Security vuln on 4.3+4.4: overwrite any file/device with the string "Permission denied" #284
Comments
Hello, perhaps you are able to reply in German. My data
Thanks
yes I'm with you to fight back. I'm trying to get my root back.
This applies to any apps that request root permission and the user subsequently hits Deny. This only applies to 4.3+4.4, which use a client/server model instead of the traditional setuid model. The attacker only needs the ability to run executable code (such as embedded in a "libs" directory).
[exploit details withheld: contact me to discuss]
After the exploit code is run by an untrusted user, the user is presented with a permission request screen. Obviously there is no problem if the user allows permission. However, if the user denies permission, the string "Permission denied" is written into the file of the attacker's choice. This could have any number of consequences. Clearly this can be used to brick the phone. For example I could pass /dev/block/mmcblk0p40 and stick "Permission denied" at the beginning of the user's baseband or fastboot partition. Or I could break any apps on the writable data partition by overwriting their classes.dex.
The permission request screen can be easily hidden with a bit of WindowManager, Toast or Intent magic to get out of there before it even loads.
I don't know yet if the "Permission denied" string can be changed, but even as is, it means rogue apps can damage the phone, which is pretty scary.
Other notes for 4.3/4.4 from my testing: su does not need to be setuid. I don't know why the install scripts still insist on making it setuid. I have tested on my own device and it works fine without setuid because of the client/server model. [This is a better resolution to CVE-2013-6770 instead of whatever hack was put in to fix the immediate problem.]
Obviously this code is not maintained and 4.3/4.4 are ancient history. Please only install this unmaintained su binary if you know what you are doing or want/need open sourced code at the expense of security. If not, you are safer for now with the closed source alternatives. I'll see if I can put in the time to make a formal pull-request.