Privilege Escalation Analysis for Android system vulnerabilities

Privilege Escalation Analysis for Android system vulnerabilities

(1) Preface

1.1 What is root
Root -- that is, the Elevation of Privilege of the system mentioned here. It is usually used for Android mobile phones, so that users can obtain the superuser permissions of the Android operating system. Root is usually used to help users bypass the restrictions of mobile phone manufacturers, so that users can uninstall some apps pre-installed by mobile phone manufacturers in mobile phones and run applications that require super user permissions. The root of Android is similar to the jailbreak of Apple iOS.

1.2 How to Implement root
Generally, there are two root Methods: one is to fl the root package in recovery mode, and the other is to use system-layer vulnerabilities (application-layer vulnerabilities or kernel vulnerabilities) to escalate root privileges, the following article briefly introduces how to use system vulnerabilities for root privilege elevation.
The root effect can be simply divided into two types: one is to obtain root permissions only for its own processes; the other is to obtain root permissions for both its own programs and other programs.

(2) Basic knowledge

2.1 File Permissions

In the system, the file access permission is controlled by the user ID (UID) and user group ID (GID.
Each user is assigned a UID, and all users are divided by group. Each user group is assigned a GID. Note that a user can belong to multiple user groups.
Each file in Linux has three permissions: Read, Write, and Execute. These three permissions are divided into three groups by user attributes: Owner, Group, and Other.

2.2 process UID
 
By default, the UID of the process is equal to the UID of the process that created it, that is, the UID of the parent process. The first process is the init process. The kernel is created after startup, and the UID is root. Other processes are directly created by the init process or indirectly by the Child process of the init process. After a parent process is created (fork), you can call setuid to change its UID.

(3) setresuid Elevation of Privilege

3.1 Technical Background
Setresuid (, 0) can be used to set the EUID of a process to escalate permissions to the current process. However, normal users cannot extract data directly because of the following reasons:

The figure above corresponds to some code information of setresuid in the kernel file. Through analysis, we can find that the function will check the caller's permissions before the setresuid is actually performed, such as the content in the red box, when the call permission is met, the R0 value is #0. For calls by common users, R0 is a non-zero value. Therefore, if we change the compared object #0 to a non-zero value, the setresuid can be successfully called to set the position.
At this point, we need to solve the problem of how to modify the kernel file by using setresuid For Elevation of Privilege. Steps:
Step 1: Find the virtual address of the target code
Step 2: Find the physical address of the target code
Step 3: Use the vulnerability to modify the Kernel File
Step 4: Call setresuid (0, 0, 0) to raise the permission

3.2 search for Code Location
① Drag the kernel imgfile from the mobile phone (you can also find the matching refresh and obtain it directly from it)

② Export the imgfile to the PC and use binwalk to analyze the imgfile

Generally (experience is not necessarily 100% accurate) We think that the first long gzip segment is the kernel file.
③ Extract kernel from imgfile using dd

④ Locate the code location to be modified from the Kernel File
If we directly drag the extracted file to IDA, we cannot find setresuid, because we lack a symbolic table -- kallsyms:

Here we get kallsyms under root. Due to space restrictions, we will not introduce how to get kallsyms without root permission. You can find it by yourself.
After importing kallsyms, you can use the extension plug-in to load it, and then find the corresponding function in IDA to determine the virtual address (0xC009D12C) of the function in the kernel file ), offset of the target code to the start address of the kernel = 0xC009D12C-0xC0000000 = 0x9D12C.
⑤ Obtain the physical address of the target code
The starting physical address of the kernel:

Physical address of the target code: phaddr = 0x8600000 + 0x9D12C

3.3 search for Elevation of Privilege Vulnerabilities
Here we take an mmap Elevation of Privilege Vulnerability in Huawei mt2_u071 as an example.
Scan the entire mobile phone File System to discover suspicious files:

This file lists the rwx permissions of the other application as suspicious objects.
In another file/kerneldrivers/hisi/hifidsp/hifi_lpp.c:

Through analysis, we found that phys_page_addr is a fixed value 0x05a00000. Combined with the definition of the remap_pfn_range function, we know that phys_page_addr is a physical address, so the above Code can write data to a fixed physical address.
Further analysis shows that the file_operations structure in the current file is hifi_misc_fops, in which the mmap function is redirected to the hifi_misc_mmap function.
 

Here we will give a brief summary:
The mmap function can be called at will. Based on our requirements (modify data on the specified physical address), the address to be written is protected and requires high permissions. Then the "suspicious object"/dev/hifi_misc found above will be able to send a threat at this time.
On the physical address, the offset of the target code relative to phys_page_addr is 0x8600000 + 0x9d12c-0x5a00000

3.4 vulnerability elevation code

At this point, the current process has the root permission.