首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Sprite Software Android Race Condition
来源:vfocus.net 作者:Case 发布时间:2013-06-26  
Subject:
Race condition in Sprite Software's backup software, installed by OEM on LG
Android devices.

CVE ID:
CVE-2013-3685

Initial disclosure:
https://plus.google.com/110348415484169880343/posts/Me2yea2PgwE

Source:
https://github.com/CunningLogic/LGPwn

Effect:
Locally exploited vulnerability with minimal device user interaction which
results in executing code as the root user. Under specific circumstances,
it is possible to exploit this vulnerability without the device user's
knowledge

Products:
"Backup"
"spritebud"

Vendors:
Sprite Software
LG Electronics
Potentially other vendors

Affected Versions:
spritebud 1.3.24
backup 2.5.4105
Likely others versions as well

Affected Devices (Subject to firmware configuration):
LG-E971   LG Optimus G
LG-E973   LG Optimus G
LG-E975   LG Optimus G
LG-E975K  LG Optimus G
LG-E975T  LG Optimus G
LG-E976   LG Optimus G
LG-E977   LG Optimus G
LG-F100K  LG Optimus Vu
LG-F100L  LG Optimus Vu
LG-F100S  LG Optimus Vu
LG-F120K  LG Optimus Vu
LG-F120L  LG Optimus LTE Tag
LG-F120S  LG Optimus LTE Tag
LG-F160K  LG Optimus LTE 2
LG-F160L  LG Optimus LTE 2
LG-F160LV LG Optimus LTE 2
LG-F160S  LG Optimus LTE 2
LG-F180K  LG Optimus G
LG-F180L  LG Optimus G
LG-F180S  LG Optimus G
LG-F200K  LG Optimus Vu 2
LG-F200L  LG Optimus Vu 2
LG-F200S  LG Optimus Vu 2
LG-F240K  LG Optimus G Pro
LG-F240L  LG Optimus G Pro
LG-F240S  LG Optimus G Pro
LG-F260K  LG Optimus LTE 3
LG-F260L  LG Optimus LTE 3
LG-F260S  LG Optimus LTE 3
LG-L21    LG Optimus G
LG-LG870  LG (Unknown)
LG-LS860  LG Mach
LG-LS970  LG Optimus G
LG-P760   LG Optimus L9
LG-P769   LG Optimus L9
LG-P780   LG Optimus L7
LG-P875   LG Optimus F5
LG-P875h  LG Optimus F5
LG-P880   LG Optimus 4X HD
LG-P940   LG Prada
LG-SU540  LG Prada 3.0
LG-SU870  LG Optimus 3D Cube
LG-US780  LG Lollipop
Potentially other devices as well.


Product Information:

"Backup" and "spritebud" are a setting and application backup/restore
system written by Sprite Software and deployed on LG Android smartphones.
"Backup" is the end user front end app, and "spritebud" is the service that
preforms the backup and restore functions.


Details:

The "spritebud" daemon is started by the init scripts and runs as the root
user. Listening on a unix socket, the daemon accepts instructions from the
"Backup" app. Using a crafted backup, we can write to, change permission
and change ownership of any file, being that "spritebud" is running under
the root user.


The crafted backup contains restore data for our exploiting application,
"com.cunninglogic.lgpwn". The data includes a 50mb dummy file (a) used to
increase our exploit window, su binary (b), a script (c) to install su, and
a text file (d) containing the path to our script. All files are owned by
the application, and are world write/read/execute. All files are restored
in alphabetical order. The entire backup, after compress, is approximately
2mb. The structure of this backup is as follows:


drwxrwxrwx u0_a114  u0_a114           2013-05-28 20:13 files


./files:
- -rwxr-xr-x u0_a114  u0_a114  52428800 2013-05-22 20:06 a
- -rwxr-xr-x u0_a114  u0_a114     91992 2013-05-22 20:07 b
- -rwxr-xr-x u0_a114  u0_a114       251 2013-05-22 20:12 c
- -rwxr-xr-x u0_a114  u0_a114        42 2013-05-22 20:07 d


Prior to restoration, our exploit app runs, watches the process and waits.
During restoration, the spritebud daemon first creates the files directory,
then sets it's permission and owner. Next it decompresses and restores the
"a" file, our 50mb dummy files. During the restoration of "a", our exploit
application has time to symlink "d", our text file containing the full path
to our script (c), to /sys/kernel/uevent_helper. Upon restoration of file
"d", our path is written to uevent_helper. When a hotplug even occurs
(which occur every few seconds), the path contained in uevent_helper is
execute by the kernel and our script (c) is executed and installs the su
binary (b).

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Telnet-Ftp Service Server 1.0
·Baby FTP Server 1.24 - Denial
·MoinMoin twikidraw Action Trav
·ZPanel zsudo Local Privilege E
·Seowonintech Devices - Remote
·Novell Client 2 SP3 nicm.sys L
·AudioCoder 0.8.22 - Direct Ret
·FreeBSD 9 Address Space Manipu
·PEiD 0.95 Memory Corruption
·PHP Charts 1.0 Remote Code Exe
·FreeBSD 9.0+ Privilege Escalat
·PCMan's FTP Server 2.0 Directo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved