Foxconn OEM Android phones found to contain the "Pork Explosion" vulnerability - vulnerability warning - the black bar safety net

2016-10-24T00:00:00
ID MYHACK58:62201680505
Type myhack58
Reporter Anonymous
Modified 2016-10-24T00:00:00

Description

Security researcher Jon Sawyer recently disclosed that he found a backdoor in some Android smartphones manufactured by Foxconn as an OEM; an attacker can use this backdoor to obtain root on the phone. Sawyer has previously provided security consulting services to US local governments and law enforcement agencies, so his discovery caused no small stir.

Intentional or unintentional?

Everyone should know Foxconn. Foxconn currently does OEM production for a number of smartphone manufacturers, and some of those manufacturers even let Foxconn develop part of the low-level code in the phone's firmware. According to Sawyer, in some of the Android smartphones Foxconn manufactures as an OEM, a debug function was "deliberately" left in the apps bootloader code, and with the help of some special software an attacker can use this backdoor to attack the user's phone.

Sawyer said in an interview: "The reason this vulnerability exists is entirely Foxconn's technical 'negligence'. Whether the backdoor was left there intentionally, we'll set aside; but the mistake is indeed very scary. An attacker who successfully exploits this vulnerability can bypass Android's security access controls and SELinux, gain full control of the target device, and then access the data on the device without any authentication."

The "Pork Explosion" vulnerability

This vulnerability, named "Pork Explosion", is not only a powerful weapon for attackers but also a great tool for forensic experts. In fact, it is precisely because phones contain all kinds of security vulnerabilities that forensic experts are able to extract various types of evidence from a target phone.
According to the information Sawyer disclosed, because the vulnerability gives an attacker a direct root shell on an encrypted device, forensic personnel can likewise use it to extract data, brute-force the key, or unlock the phone's bootloader. Sawyer said: "With the help of this vulnerability, once an attacker has the target user's phone in hand, they can disable SELinux over USB and then obtain a root shell on the device. In short, all the attacker needs to carry out the attack is a USB cable."

Sawyer said the phones he found to contain this vulnerability are the Foxconn-OEM InFocus M810 and the Nextbit Robin. In August of this year he contacted Nextbit and Google's Android security team and passed the vulnerability details to the relevant security staff. Nextbit has now fixed the vulnerability, but there is still no word of an update from InFocus.

Vulnerability analysis

As mentioned above, an attacker who gets hold of the target phone can disable SELinux over USB and obtain a root shell on the device. In addition, the attacker can go after the device through adb commands, fastboot, and the apps bootloader. So I analyzed the Nextbit Robin apps bootloader, and a fastboot command in it caught my attention; this command should not appear in this place. Specifically:

LOAD:0F92F8DC fastboot_table                      ; CODE XREF: sub_F939888+174p
LOAD:0F92F8DC
LOAD:0F92F8DC var_C = -0xC
LOAD:0F92F8DC
LOAD:0F92F8DC                 STMFD   SP!, {R4,LR}
LOAD:0F92F8E0                 MOV     R4, #0xF9B9C14
LOAD:0F92F8E8                 SUB     SP, SP, #8
LOAD:0F92F8EC                 MOV     R0, #0x2AE4
LOAD:0F92F8F0                 MOV     R1, #0xF140
LOAD:0F92F8F4                 LDR     R3, [R4]
LOAD:0F92F8F8                 MOVT    R0, #0xF97
LOAD:0F92F8FC                 MOVT    R1, #0xF92
LOAD:0F92F900                 STR     R3, [SP,#0x10+var_C]
LOAD:0F92F904                 BL      fastboot_register
LOAD:0F92F908                 MOV     R0, #0x2AEC
LOAD:0F92F90C                 MOV     R1, #0xDCB4
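As an added example (not part of the article or of Sawyer's own tooling), the following Python script reconstructs from the listing above the pointer pair each fastboot_register call receives, by combining the MOV (low 16 bits) and MOVT (high 16 bits) immediates that ARM uses to build 32-bit addresses; it assumes the usual ARM calling convention, with the command name string in R0 and its handler in R1. Auditing a bootloader image this way is how one enumerates the commands it actually registers, including debug commands that should not be there; the listing excerpt is embedded as a constructed string, and since the article cuts the second call off after its low MOVs, only the first pair is recovered.

```python
import re

# Excerpt of the IDA listing quoted in the article (Nextbit Robin aboot,
# fastboot_table), embedded here as a constructed string. The second
# fastboot_register call is cut off in the article after its low MOVs.
LISTING = """\
LOAD:0F92F8DC STMFD SP!, {R4,LR}
LOAD:0F92F8E0 MOV R4, #0xF9B9C14
LOAD:0F92F8E8 SUB SP, SP, #8
LOAD:0F92F8EC MOV R0, #0x2AE4
LOAD:0F92F8F0 MOV R1, #0xF140
LOAD:0F92F8F4 LDR R3, [R4]
LOAD:0F92F8F8 MOVT R0, #0xF97
LOAD:0F92F8FC MOVT R1, #0xF92
LOAD:0F92F900 STR R3,[SP,#0x10+var_C]
LOAD:0F92F904 BL fastboot_register
LOAD:0F92F908 MOV R0, #0x2AEC
LOAD:0F92F90C MOV R1, #0xDCB4
"""

INSN = re.compile(r"^LOAD:([0-9A-Fa-f]+)\s+(\w+)\s*(.*)$")
IMM = re.compile(r"^(R\d+),#0x([0-9A-Fa-f]+)$")


def registered_commands(listing):
    """Return (call_addr, name_ptr, handler_ptr) for each BL fastboot_register.
    Pointers are rebuilt from MOV (low half) + MOVT (high half) into R0/R1,
    which by the ARM calling convention carry the first two arguments."""
    regs = {}
    calls = []
    for line in listing.splitlines():
        m = INSN.match(line.strip())
        if not m:
            continue
        addr, mnem, ops = m.group(1), m.group(2).upper(), m.group(3).replace(" ", "")
        imm = IMM.match(ops)
        if mnem == "MOV" and imm:
            regs[imm.group(1)] = int(imm.group(2), 16)
        elif mnem == "MOVT" and imm:
            low = regs.get(imm.group(1), 0) & 0xFFFF
            regs[imm.group(1)] = (int(imm.group(2), 16) << 16) | low
        elif mnem == "BL" and ops == "fastboot_register":
            calls.append((int(addr, 16), regs.get("R0"), regs.get("R1")))
            for r in ("R0", "R1", "R2", "R3"):  # caller-saved: stale after the call
                regs.pop(r, None)
    return calls
```

For the quoted excerpt the only complete call resolves to name string 0x0F972AE4 and handler 0x0F92F140; the name itself lives in the image's string section, which the article does not quote.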
