source or the latest branch?

    I hope someone knows what to do with this :D

  #4 mcferguson (Junior Member, joined Jul 2010, 5 posts)
    CVE-2010-0291 is unpatched in the kernel contained in release 1199. Unfortunately I cannot find any published exploits for it, and I am not the man to make one. Fortunately an earlier suggestion posted by MLBZ521 (ImpelDown.c, CVE-2009-3547) is also unpatched in 1199, and the exploit code already exists. I think that may be the much easier route...

  #5 MLBZ521 (Junior Member, joined Jul 2010, 25 posts)
    Wait, I made what suggestion?

    Heh, I'd love to take credit, but I can not. I think you might mean someone else Professor. ;P

  #6 met3ora (Junior Member, joined Apr 2010, 10 posts)
    Here's some proof of concept on this particular exploit: http://seclists.org/bugtraq/2004/Jan/49

    If someone can run this C code on their device, we can tell if our devices are exploitable or not (officially).



  #7 techfury90 (Junior Member, joined Mar 2010, 28 posts)
    Quote originally posted by met3ora:
        Here's some proof of concept on this particular exploit: Bugtraq: Re: Linux kernel do_mremap() proof-of-concept exploit code

        If someone can run this C code on their device, we can tell if our devices are exploitable or not (officially).


    I don't think that's it.... that's from 2004. Might be a different vuln in the same function.

  #8 mcferguson (Junior Member, joined Jul 2010, 5 posts)
    Oops -- ImpelDown.c was actually mentioned in a post by weasel5i2. In any case, I confirmed that mmap_min_addr setting is set to 4096 on Android, so apparently that is why the exploit failed (despite the unpatched kernel). I may try again myself tonight just to test it, but it looks like we are back to CVE-2010-0291.
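
    The mmap_min_addr observation above is the whole reason ImpelDown.c fails on an otherwise unpatched kernel, and it is cheap to confirm on the device. The program below is an added example, not code from this thread, from ImpelDown.c or from Motorola: it reads the sysctl and then attempts the one step every NULL-pointer-dereference exploit needs before anything else, mapping a page of its own memory at virtual address 0. It assumes a Linux host with /proc mounted; running it on the Backflip itself would mean cross-compiling it for ARM, which is assumed rather than shown.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* vm.mmap_min_addr as the running kernel reports it, or -1 when the sysctl
 * cannot be read (non-Linux host, /proc not mounted). The thread reports
 * 4096 on the Backflip; desktop distributions usually ship 65536. */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Do exactly what a NULL-pointer-dereference exploit such as ImpelDown.c
 * must do first: put a page of attacker-controlled memory at address 0 so
 * that the kernel's call through a NULL function pointer lands on it.
 * Returns 0 if the mapping was created (it is released again at once),
 * otherwise the errno mmap() reported; EPERM is what the mmap_min_addr
 * check produces for an unprivileged caller. */
int try_map_zero_page(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, pg);
    return 0;
}

/* Pure classification of the two observations, kept separate from the
 * live probes so the reasoning can be checked on any host. */
const char *null_deref_verdict(long min_addr, int map_err)
{
    if (map_err == 0)
        return "zero page mappable: NULL-deref exploits can stage a payload";
    if (map_err == EPERM && min_addr > 0)
        return "blocked by mmap_min_addr: NULL-deref exploits cannot stage a payload, whatever the kernel's patch state";
    return "mapping refused for another reason (LSM policy, unsupported platform)";
}

int main(void)
{
    long m = read_mmap_min_addr();
    int e = try_map_zero_page();
    printf("vm.mmap_min_addr = %ld\n", m);
    printf("mmap(0, MAP_FIXED) -> %s\n", e ? strerror(e) : "success");
    printf("%s\n", null_deref_verdict(m, e));
    return 0;
}
```

    With mmap_min_addr at 4096 the mmap() call returns EPERM for an unprivileged shell, which is the failure the thread goes on to report; on kernels of this era only a process holding CAP_SYS_RAWIO gets past that check, so the unpatched pipe bug behind CVE-2009-3547 is unreachable from a normal shell even though the code is still there. A hit in the first branch of the verdict is the only result that makes ImpelDown.c worth retrying.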

  #9 SSeymour (Moderator, joined Mar 2010, 97 posts)
    Yeah, definitely not working; compiled and ran in the /data/local directory.

  #10 mcferguson (Junior Member, joined Jul 2010, 5 posts)
    I just noticed that, according to the file list posted by another user (sorry, cannot find post at the moment), the zygote binary is SUID root and world writable. I hope it really isn't going to be THAT easy. :P
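
    If that file listing is right, no kernel bug is needed at all: a set-uid-root binary that anyone can write to is privilege escalation by copying your own code over it. The spot check over adb is `ls -l /system/bin/zygote` (a sane set-uid file shows `-rwsr-xr-x`, a world-writable one `-rwsrwxrwx`), but the scanner below, an added example that is not from this thread or from Motorola, does the systematic version: it walks a directory tree and reports every set-uid or set-gid regular file that is also world-writable. It assumes a Linux host; building it for the phone would need an ARM cross-compiler, and the scratch tree its self-test creates is constructed here, not taken from any device.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_HITS 32
#define MAX_PATH_LEN 512

struct suid_hits {
    int count;
    char path[MAX_HITS][MAX_PATH_LEN];
};

/* The dangerous combination: a set-uid or set-gid bit together with
 * write permission for "other". Anything else is left alone. */
int is_suid_world_writable(mode_t m)
{
    return (m & (S_ISUID | S_ISGID)) != 0 && (m & S_IWOTH) != 0;
}

static void scan_dir(const char *dir, struct suid_hits *out)
{
    DIR *d = opendir(dir);          /* unreadable directories are skipped silently */
    struct dirent *ent;
    if (d == NULL)
        return;
    while ((ent = readdir(d)) != NULL) {
        char path[MAX_PATH_LEN];
        struct stat st;
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, ent->d_name) >= (int)sizeof path)
            continue;               /* too long: skip rather than report a truncated name */
        if (lstat(path, &st) != 0)  /* lstat so symlinks are never followed */
            continue;
        if (S_ISDIR(st.st_mode)) {
            scan_dir(path, out);
        } else if (S_ISREG(st.st_mode) && is_suid_world_writable(st.st_mode)
                   && out->count < MAX_HITS) {
            snprintf(out->path[out->count], MAX_PATH_LEN, "%s", path);
            out->count++;
        }
    }
    closedir(d);
}

/* Walk `root` and collect set-uid/set-gid regular files that are also
 * world-writable. Returns the number of hits (capped at MAX_HITS). */
int find_suid_world_writable(const char *root, struct suid_hits *out)
{
    out->count = 0;
    scan_dir(root, out);
    return out->count;
}

/* Constructed fixture: a scratch tree holding one planted 4777 file named
 * zygote (the situation described above) and one ordinary 4755 set-uid
 * file that must not be reported. Returns the hit count, or -1 if the
 * fixture could not be built; the first hit is kept in demo_first. */
static char demo_first[MAX_PATH_LEN];
const char *demo_first_hit(void) { return demo_first; }

int demo_scan(void)
{
    char root[] = "/tmp/suidscan.XXXXXX";
    char bin[MAX_PATH_LEN], bad[MAX_PATH_LEN], ok[MAX_PATH_LEN];
    static struct suid_hits hits;
    int fd, n;

    if (mkdtemp(root) == NULL)
        return -1;
    snprintf(bin, sizeof bin, "%s/bin", root);
    snprintf(bad, sizeof bad, "%s/zygote", bin);
    snprintf(ok, sizeof ok, "%s/su", bin);
    if (mkdir(bin, 0755) != 0)
        return -1;
    if ((fd = open(bad, O_WRONLY | O_CREAT, 0644)) < 0)
        return -1;
    fchmod(fd, S_ISUID | 0777);    /* 4777: set-uid AND world-writable */
    close(fd);
    if ((fd = open(ok, O_WRONLY | O_CREAT, 0644)) < 0)
        return -1;
    fchmod(fd, S_ISUID | 0755);    /* 4755: set-uid, only the owner may write */
    close(fd);

    n = find_suid_world_writable(root, &hits);
    snprintf(demo_first, sizeof demo_first, "%s", n > 0 ? hits.path[0] : "");

    unlink(bad); unlink(ok); rmdir(bin); rmdir(root);
    return n;
}

int main(int argc, char **argv)
{
    static struct suid_hits hits;
    int i, n;
    if (argc > 1) {
        n = find_suid_world_writable(argv[1], &hits);
        for (i = 0; i < n; i++)
            printf("SUID + world-writable: %s\n", hits.path[i]);
        printf("%d hit(s) under %s\n", n, argv[1]);
    } else {
        n = demo_scan();
        printf("fixture scan: %d hit(s), first = %s\n", n, n > 0 ? demo_first : "(none)");
    }
    return 0;
}
```

    Run with a directory argument to scan a real tree (as an unprivileged user it skips directories it cannot open, so a root shell over adb sees more); with no argument it runs the fixture and reports exactly the planted 4777 file. Where a busybox build is on the phone, `find / -type f -perm -4002` asks the same question.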
