IMCAFS

 Home

android security team

Posted by santillano at 2020-02-27
all

There are many articles about Android root on the Internet. The @ Android security team mainly collates and analyzes these contents for your convenience. The main reason why the mobile phone needs root is that many operations of the system can only be performed with root permission. For example: to delete some applications of the system, open some limited functions, use some mobile phone management software, etc.

For root analysis, we need to understand the control of Linux on permissions. In Linux system, the access rights of files or directories are divided into three types: read, write and executable. There are three types of users who can access files or directories: File owners, users in the same group, and other users. The owner is generally the creator of the file. The owner can allow users in the same group to have access to the file, and can also give access to the file to other users in the system.

In general, only the user who has granted read, write and execute permission can operate on it. However, there is a super user root in the system, whose uid and GID are 0. It has the highest permission of the system and can operate on any file, process and resource without authorization. As for the implementation of Android phone root, it is actually to obtain this permission, so that we can modify the phone at will, which will bring great risks.

Let's see how to get root permission. The root of mobile phone usually puts the Su executable program under / system / bin or / system / xbin through some vulnerabilities of mobile phone. As for using vulnerability methods, such as constantly fork process to overflow uid, or using busybox permission settings are not equal, of course, these methods can not be used now, someone will continue to research new methods for root, this part will not be analyzed in detail, and it is necessary to search corresponding root methods on the Internet for specific mobile phones.

If you want to compile the Su executable by yourself, you should pay attention to that the default Su executable does not provide root access to the app, mainly because the code is limited, as follows:

int main(int argc, char **argv)

{

   struct passwd *pw;

   int uid, gid, myuid;

   myuid = getuid();

   if (myuid != AID_ROOT && myuid !=AID_SHELL) {

       fprintf(stderr,"su: uid %d not allowed to su\n", myuid);

       return 1;

}

...

The check for the user ID needs to be commented out, otherwise only the shell user can obtain the root permission.

-rwsr-sr-x root    root      105764 2012-09-11 14:39 su

Another thing to note is that the permissions of Su process should be set to 6777 using Chmod. The previous 6 represents the permissions given to setuid and setgid. In this way, any process that executes Su command will change the process into root user and root group, so that it has root permissions.

   execlp("/system/bin/sh", "sh", NULL);

This code is executed at the end of main function of Su process, which is easy for shell users to understand. After running Su, they return to a shell environment. If for a process, we need to write the command into the standard input stdin of the process, then we can execute it with root permission.

Now there is a way to get the root permission. For the shell user logged in by ADB, as long as the Su command is executed, it can switch to the root user, which is more convenient to use. Next, let's see how the application uses root permission. App will first execute the Su command using the runtime environment. After the app is started, the process is waiting for the command to execute, which requires sending the command to the process with root permission for execution. Here is an implementation code excerpted from the Internet:

Try {

   //Preform su to get root privledges  

   p =Runtime.getRuntime().exec("su");   

   //Attempt to write a file to a root-only  

  DataOutputStream os = newDataOutputStream(p.getOutputStream());  

  os.writeBytes("echo \"Do I have root?\">/system/sd/temporary.txt\n");  

   //Close the terminal  

  os.writeBytes("exit\n");  

   os.flush();

}

This code implements the execution of Su process, obtains root permission, then obtains dataoutputstream, and finally writes the command, that is, it can execute with root permission. It is worth noting that the permission of APP process has not changed while executing these commands.

© 2023