It's Bugs All the Way É餫¤¹¡¿·âÄƤ¹¤ë

After getting a taste of ¤ä¤¸ tablets with the Lenovo Thinkpad tablet, I decided to turn my attention to the Sony Tablet S. It turned out to be a ·ø¤¤ ÁõÃÖ to root.

The Bug

The Sony Tablet S has a logging service running as root »Ø̾¤¹¤ëd nfx_log_service. This service »ý³¤¹¤ës on-disk backups of the Android logcat ¾×·â¤òϤ餲¤ë¤â¤Îs in the /¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë directory. This directory is group-writable and group “¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë”, which is ǧ¤á¤ëd to the ¥¢¥¸¥¢³«È¯¶ä¹Ô Çú·â¤¹¤ë, so we can ½¤Àµ¤¹¤ë ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës in this directory.

The logging service uses predictable filenames for its À¸»º¡Ê¹â¡Ë. ÆäË, “Kernel.txt”, “AndroidMain.txt”, “AndroidEvent.txt”, and “AndroidRadio.txt” are used. As you might ¿äÄꤹ¤ë¡¿Í½ÁÛ¤¹¤ë, by ¼è¤Ã¤ÆÂå¤ï¤ëing these ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës with ¾ÝħŪ¤Ê links, it’s possible to ¸¶°ø¡Ê¤È¤Ê¤ë¡Ë the logging service to either create a new ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ëing the contents of the appropriate ¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë ¾×·â¤òϤ餲¤ë¤â¤Î, or if the symlink is in place at boot time, append the appropriate ¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë ¾×·â¤òϤ餲¤ë¤â¤Î to an ¸ºß¤¹¤ëing ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë. These ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës are created as root:root 0644, so once they are created we do not have the ability to »ÙÇۡʤ¹¤ë¡Ë¡¿ÅýÀ©¤¹¤ë their contents.

The Goal

ÉáÄ̤Ï, I’d go straight for victory by creating a symlink at one of the logfile ¾ì½ês (I chose “/¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë/AndroidRadio.txt“) to /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë and Îá¾õing “ro.kernel.qemu=1″ a whole bunch of times to the ̵Àþ¤ÇÄÌ¿®¤¹¤ë ¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë. This would ¸¶°ø¡Ê¤È¤Ê¤ë¡Ë /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë to be created ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ëing the ro.kernel.qemu ½êͭʪ¡¿»ñ»º¡¿ºâ»º, so that when I reboot the ÁõÃÖ ¥¢¥¸¥¢³«È¯¶ä¹Ô runs as root and it’s game over.

Unfortunately, that doesn’t ¤ä¤á¤ë work here. The Sony Tablet S already has a /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë, and worse, it’s ¸½¼Â¤Ë a symlink to /configs/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë. Since /configs is a read-only mountpoint, we won’t be able to overwrite this ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë. However, if we could ½üµî¤¹¤ë the ¸ºß¤¹¤ëing /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë, we could create a new ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë there that »Ï¤á¤ë¡¤·è¤á¤ës the ro.kernel.qemu ½êͭʪ¡¿»ñ»º¡¿ºâ»º and µö¤¹s us to ¾¡Íø¡¤¾¡¤Ä. But how can we use our logger vulnerability to ½üµî¤¹¤ë a ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë?

