RootingDevices » History » Version 33

Denis 'GNUtoo' Carikli, 03/28/2022 05:28 PM
fix typo

h1. RootingDevices

h2. About root

Having root access on your computer empowers you to control your computer. Having users in control of their own computers is not a security vulnerability.
If you don't have root access, then you are locked out of your own computer, and this can be a very serious problem as the computer also holds data: your data.
For instance, if you can't copy your data into and out of the device, then you're stuck and dependent on the software that is installed on that computer to use your data.

In general, root is also required to use any network protocol you wish, or want to design, since the tun/tap interface and the other mechanisms for sending raw packets require root: it really enables you to put net neutrality and the Internet's design principles into practice.
Some applications, like "USB mountr":https://f-droid.org/en/packages/streetwalrus.usbmountr/, which uses hardware features like USB OTG to expose an ISO image as USB mass storage over the USB port, require root. So it's a good idea to enable users to easily become root in Replicant.

However, it's a good security practice not to give root access to programs that don't need it, or to people that you don't trust, as it could give them full control of the system.
And even if you trust a program enough, it could have vulnerabilities that enable an attacker to get root access.
So once the user is in control and has root, it's then a good idea not to have any vulnerabilities that could enable attackers who already have code running on your computer to get root as well.

h2. Introduction

Many of the Android distributions shipped on devices took away the users' ability to become root.
Because of that, it's sometimes necessary to become root within such distributions.
For instance, it can enable you to back up and migrate your data from the stock Android distribution to Replicant, to back up the stock OS itself, etc.

While running the stock distribution is not interesting per se if it's not fully free software, it can still be useful, for instance for reverse engineering.

h2. Root exploits

|_. Vulnerability names |_. CVE |_. Affected software and versions |_. Free software implementation |_. Status |
| Towelroot | "CVE-2014-3153":https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153 | Linux 3.5 to 3.15 | "GPLv3 version, improved from github":https://git.replicant.us/contrib/GNUtoo/tools/towelroot | Not yet tested |
| * iovyroot
* Pipe-iovec root | "CVE-2015-1805":https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805 | Linux 2.6x to 3.15 | * None of "the 4 implementations on github":https://github.com/search?q=CVE-2015-1805 were under a free software license | |
| Ping-Pong Root | "CVE-2015-3636":https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3636 | Linux ? to 4.1 | | |
|/3. "Dirty COW":https://dirtycow.ninja/ |/3. "CVE-2016-5195":https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195 |/3. Linux 2.6.13 to 4.9 | * "List of some free and nonfree implementations":https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
For the free implementations:
* "GPLv3 (+?) implementation in Go":https://github.com/mengzhuo/dirty-cow-golang
* "GPLv3+ implementations in C++ and Go":https://github.com/gbonacini/CVE-2016-5195
* "MIT implementation in Crystal (what is it?)":https://github.com/xlucas/dirtycow.cr | |
| * "MIT implementation in C":https://github.com/scumjr/dirtycow-vdso | Uses assembly (x86_64 only at this time) |
| * "LGPLv3(+?) implementation in C":https://github.com/nowsecure/dirtycow | Tried 'cowpy', but it didn't work on I9100G:
* Tried replacing /system/bin/run-as in /system, which is ro: says "Done" but the binary is not changed
* Tried replacing /system.prop in /, which is probably rw: says "Done" but the binary is not changed |

h2. Stock OS

|_. Device |_. Android version |_. Kernel version |_. Status |
| GT-I9100G_CHN_CHN | 2.3.5 | 2.6.35.7 se.infra@SEI-30#2 | Failed |
| Nexus 5 | 6.0.1 | 3.4.0-gcf10b7e | Failed. Tried cowpy (tried replacing /default.prop, which is root:root 644). Compiled on top of Replicant 6.0 |
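
To tell which of the advisories in the Root exploits table could apply to the kernels listed in the Stock OS table, here is an added example (not from the Replicant wiki or any of the linked projects) that parses @uname -r@ style kernel strings as they appear above and checks them against the affected-version ranges copied from the table. It assumes the "2.6x" lower bound means 2.6, treats the unknown "?" bound of Ping-Pong Root as open, and reads "to 3.15" as covering the whole 3.15 series; the device names and version strings are the ones from the tables.

```python
import re

# Affected ranges copied from the Root exploits table above. None marks an
# unknown bound ("Linux ? to 4.1"); "2.6x" is read as 2.6 (an assumption).
AFFECTED = {
    "CVE-2014-3153 (Towelroot)": ((3, 5), (3, 15)),
    "CVE-2015-1805 (iovyroot / Pipe-iovec root)": ((2, 6), (3, 15)),
    "CVE-2015-3636 (Ping-Pong Root)": (None, (4, 1)),
    "CVE-2016-5195 (Dirty COW)": ((2, 6, 13), (4, 9)),
}

def parse_kernel_version(release):
    """Numeric version tuple from a `uname -r` style string; vendor suffixes
    such as '-gcf10b7e' or ' se.infra@SEI-30#2' are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)+)", release)
    if not m:
        raise ValueError("no version number in %r" % release)
    return tuple(int(x) for x in m.group(1).split("."))

def _head(version, n):
    """First n components of a version tuple, zero-padded if it is shorter,
    so that 3.4.0 compares equal to 3.4 and 3.15.2 still counts as 3.15."""
    return (version + (0,) * n)[:n]

def possibly_affected(release, table=AFFECTED):
    """Names of the table entries whose range contains the kernel version.

    Bounds are inclusive and compared only as far as they are specified
    ("to 3.15" covers the whole 3.15 series). A hit means the kernel is
    inside a published range, nothing more: vendor kernels often carry
    backported fixes, so it is a reason to test, not proof (compare the
    failed cowpy attempts recorded in the tables above)."""
    version = parse_kernel_version(release)
    hits = []
    for name, (low, high) in table.items():
        if low is not None and _head(version, len(low)) < low:
            continue
        if high is not None and _head(version, len(high)) > high:
            continue
        hits.append(name)
    return hits

if __name__ == "__main__":
    # Kernel strings as listed in the Stock OS table above
    for device, release in [("GT-I9100G", "2.6.35.7 se.infra@SEI-30#2"),
                            ("Nexus 5", "3.4.0-gcf10b7e")]:
        print(device, "->", ", ".join(possibly_affected(release)))
```

Both kernels in the Stock OS table fall inside the Dirty COW range, which is why cowpy was worth trying on them, and the failed attempts show that being in range does not guarantee the bug is still present.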
h2. Motivations

A common use case is making a full backup of the device without relying on nonfree and non-redistributable software. This is needed in a variety of situations:
* For people working on Replicant, having a backup of the stock OS can be useful for reverse engineering. For instance, the work to make xgoldmon work with Replicant ([[XMMProtocolInterfaces]]) often requires comparing the stock OS with Replicant.
* In a free software user group, we bought several smartphones (GT-I9300, Nexus 5, Pinephone) to enable people to become familiar with the installation of distributions on smartphones. Having complete backups enables restoring the stock OS to do installations. This free software user group got several devices. For the GT-I9300 we resorted to hardware methods[1] to boot from a Parabola microSD, and we did the complete backup this way. But for the Nexus 5 we probably need to find free software root exploits to do the full backup.

fn1. https://redmine.replicant.us/projects/replicant/wiki/Exynos4Bootrom#Loading-a-bootloader-from-SD

h2. References

* https://github.com/ucam-cl-dtg/android-vulnerabilities/