Hacking

with

style

‘94

‘97

‘03

‘14

‘16

‘12

Who am I ?

Is it ?!

11 days later..

White WhiteLocal

Root

Remote

Root

Remote Root

Which Root ?

{XDA}

{Finch}

{Zerodium}

Howto Root ? Finch Style

• Qualcomm CVE-2015-0570• Broadcom CVE-2016-0801 *• MediaTek CVE-2016-2453

Needed • Find the execution path• Prepare PoC

CVE-2016-0801 Execution Path

• char devname[100];• wl_validate_wps_ie()• wl_cfg80211_add_set_beacon()• struct wl_cfg80211_ops = {• .set_beacon =

wl_cfg80211_add_set_beacon• .add_beacon =

wl_cfg80211_add_set_beacon

PoC • Probe Respone Packet

CVE-2016-0801

PoC • Probe Respone Packet

CVE-2016-0801

CVE-2016-0801 Result

• Nexus 5 , Samsung S5, Note5, … ???• DO NOT forget to check IF-ELSE blocks!• wl_cfg80211.c line #7728#if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 4, 0))

.set_beacon = wl_cfg80211_add_set_beacon,

.add_beacon = wl_cfg80211_add_set_beacon,#else

.change_beacon = wl_cfg80211_change_beacon,

.start_ap = wl_cfg80211_start_ap,

.stop_ap = wl_cfg80211_stop_ap,#endif

drivers/net/wireless/bcmdhd/wl_cfg80211.c • wl_cfg80211_change_beacon()

CVE-2016-0801

OthersQualcomm Adreno GPU MSM Driver Heap Overflow • No CVE assigned• (mis)security t = min_t(int, group-

>reg_count, count);• buf = kmalloc(t * sizeof(unsigned int),

GFP_KERNEL);• Bug added June 2014 Bug patched July 2015

(!)• Samsung S5 Avea inTouch

OthersQualcomm MSM Debugfs Arbitrary Write• CVE-2016-2443• /sys/kernel/debug/mddi/reg -rw-r--r-- root root• Root ≠ Root• SELinux context

Nopcon Specials

• Ebook about KASLR (Turkish)

• WPS Probe Response Packet Generator (Github)

(CVE-2016-0801 - PoC)

• Links? Follow @abd_sec

Thanks !---------

Questions ?

@abd_sec@kyabd