Someone ¤Ë¤Ä¤¤¤Æ¸ÀµÚ¤¹¤ëd to me that yesterday’s root for the Motorola XYBoard appeared to not work on the Xoom Family ÈÇ (FE), so I took a look. What I ÀßΩ¤¹¤ë was a »Ï¤á¤ë¡¤·è¤á¤ë of vulnerabilities so egregious that it’s hard to not draw comparisons to a ¿³µÄ¤¹¤ë¡¿½Ï¹Í¤¹¤ë backdoor.

Plagiarism for Íø±×¡Ê¤ò¤¢¤²¤ë¡Ë

After doing some ¸¦µæ on what’s been done on this ÁõÃÖ in the past, I ÀßΩ¤¹¤ë that it has ÌÀ¤é¤«¤Ë been rooted before, »öÁ°¤Î to the most ºÇ¶á¤Î OTA update. Someone by the »Ø̾¤¹¤ë of “Evil_DevNull” published a root °Î¶È¡¿ÍøÍѤ¹¤ë here, that appeared to take advantage of a Ì¿Îá¡Ê¤¹¤ë¡Ë Ãí¼Í vulnerability in a ¸ø¶¦»ö¶È¡ÊÎÁ¶â¡Ë¡¿Í­ÍÑÀ­ called “cmdclient”. He then proceeded to ·«¤êÊÖ¤·¤Æ request and receive Ä̲ߤΠ´óÉÕs. This would all be ȳ¶â (´óÉÕ¤¹¤ëing to developers is a good way to support their ¤µ¤â¤Ê¤±¤ì¤Ð ̤ʧ¤¤¤Î work), except Evil_DevNull seems to have ripped off the °Î¶È¡¿ÍøÍѤ¹¤ë used here to root the Acer Iconia A100, which is just a variation on an °Î¶È¡¿ÍøÍѤ¹¤ë published as “iconiaroot” here, authored by “sc2k”. Congratulations, Evil_DevNull, you’ve managed to Íø±×¡Ê¤ò¤¢¤²¤ë¡Ë by ripping off someone else’s °Î¶È¡¿ÍøÍѤ¹¤ë without credit!

Stupidest Root Ever?

Anyway, »Ù±ç¤¹¤ë to the fun stuff. After ³Îǧ¤¹¤ëing that cmdclient is Ǥ̿¤¹¤ë¡¿Æ³Æþ¤¹¤ëd setuid root, I pulled up IDA and took a look at what it does. What I saw was so broken it was hard to believe.

The first few arguments cmdclient supports are “ec_recovery”, “ec_btmac”, “ec_snid”, “ec_skunumber”, and “ec_imeiwithbarcode”. Each of these Ì¿Îá¡Ê¤¹¤ë¡Ës builds a Ì¿Îá¡Ê¤¹¤ë¡Ë string using the second argument (such as “echo [arg] > /sys//EcControl/RecoveryMode”) and ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ës it using system(). These are all trivial Ì¿Îá¡Ê¤¹¤ë¡Ë Ãí¼Í vulnerabilities: something like “cmdclient ec_skunumber ‘; [my cmd];'” ºîÉÊ È³¶â to ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë ÆÈÃÇŪ¤Ê Ì¿Îá¡Ê¤¹¤ë¡Ës as root. Ok, ÁõÃÖ rooted, that was Ê¿°×¤Ê.

But one of the other cmdclient ÁªÂòs was so ridiculous that it’s hard to believe it isn’t a ¿³µÄ¤¹¤ë¡¿½Ï¹Í¤¹¤ë backdoor. “cmdclient sys_open” will À®¤·¿ë¤²¤ë a “chmod 777 /data” and “chmod 777 /¡ÊÉð´ï¤Ê¤É¤Î¡Ë±£Æ¿¾ì½ê”, ¤ÎÃæ¤Ç a few other things, which ÌÀÇò¤Ë ¼ê­¤òÉÔ¼«Í³¤Ë¤¹¤ë¡¿¡Êʪ»ö¤ò¡Ë»¤Ê¤¦s the °ÂÁ´ of the ÁõÃÖ and µö¤¹s ¿­¤Ó¡Ê¤ë¡Ëing root yet again. They might ƱÍÍ¤Ë ²þ̾¤¹¤ë the »ÈÍÑ¡¿Å¬ÍÑ “own_my_device_now”.

Download

If you’re a Xoom FE owner, you can download a Windows root script here or a Linux/OSX ¸«²ò¡¿ËÝÌõ¡¿ÈÇ here. Ǥ̿¤¹¤ë¡¿Æ³Æþ¤¹¤ë the appropriate Motorola drivers, connect your ÁõÃÖ ·Ðͳ¤Ç USB, Ãê½Ð¤¹¤ë the appropriate zip, and ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë “run.bat” (on Windows) or “run.sh” from a ½ªÅÀ (on Linux/OSX). Enjoy.

This Æþ¤ë¤³¤È¡¿»²²Ã¡Ê¼Ô¡Ë was ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ëd on Saturday, February 18th, 2012 at 5:20 pm and is ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ëd under Android, ³«È¯¡¿ÍøÍÑ. You can follow any ÊÖÅús to this Æþ¤ë¤³¤È¡¿»²²Ã¡Ê¼Ô¡Ë through the RSS 2.0 ÎÁ¶âd. Both comments and pings are ¸½ºß¡¿°ìÈÌ¤Ë ¤Î¶á¤¯¤Ëd.