Nopcon '16 Android Kernel Vulnerabilities

Hacking with style

(bio timeline slide: ‘94, ‘97, ‘03, ‘14, ‘16, ‘12)

Who am I?

Is it?!

11 days later..

White: Local Root / Remote Root

Which Root?

• {XDA}
• {Finch}
• {Zerodium}

How to Root? Finch Style

• Qualcomm CVE-2015-0570
• Broadcom CVE-2016-0801 *
• MediaTek CVE-2016-2453

Needed
• Find the execution path
• Prepare PoC

CVE-2016-0801 Execution Path

• char devname[100];
• wl_validate_wps_ie()
• wl_cfg80211_add_set_beacon()
• struct wl_cfg80211_ops = {
      .set_beacon = wl_cfg80211_add_set_beacon,
      .add_beacon = wl_cfg80211_add_set_beacon,
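Added example, not code from the talk or from the bcmdhd driver: a small WPS attribute walker that copies the Device Name into a 100-byte buffer only after checking its length, the bound that keeps a crafted Device Name attribute from overrunning a devname[100] on the stack the way the execution path above describes. It assumes the standard WPS attribute layout (2-byte type, 0x1011 for Device Name, 2-byte big-endian length, then the value); the function names and the sample inputs are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define WPS_ATTR_DEVICE_NAME 0x1011   /* WPS Device Name attribute type */
#define DEVNAME_MAX 100               /* same size as the driver's devname[100] */

/* Walk WPS attributes (2-byte type, 2-byte length, big-endian, then value) and
 * copy the Device Name into a fixed buffer only when it fits with its NUL.
 * Returns 1 = copied, 0 = absent, -1 = rejected (oversize or truncated). */
int wps_get_device_name(const uint8_t *ie, size_t ie_len, char out[DEVNAME_MAX])
{
    size_t off = 0;
    while (off + 4 <= ie_len) {
        uint16_t type = (uint16_t)((ie[off] << 8) | ie[off + 1]);
        uint16_t len  = (uint16_t)((ie[off + 2] << 8) | ie[off + 3]);
        off += 4;
        if (len > ie_len - off)       /* length field exceeds remaining bytes */
            return -1;
        if (type == WPS_ATTR_DEVICE_NAME) {
            if (len >= DEVNAME_MAX)   /* the bound an unchecked memcpy lacks */
                return -1;
            memcpy(out, ie + off, len);
            out[len] = '\0';
            return 1;
        }
        off += len;                   /* skip attributes we do not need */
    }
    return off == ie_len ? 0 : -1;    /* leftover bytes mean a malformed IE */
}

/* Constructed sample: well-formed Device Name "nexus5"; 1 if it round-trips. */
int demo_ok(void)
{
    static const uint8_t ie[] = { 0x10, 0x11, 0x00, 0x06, 'n', 'e', 'x', 'u', 's', '5' };
    char name[DEVNAME_MAX];
    return wps_get_device_name(ie, sizeof ie, name) == 1 && strcmp(name, "nexus5") == 0;
}

/* Constructed sample: Device Name claiming 150 bytes, more than the 100-byte
 * destination; the parser must refuse it instead of overrunning the buffer. */
int demo_oversize(void)
{
    uint8_t ie[4 + 150];
    char name[DEVNAME_MAX];
    ie[0] = 0x10; ie[1] = 0x11; ie[2] = 0x00; ie[3] = 150;
    memset(ie + 4, 'A', 150);
    return wps_get_device_name(ie, sizeof ie, name);
}
```

The same length check against the remaining IE bytes is what stops a truncated attribute from reading past the end of the frame.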

PoC
• Probe Response Packet

CVE-2016-0801

CVE-2016-0801 Result

• Nexus 5, Samsung S5, Note5, … ???
• DO NOT forget to check IF-ELSE blocks!
• wl_cfg80211.c line #7728

#if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 4, 0))
    .set_beacon = wl_cfg80211_add_set_beacon,
    .add_beacon = wl_cfg80211_add_set_beacon,
#else
    .change_beacon = wl_cfg80211_change_beacon,
    .start_ap = wl_cfg80211_start_ap,
    .stop_ap = wl_cfg80211_stop_ap,
#endif

drivers/net/wireless/bcmdhd/wl_cfg80211.c
• wl_cfg80211_change_beacon()

CVE-2016-0801

Others: Qualcomm Adreno GPU MSM Driver Heap Overflow

• No CVE assigned
• (mis)security
      t = min_t(int, group->reg_count, count);
      buf = kmalloc(t * sizeof(unsigned int), GFP_KERNEL);
• Bug added June 2014, bug patched July 2015 (!)
• Samsung S5 Avea inTouch

Others: Qualcomm MSM Debugfs Arbitrary Write

• CVE-2016-2443
• /sys/kernel/debug/mddi/reg -rw-r--r-- root root
• Root ≠ Root
• SELinux context

Nopcon Specials

• Ebook about KASLR (Turkish)

• WPS Probe Response Packet Generator (Github) (CVE-2016-0801 - PoC)

• Links? Follow @abd_sec

Thanks!

Questions?

@abd_sec @kyabd
