After 40 hours of auditing code, I think I have a working method to gain root on the MB300. Long story short, from the code I went over, it appears I have the ability to now create mode 0666 block devices with any major/minor number I want.
The question is, can I get a block device with write access to the underlying mtd subsystem? I'm thinking a loopback block device to the existing mtdblock1 block device may work, but not entirely sure off the top of my head if that'll work due to how the loopback subsystem works. If anyone wants to create a mode 666 loopback device linked to another block device root owned w/ mode 0600 and mounted as a read-only filesystem, please do so as it will save me a little bit of time.
There also appears to be a reference to a /dev/root device for utilization on read-only file systems, but I still need to investigate this.
Anyway, assuming I can actually initiate the creation of the mode 0666 block device and I do control the major/minor numbers, ideas on how to gain write access to an already mounted and existing mtd block device without the nosuid option set would be great.
I'll release more details once I've confirmed this is working, as I want to evaluate how widespread the vulnerability is.
Ideas and feedback are appreciated.
1. User land netlink message accepted. (confirmed)
2. Block device creation w/ mode 0666. (in progress)
3. Ability to control block device major/minor numbers. (confirmed)
4. Determination of block device to create. (pending)
5. Method of privilege escalation. (pending)