Dear all,

I found a vulnerability in my source. It was a buffer overflow attack in the wlan driver.

untrusted_app accesses the wlan driver and tries to attack it using a buffer overflow in wlan_hdd_wext.c. Because of that, untrusted_app gets root permission and changes to the init domain. The init domain then injects supolicy and changes the memory value in /sys/fs/selinux/ to permissive mode.

I also found the patch source:
http://review.cyanogenmod.org/#/c/119801/2/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c

Thank you.

2015-12-08 11:02 GMT+09:00 William Roberts <bill.c.robe...@gmail.com>:
>
> On Dec 7, 2015 5:34 PM, "심현용" <jonesn5...@gmail.com> wrote:
> >
> > Dear William and Stephen.
> >
> > Thank you for your reply.
> >
> > I understand that when the kernel executes init_exec, it will change kernel to init.
> >
> > Dear Stephen.
> >
> > My source already applied the CVE-2015-3636 patch, but it is still rooted by
> > KingRoot.apk.
> >
> > I think it is using another vulnerability.
>
> Kingroot attempts a bunch of vulnerabilities based on what the server
> tells the app. So you have got to have safeguards for all of them, i.e. security
> patches.
>
> >
> > I will check another CVE patch...
> >
> > Thanks for your recommendation.
> >
> >
> > Thanks
> >
> >
> > 2015-12-08 0:42 GMT+09:00 Stephen Smalley <s...@tycho.nsa.gov>:
> >>
> >> On 12/07/2015 04:28 AM, 심현용 wrote:
> >>>
> >>> Dear all
> >>>
> >>> I have more questions about setcon and setenforce.
> >>>
> >>> At Lollipop, init can use setcon and setenforce in init.rc's early-init
> >>> like that:
> >>>
> >>> on early-init
> >>>     # Set init and its forked children's oom_adj.
> >>>     write /proc/1/oom_score_adj -1000
> >>>
> >>>     # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
> >>>     write /sys/fs/selinux/checkreqprot 0
> >>>
> >>>     # Set the security context for the init process.
> >>>     # This should occur before anything else (e.g. ueventd) is started.
> >>>     setcon u:r:init:s0
> >>>
> >>> But from M OS, it was deleted.
> >>>
> >>> I think, if it was deleted, it would operate in the kernel domain.
> >>> But, in M OS, it operated in the init domain.
> >>>
> >>> In case of M OS, how to change the domain from kernel to init in init.rc except
> >>> setcon u:r:init:s0?
> >>> Kingroot.apk uses the init domain by a kernel vulnerability. It will change
> >>> untrusted_app to the init domain, and then use setenforce and setcon.
> >>
> >>
> >> In M, init was changed to re-exec itself to cause an automatic domain
> >> transition rather than relying on setcon. Likewise, the setenforce call
> >> was taken from init.rc to the init code.
> >>
> >> In any event, that isn't relevant to a kernel exploit; the kernel
> >> exploit can just directly set the SID in the credential structure of the
> >> current task to whatever SID it wants. See the CVE-2015-3636 poc for
> >> example.
> >>
> >>
> >
> >
> > _______________________________________________
> > Seandroid-list mailing list
> > Seandroid-list@tycho.nsa.gov
> > To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> > To get help, send an email containing "help" to
> > seandroid-list-requ...@tycho.nsa.gov.
> >
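A defender-side check for the escalation path discussed in this thread (an app process ending up in the init domain, and SELinux flipped to permissive), added here as an example that is not part of the mailing-list discussion. It assumes the old Android toolbox `ps -Z` column layout (LABEL USER PID PPID ... NAME) and the contents of /sys/fs/selinux/enforce; the sample process table is constructed.

```python
"""Heuristic check for the escalation discussed above: a process in the init
domain that is not PID 1, a child of an untrusted_app process running in a
different domain, and SELinux not enforcing. Assumed input: old Android
toolbox `ps -Z` output (LABEL USER PID PPID ... NAME) and /sys/fs/selinux/enforce."""
from collections import namedtuple

Proc = namedtuple("Proc", "label user pid ppid name")

# Constructed sample: PID 1400 is an init-domain shell spawned by an app process.
SAMPLE_PS_Z = """\
LABEL                 USER    PID  PPID  VSIZE  RSS   WCHAN    PC       NAME
u:r:init:s0           root    1    0     8900   600   ffffffff 00000000 S /init
u:r:kernel:s0         root    2    0     0      0     ffffffff 00000000 S kthreadd
u:r:zygote:s0         root    210  1     990000 50000 ffffffff 00000000 S zygote
u:r:untrusted_app:s0  u0_a12  1337 210   880000 40000 ffffffff 00000000 S com.example.app
u:r:init:s0           root    1400 1337  4000   800   ffffffff 00000000 R sh
"""

def domain(label):
    """'u:r:init:s0' -> 'init' (ignores any trailing MLS categories)."""
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else label

def parse_ps_z(text):
    """Map pid -> Proc from `ps -Z` output; the header and short lines are skipped."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] == "LABEL":
            continue
        procs[int(f[2])] = Proc(f[0], f[1], int(f[2]), int(f[3]), f[-1])
    return procs

def find_anomalies(procs, enforce_value):
    """Return (pid, reason) tuples; pid is None for the global enforce check."""
    findings = []
    if enforce_value.strip() != "1":
        findings.append((None, "SELinux not enforcing (enforce=%s)" % enforce_value.strip()))
    for p in procs.values():
        if domain(p.label) == "init" and p.pid != 1:
            findings.append((p.pid, "%s runs in the init domain but is not PID 1" % p.name))
        parent = procs.get(p.ppid)
        if parent and domain(parent.label) == "untrusted_app" and domain(p.label) != "untrusted_app":
            findings.append((p.pid, "%s changed domain from its untrusted_app parent (%s -> %s)"
                             % (p.name, parent.label, p.label)))
    return findings

if __name__ == "__main__":
    for pid, reason in find_anomalies(parse_ps_z(SAMPLE_PS_Z), "0\n"):
        print(pid, reason)
```

On a device, feed it the real `ps -Z` output and the contents of /sys/fs/selinux/enforce instead of the constructed sample.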