From 42ee93a278a777a6150729319eef30af2f7b6b2c Mon Sep 17 00:00:00 2001 From: Giulio Date: Sun, 1 Nov 2020 20:26:56 +0100 Subject: [PATCH] Added CVE ids --- Readme.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/Readme.md b/Readme.md index c7bc8a4..68014df 100644 --- a/Readme.md +++ b/Readme.md @@ -24,6 +24,12 @@ Other models might be running ProlinOS too but their specification is not detail For this research, I have bought a S900 from eBay and was lucky enough to find a used model targeted at developers. I will specify when something applies only to the developer model and not the production ones, although very little differs in terms of vulnerabilities. +### CVEs + + * Arbitrary read/write - CVE-2020-28044 + * ELF signature bypass - CVE-2020-28045 + * Root privesc - CVE-2020-28046 + ### Pictures ![PAX S900 from eBay](https://git.lsd.cat/g/pax-pwn/raw/master/images/s900.jpg) 
@@ -174,17 +180,17 @@ bcm5892_rtc 4938 0 ``` ## Vulnerabilities -### Arbitrary Read/Write +### Arbitrary Read/Write (CVE-2020-28044) As described in the "Communication" section, it is possible to list, read and write file and folders with `MAINAPP` permissions via XCB. -### Signature Bypass and Code Execution +### Signature Bypass and Code Execution (CVE-2020-28045) Although ELF files need to be signed in order to be executed (later we'll see how), libraries apparently do not. This means that it is possible to run custom executables without issues, given that we have a working shell and `LD_PRELOAD` is working or that, even without a shell, we can overwrite a library in use by some application. `installer`, which is the executable being called by `xcbd` (the `xcb` daemon server, like `adbd`) is responsible for verifying binary files before adding them. This does not mean that the kernel doesn't check again (it does) but means that ELF signature verification is available via userspace and is provided by a kernel module. It simply opens the device `/dev/verify`, uses some `ioctl` calls and send the executable file. Depending on the `ioctl` results it is possible to determine if a binary file has been correctly signed. As per the signature format, it's possible to guess that it is simply made by an RSA 2048 signature appended at the end of the file plus the string `SIGNED_VER:00001`. -### Privilege Escalation +### Privilege Escalation (CVE-2020-28046) By looking into the device, there are mainly two possible vectors of privilege escalation which are: * The outdated kernel is vulnerable to [dirtycow](https://dirtycow.ninja/) and many other kernel exploits
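Review bot: In the first hunk (the new `### CVEs` section after the S900/eBay paragraph), the three list items give only a short name and a CVE id with nothing to follow; please link each id to its public record and state what it applies to, e.g. ` * Arbitrary read/write - [CVE-2020-28044](https://nvd.nist.gov/vuln/detail/CVE-2020-28044)` with a short note that all three concern ProlinOS on the PAX S900 as tested (the developer model caveat in the paragraph just above would be worth repeating here so readers of the summary do not miss it). A style point in the same hunk: "Root privesc" is an informal abbreviation while the section it summarises is titled "Privilege Escalation"; use the same wording in both places.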
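Review bot: In the second hunk the three headings gain CVE ids, but the names now differ from the summary list added earlier in the same patch ("Arbitrary read/write" vs "Arbitrary Read/Write", "ELF signature bypass" vs "Signature Bypass and Code Execution", "Root privesc" vs "Privilege Escalation"), so a reader matching an id to its writeup has to reconcile two sets of titles; make the summary entries link to these headings (e.g. `[Signature Bypass and Code Execution](#signature-bypass-and-code-execution-cve-2020-28045)`) and keep the titles identical. Also, the "Signature Bypass and Code Execution (CVE-2020-28045)" section describes two distinct issues, unsigned libraries loaded via `LD_PRELOAD` and overwriting a library used by a running application; one sentence stating which of these the CVE covers would avoid ambiguity about the id's scope.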