HTC One X AT&T Root Vulnerability

Source: Internet
Author: User

The HTC One X AT&T firmware, version 1.85 and earlier, ships with a preinstalled AT&T Ready2Go application. It runs as the system user and can configure Wi-Fi, import contacts, change wallpapers, and install applications. This vulnerability can be exploited to obtain root permission on the device.

I. Vulnerability and exploitation details

The vulnerability is in the Ready2Go application installation process. The complete procedure Ready2Go follows to install an application is:

1. The first time an application is installed through Ready2Go, Ready2Go creates the download directory "/data/install" and runs "chmod 777 /data/install", granting rwx permissions to all users.
2. When an application is installed through this program, Ready2Go downloads the application to the "/data/install" directory and runs "chmod 666 /data/install/<apkfilename>".
3. After the download is complete, Ready2Go installs the downloaded program and deletes the downloaded apk file.

The complete process for obtaining root permission through this vulnerability is:

1. Check whether the "/data/install" directory exists. If it does not, use Ready2Go to download and install any application, which creates the directory.
2. Select an application with a registered package name, such as com.att.android.markthespot.apk, and use the following command to create a symbolic link to the "/data/local.prop" file:

    adb shell ln -s /data/local.prop /data/install/com.att.android.markthespot.apk

3. Download the selected application through Ready2Go. Because /data/install/com.att.android.markthespot.apk is a symbolic link to /data/local.prop, Ready2Go writes the download to /data/local.prop (Ready2Go has system permission and can operate on /data/local.prop), and /data/local.prop is changed to globally readable and writable.
4. Run the adb reboot command to interrupt the Ready2Go installation process and block the apk deletion that follows a successful Ready2Go installation.
5. After the device restarts, /data/local.prop is left globally readable and writable. Run:

    adb shell "echo 'ro.kernel.qemu=1' > /data/local.prop"
    adb reboot

6. After the device restarts, adb does not drop its permissions because ro.kernel.qemu=1, so an adb shell connected to the device runs as root. (During device startup, the system loads the /data/local.prop configuration file to set system properties. adb initially runs as root and then calls setuid() to reduce its permissions. Before dropping them, it checks the system property ro.kernel.qemu. If this property is 1, the drop is not performed.)

II. References

http://www.androidpolice.com/2012/05/25/exclusive-how-to-root-the-att-htc-one-x-on-version-1-85-or-earlier/
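The root cause in section I is a privileged process calling chmod on a path inside a world-writable directory, where that path may be a symbolic link. The C sketch below is an added example, not Ready2Go's code or part of the original article; the function names, the temporary directory and the file names are constructed. It contrasts that pattern with a hardened one.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern described above: chmod() resolves symlinks, so the mode
 * change lands on whatever file the path points at. */
static int prepare_download_unsafe(const char *path) {
    return chmod(path, 0666);
}

/* Hardened: O_EXCL|O_NOFOLLOW refuses a pre-existing file or symlink, and
 * fchmod() acts on the descriptor, so the path is never resolved again. */
static int prepare_download_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int rc = fchmod(fd, 0640);
    close(fd);
    return rc;
}

/* Constructed scenario in a temp dir: "protected.prop" stands in for a
 * system-owned file and "app.apk" is a symlink planted at the download
 * path. Returns the protected file's mode after the download step ran,
 * or -1 on setup failure. */
static int mode_after(int (*prepare)(const char *)) {
    char dir[] = "/tmp/r2g-demo-XXXXXX", target[128], apk[128];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected.prop", dir);
    snprintf(apk, sizeof apk, "%s/app.apk", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || fchmod(fd, 0600) != 0 || symlink(target, apk) != 0) return -1;
    close(fd);
    prepare(apk);  /* the privileged "download" step under test */
    int mode = stat(target, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
    unlink(apk); unlink(target); rmdir(dir);
    return mode;
}

int main(void) {
    printf("unsafe: %o\n", mode_after(prepare_download_unsafe));
    printf("safe:   %o\n", mode_after(prepare_download_safe));
    return 0;
}
```

The second half of the fix is the directory itself: a download directory that only the installer can write to leaves no place to plant the link.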