Trickiness

It turns out the Android °ì³ç ·Ð±Ä¼Ô¡¿»ÙÇÛ¿Í has an Íø±×¡¿¶½Ì£ing ¹Ô°Ù. °ì³çs have data directories at /data/data/[°ì³ç]/. Ordinary °ì³çs have a lib directory in the data directory for native libraries. However, system °ì³çs (like the ones Ǥ̿¤¹¤ë¡¿Æ³Æþ¤¹¤ëd by Google or the OEM, in this »öÎã¡¿´µ¼Ô Sony) are not ¿äÄꤹ¤ë¡¿Í½ÁÛ¤¹¤ëd to have libraries in this directory. If any system °ì³ç has ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës in its /data/data/[°ì³ç]/lib/ directory, those ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës are ºï½ü¤¹¤ëd on boot by the °ì³ç ·Ð±Ä¼Ô¡¿»ÙÇÛ¿Í. Interestingly, this ´Þ¤às ¤Ë°ú¤­Â³¤¤¤Æ symlinks. So if we can somehow ¸¶°ø¡Ê¤È¤Ê¤ë¡Ë a system °ì³ç’s data folder to ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ë a symlink at /data/data/[°ì³ç]/lib that points to /data, then the /data directory will be erased on boot, wiping out /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë and µö¤¹ing us to create a new one and ¿­¤Ó¡Ê¤ë¡Ë root.

Android ÁõÃÖs ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ë a program called “run-as” that µö¤¹s the ¥¢¥¸¥¢³«È¯¶ä¹Ô Çú·â¤¹¤ë to assume the Æø¢s of any »ÈÍÑ¡¿Å¬ÍÑ that is ¼¨¤¹d as “debuggable”. This is ·èÄꤹ¤ëd by checking the /data/system/°ì³çs.̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë, which ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës a ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë of °ì³çs, their uids, the debuggable ´ú, and their data directories. For the °Î¶È¡¿ÍøÍѤ¹¤ë, we can Áª¤Ö any system »ÈÍÑ¡¿Å¬ÍÑ – I chose com.google.android.¾ì½ê.

We can use our logging vulnerability by creating a symlink at /¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë/AndroidRadio.txt that points to /data/system/°ì³çs.̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë, rebooting the ÁõÃÖ, and running a program that ¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ës °ì³çs.̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë lines for a µ¶¤Î »ÈÍÑ¡¿Å¬ÍÑ that’s ¼¨¤¹d as debuggable with the same uid as this system »ÈÍÑ¡¿Å¬ÍÑ. For example, I used:

com.pwn.me 10026 1 /data/data/com.google.android.¾ì½ê

In this »öÎã¡¿´µ¼Ô, 10026 was the uid of com.google.android.¾ì½ê. This might ÊѲ½¤µ¤»¤ë based on ÁõÃÖ. At this point, the logging service appends this line to °ì³çs.̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë, and we can “run-as com.pwn.me”, at which point we have the Æø¢s of our system °ì³ç. We can then ¼è¤Ã¤ÆÂå¤ï¤ë the system °ì³ç’s lib directory with a symlink to /data, reboot the ÁõÃÖ, °Î¶È¡¿ÍøÍѤ¹¤ë the logger again to create a fresh /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ëing the line “ro.kernel.qemu=1″, and reboot again, at which point ¥¢¥¸¥¢³«È¯¶ä¹Ô is running as root and we can Ǥ̿¤¹¤ë¡¿Æ³Æþ¤¹¤ë su and Superuser.

The Final À½ÉÊ

A script that ¼«Æ°²½¤¹¤ës these steps on Windows is ÍøÍѤǤ­¤ë here. To run it, ³Î¼Â¤Ë¤¹¤ë your ÁõÃÖ is in USB debugging Êý¼°, connect it ·Ðͳ¤Ç USB, Ãê½Ð¤¹¤ë the zip, and run “run.bat”. Enjoy!

If you were ȼ¤¦¡¿´Ø¤ï¤ëd in raising a bounty for this °Î¶È¡¿ÍøÍѤ¹¤ë, ´óÉÕs can be made below.

This Æþ¤ë¤³¤È¡¿»²²Ã¡Ê¼Ô¡Ë was ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ëd on Wednesday, February 8th, 2012 at 2:43 pm and is ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ëd under Android, ³«È¯¡¿ÍøÍÑ. You can follow any ÊÖÅús to this Æþ¤ë¤³¤È¡¿»²²Ã¡Ê¼Ô¡Ë through the RSS 2.0 ÎÁ¶âd. Both comments and pings are ¸½ºß¡¿°ìÈÌ¤Ë ¤Î¶á¤¯¤Ëd.