
Added CVE ids

Giulio, 3 years ago
commit 42ee93a278
1 changed file with 9 additions and 3 deletions

Readme.md

@@ -24,6 +24,12 @@ Other models might be running ProlinOS too but their specification is not detail
 
 For this research, I have bought a S900 from eBay and was lucky enough to find a used model targeted at developers. I will specify when something applies only to the developer model and not the production ones, although very little differs in terms of vulnerabilities.
 
+### CVEs
+
+ * Arbitrary read/write - CVE-2020-28044
+ * ELF signature bypass - CVE-2020-28045
+ * Root privesc - CVE-2020-28046
+
 ### Pictures
 ![PAX S900 from eBay](https://git.lsd.cat/g/pax-pwn/raw/master/images/s900.jpg)
 
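Review bot: the new "CVEs" list uses different names from the section headings it refers to ("Root privesc" vs. "### Privilege Escalation", "ELF signature bypass" vs. "### Signature Bypass and Code Execution"), so a reader scanning the summary cannot match entries to the write-up without reading the whole file. Use the section titles verbatim in the list, e.g. ` * Privilege Escalation - CVE-2020-28046`, and turn each item into an in-page link to its section (`[Privilege Escalation](#privilege-escalation-cve-2020-28046)`), since the headings are renamed further down in this same commit. A link to the MITRE/NVD record for each id would also help readers find the official description once it is published.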
@@ -174,17 +180,17 @@ bcm5892_rtc             4938  0
 ```
 
 ## Vulnerabilities
-### Arbitrary Read/Write
+### Arbitrary Read/Write (CVE-2020-28044)
 As described in the "Communication" section, it is possible to list, read and write file and folders with `MAINAPP` permissions via XCB.
 
-### Signature Bypass and Code Execution
+### Signature Bypass and Code Execution (CVE-2020-28045)
 Although ELF files need to be signed in order to be executed (later we'll see how), libraries apparently do not. This means that it is possible to run custom executables without issues, given that we have a working shell and `LD_PRELOAD` is working or that, even without a shell, we can overwrite a library in use by some application.
 
 `installer`, which is the executable being called by `xcbd` (the `xcb` daemon server, like `adbd`) is responsible for verifying binary files before adding them. This does not mean that the kernel doesn't check again (it does) but means that ELF signature verification is available via userspace and is provided by a kernel module.
 
 It simply opens the device `/dev/verify`, uses some `ioctl` calls and send the executable file. Depending on the `ioctl` results it is possible to determine if a binary file has been correctly signed. As per the signature format, it's possible to guess that it is simply made by an RSA 2048 signature appended at the end of the file plus the string `SIGNED_VER:00001`.
 
-### Privilege Escalation
+### Privilege Escalation (CVE-2020-28046)
 
 By looking into the device, there are mainly two possible vectors of privilege escalation which are:
  * The outdated kernel is vulnerable to [dirtycow](https://dirtycow.ninja/) and many other kernel exploits
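Review bot: the renamed heading "### Privilege Escalation (CVE-2020-28046)" attaches one CVE id to a section that, in its very first bullet, describes the outdated kernel being vulnerable to dirtycow and "many other kernel exploits", which are separately tracked upstream issues and not something a new 2020 id should cover. Add a sentence under the heading stating which of the listed vectors CVE-2020-28046 actually describes (the device-specific one, presumably), so the id is not read as covering the known kernel bugs. The same applies, to a lesser degree, to "### Signature Bypass and Code Execution (CVE-2020-28045)": that section describes two distinct issues (unsigned libraries loadable via `LD_PRELEAD`/library overwrite, and the userspace `installer` check) and it is not clear from the heading alone which one the id covers.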