615 replies to this topic

[SamuriHL]

That's not true at all.  You push the files once.  They are there every time.  You just execute the run.sh script and root is golden.  However, I'm told this root exploit definitively will not work on these builds so it's of no help.

[ibolski]

That's not true at all.  You push the files once.  They are there every time.  You just execute the run.sh script and root is golden.  However, I'm told this root exploit definitively will not work on these builds so it's of no help.

Sorry about that. I must have misread what the OP stated when he posted about this exploit. Okay. Well that would have been better, so you only had to "tether" once, to push the files to the phone.

 

Gotcha.

 

Yeah, still too bad it didn't work.

[livinginkaos]

Yeah I had jcase on hangouts. We did some digging and the patch that they applied in the coming 4.4.3 builds is present in the 4.4.2 build on the xt907 and xt926.

Sent from my S-Offed One M8

[SamuriHL]

Sorry about that. I must have misread what the OP stated when he posted about this exploit. Okay. Well that would have been better, so you only had to "tether" once, to push the files to the phone.

 

Gotcha.

 

Yeah, still too bad it didn't work.

 

Technically this is still wrong.    If you had the zip file on your phone you could extract it and push the files in place through terminal.  No ADB required.  

[SamuriHL]

Yeah I had jcase on hangouts. We did some digging and the patch that they applied in the coming 4.4.3 builds is present in the 4.4.2 build on the xt907 and xt926.

Sent from my S-Offed One M8

 

I appreciate the effort from both of you for testing this.  I know this is going to get me called "naysayer" and piss off the "dreamers" more, but, given this development root for these devices went from unlikely to REALLY unlikely.

[ibolski]

Man, it would be nice for those with locked devices to get root. Then we won't get all the "can I root my Kit Kat phone?" questions all the time! 

[SamuriHL]

Man, it would be nice for those with locked devices to get root. Then we won't get all the "can I root my Kit Kat phone?" questions all the time! 

 

Yes we would.  We'd just be able to point them to it.  Unfortunately, I don't think it's going to happen any time soon if ever.  

[SamuriHL]

Please Login or Register to see this Hidden Content

 

Another possible Linux kernel priv escalation bug.  I do not know if Android is impacted by it or whether it's been patched, but, one of the root demi-gods could potentially find a way to exploit this if it's in Android.

[xKroniK13x]

Please Login or Register to see this Hidden Content

 

Another possible Linux kernel priv escalation bug.  I do not know if Android is impacted by it or whether it's been patched, but, one of the root demi-gods could potentially find a way to exploit this if it's in Android.

 

Looking at the released source code for the kernel update, it appears that it is not patched - or at least not patched following the instructions in the bug-reports. The problem is that you must first right the code you want to execute to a memory address, and this bug will then let you execute it. It is accessible via Chrome sandbox on Linux, which means it may be accessible using some sort of custom Android app. I imagine if it was this "easy," someone would have exploited this by now... but I am researching it. I have novice Linux knowledge, but if anything, it will be a good learning experience.

[SamuriHL]

Looking at the released source code for the kernel update, it appears that it is not patched - or at least not patched following the instructions in the bug-reports. The problem is that you must first right the code you want to execute to a memory address, and this bug will then let you execute it. It is accessible via Chrome sandbox on Linux, which means it may be accessible using some sort of custom Android app. I imagine if it was this "easy," someone would have exploited this by now... but I am researching it. I have novice Linux knowledge, but if anything, it will be a good learning experience.

 

Nice!  Good luck with your research.  If you get stuck on something, maybe PM JCase and see if you can bounce some ideas off him.  He may or may not be open to that I don't know....but it's worth a shot.

[digdug1]

Good luck!

[xKroniK13x]

So I've been researching more, but haven't had time to attempt to code anything... but here are my findings.

 

You can execute kernel commands via an Android application. It is generally used for things like System Tweaker, however, you should be able to access other commands than the init scripts, it's just calling a different file.

 

You cannot write code to be executed to a physical memory address (directly on the RAM) in Java, which is where this exploit needs to read from. Java uses a Java Virtual Machine (JVM) to manage the memory used within the app, for security reasons. This means that the app cannot be written in Java, which is what I'm most fluent in. I'm researching into language alternatives, as the app doesn't have to do anything but execute a couple of commands, and write a few lines of output.

 

I'll keep this thread updated with what I figure out this weekend. I'm still considering this just a theory, but it does still seem plausible.

[SamuriHL]

I suspect you can do it in C/C++ fairly trivially.

 

Please Login or Register to see this Hidden Content

 

That should get you set up.  While I've not done ANY programming on Android at all, I'm fluent in java, c, c++, and a variety of other languages so if you need help with something, hit me up in a PM and I'll see what I can do.  Looks like the exploit is alive on the S5, as well.

 

Please Login or Register to see this Hidden Content

 

GeoHot is well known in some circles.  He knows his stuff.  Maybe you can write it in such a way that it works on all the devices out there.  LOL

[xKroniK13x]

I suspect you can do it in C/C++ fairly trivially.

Please Login or Register to see this Hidden Content

That should get you set up. While I've not done ANY programming on Android at all, I'm fluent in java, c, c++, and a variety of other languages so if you need help with something, hit me up in a PM and I'll see what I can do. Looks like the exploit is alive on the S5, as well.

Please Login or Register to see this Hidden Content

GeoHot is well known in some circles. He knows his stuff. Maybe you can write it in such a way that it works on all the devices out there. LOL

Very good reads. I know of Geohot from when he jailbroke the PS3. very cool to see him still active, and very cool to see that a proof of concept has been achieved. I do believe that a well written app could be executed on a variety of phones that have this kernel exploit, which seems to be the bulk of them, since it is so new and listed as a not high priority threat... Time to start experimenting!

Sent from my XT907 using Tapatalk

[SamuriHL]

Just know that it HAS been patched in 4.4.3.  But yea, if a generic exploit were written similar to Saferoot, a LOT of people would be very happy.  So, good luck.  

[Playb3yond]

Patiently waits

Motorola Droid Razr Maxx HD

[SamuriHL]

Realistically, you may have quite some time to wait.  It's also possible that whatever exploit ends up being created for the S5 for whatever reason may not work on these phones.  I'd call for cautious optimism on this one.

[xKroniK13x]

Realistically, you may have quite some time to wait.  It's also possible that whatever exploit ends up being created for the S5 for whatever reason may not work on these phones.  I'd call for cautious optimism on this one.

 

I tend to agree 100% with you. I see no reason why this hole in the kernel wouldn't work, but who knows realistically how hard this will be to exploit.

[SamuriHL]

I tend to agree 100% with you. I see no reason why this hole in the kernel wouldn't work, but who knows realistically how hard this will be to exploit.

 

That's the trick.  I don't know enough about the exploit, but, it seems like there could be complications getting it to be generic.  I mean, look at JCase's implementation...works only on the X, Mini, Maxx, and Ultra.  So, we have no guarantee that any new implementation is going to work on anything but the phone it was designed for.

[SamuriHL]

Please Login or Register to see this Hidden Content

 

More news on the Pinkie Pie vulnerability.  Looks like someone is going to be looking into it soon.  Keep your fingers crossed.  LOL