I got this interesting Tweet this morning from Ken Tindell @kentindell. I decided to check what it was about and expanded the message, then LMAO! David Manouchehri @DaveManouchehri found interesting code in the Allwinner GitHub.

What does this mean? If the string “rootmydevice” passes through the sunxi_debug process, it assigns you root privileges.

My first thought was: who the hell would use the original Linux Kernel 3.4 extracted from Android and made by Allwinner, which contains binary blobs, when there is a completely Free Open Source alternative developed by the Linux-Sunxi community?

And while thinking about it, scrolling down I found this: some guy decided to try it on his Orange Pi – you see the result, he got root access to the device by a simple echo command!

And this is put in with non-conditional flags, i.e. it is always embedded in the kernel and you can’t remove it!

If the guys from Allwinner were smart enough they would at least hide this in the binary blobs, so no one could see it!

This is just yet another example of what you are exposed to when you use kernels with binary blobs inside, not to speak of the security quality of the code which Allwinner developers produce!

Fortunately we use the Linux-Sunxi community kernel, which is 100% open source with no binary blobs! (Well, if you want hardware acceleration, the GPU drivers are still binary blobs and no one knows what is inside, but this looks like a heap of work and no one is interested in liberating them so far.)
Here is how the OLinuXino Kernel responds to the same command:

What does this mean? All devices which run Allwinner Linux Kernel 3.4 are subject to this backdoor security flaw and you can easily gain root access on any of them!

BTW: You should keep in mind that the kernel tree you’re referring to (‘Linux-Sunxi community kernel which is 100% open source’) contains hardware drivers and stuff taken from Allwinner’s BSP kernel 3.4.39 released a few years ago. So while _this_ specific local privilege escalation is not possible with the sun7i 3.4.103 kernel you use, the drivers might hide other unwanted ‘surprises’. Switching to mainline kernel is the better alternative for most use cases in the meantime.
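
A defensive check for the flaw discussed above, as an added example that is not part of the original post or of any Allwinner or Linux-Sunxi code: it looks for a sunxi_debug node on a running system and for the “rootmydevice” string in a kernel source tree. Only those two names come from the post; searching under /proc, the function names and the verdict labels are assumptions.

```shell
#!/bin/sh
# Added example: audit a device or kernel tree for the sunxi_debug backdoor.
# Only the names "sunxi_debug" and "rootmydevice" come from the post; looking
# under /proc, the function names and the verdict labels are assumptions.

# Print entries named sunxi_debug under a proc root; fail if there are none.
find_debug_node() {
    hits=$(find "${1:-/proc}" -maxdepth 2 -name sunxi_debug 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Print source files that contain the magic string; fail if there are none.
scan_tree() {
    hits=$(grep -rlF -- rootmydevice "$1" 2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# audit PROC_ROOT KERNEL_RELEASE [SRC_DIR] -> prints exactly one verdict:
#   exposed     the debug node exists on the running system
#   in-source   the node is absent but the source tree carries the string
#   legacy-3.4  no direct evidence, but a 3.4 kernel: check where it came from
#   clean       none of the above
audit() {
    if find_debug_node "$1" >/dev/null; then echo exposed; return 0; fi
    if [ -n "${3:-}" ] && scan_tree "$3" >/dev/null; then
        echo in-source; return 0
    fi
    case "$2" in
        3.4|3.4.*) echo legacy-3.4 ;;
        *)         echo clean ;;
    esac
}

# Default run: the live system, optionally with a kernel source tree as $3.
audit "${1:-/proc}" "${2:-$(uname -r)}" "${3:-}"
```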