> I haven't seen a reference to this in the archives, so for the sake of
> completeness here it is:
> http://forum.xda-developers.com/showthread.php?t=1790104
>
> Looks like on a number of devices you can symlink the block device
> that gets mounted on /system to something like /data/local/tmp, and
> then use debugfs to edit that file system. This allows rooting by the
> local user, but also all sorts of nastiness by malicious apps that
> might bundle a copy of debugfs and then change arbitrary files in
> /system, raise privileges, etc.
So many things wrong here.

What's actually happening is these devices have a line in their /init.rc scripts, which are run at boot as root by the init process, saying something like:

    mkdir /data/local/tmp 0771 shell shell

For a while after the release of Android 4.0 (ICS), a change was introduced to init where even if the "mkdir" of an init script failed, the provided path would be chmod'd/chown'd anyway to fix up the file permissions. This has since been fixed.

In this exploit, some devices erroneously have /data/local as group-writable by group "shell", which is assigned to the Android Debugging Bridge (ADB) shell. As a result, if you replace /data/local/tmp with a symbolic link, the target will become shell-writable on reboot.

The sane way to exploit this is to make /data shell-writable, and create or modify /data/local.prop to contain the string "ro.kernel.qemu=1", which causes ADB to retain root privileges rather than dropping to user "shell" since this property convinces it that the device is the emulator. Using debugfs to modify the filesystem is completely unnecessary and potentially destructive.

This also can't be used by malicious apps, since you need user/group "shell" to replace /data/local/tmp with a symbolic link, and normal applications cannot be granted this user/group.

Regards,
Dan
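An added audit helper (not from Dan's message or the XDA thread) that checks a directory tree laid out like an Android /data partition for the three conditions described above: a group-writable /data/local, a /data/local/tmp that has been replaced by a symlink, and a /data/local.prop carrying ro.kernel.qemu=1. The root-prefix argument is an assumption so the check can run against a pulled copy or a mounted image rather than only on the device itself.

```shell
# Constructed audit check; POSIX sh, no GNU-only tools.
# Usage: audit_data_local <root>  (inspects <root>/data/local and <root>/data/local.prop)
# Prints one FINDING line per condition present; returns 0 when clean, 1 otherwise.
audit_data_local() {
    root=$1
    local_dir="$root/data/local"
    findings=0

    # Condition 1: /data/local is writable by its group (group "shell" on an affected device).
    # Column 6 of `ls -ld` output is the group write bit, which keeps this portable.
    if [ -d "$local_dir" ]; then
        gbit=$(ls -ld "$local_dir" | cut -c6)
        if [ "$gbit" = "w" ]; then
            echo "FINDING: $local_dir is group-writable"
            findings=$((findings + 1))
        fi
    fi

    # Condition 2: /data/local/tmp is a symlink, so init's chmod/chown after a
    # failed mkdir would be applied to the link target instead of a real directory.
    if [ -L "$local_dir/tmp" ]; then
        echo "FINDING: $local_dir/tmp is a symbolic link"
        findings=$((findings + 1))
    fi

    # Condition 3: /data/local.prop claims the device is the emulator, which keeps adbd root.
    if [ -f "$root/data/local.prop" ] && grep -q '^ro.kernel.qemu=1' "$root/data/local.prop"; then
        echo "FINDING: $root/data/local.prop sets ro.kernel.qemu=1"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```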
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/