fugu Posted March 4, 2015
So in the wake of android malware that is reliant on a phone being rooted, I'm looking at alternatives for the su program, which IMO is the main source for root access. Looking at the su.c source code, I thought it might be easy to add a little bit of code to create a hard-coded password, that would slow malware that relied on su for functionality.

//$ gcc -o sha1_sample1 sha1_sample1.c -lcrypto
//$ ./sha1_sample1
//password> password
//[+] Continue with program...
//$ ./sha1_sample1
//password> wrong
//./sha1_sample1: permission denied

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/sha.h>

#define OK 0
#define NO_INPUT 1
#define TOO_LONG 2

static int getLine (char *prmpt, char *buff, size_t sz) {
    int ch, extra;
    size_t len;

    // Get line with buffer overrun protection.
    if (prmpt != NULL) {
        printf ("%s", prmpt);
        fflush (stdout);
    }
    if (fgets (buff, sz, stdin) == NULL)
        return NO_INPUT;

    // If it was too long, there'll be no newline. In that case, we flush
    // to end of line so that excess doesn't affect the next call.
    // (len == 0 guards against indexing buff[-1] on an empty line.)
    len = strlen(buff);
    if (len == 0 || buff[len-1] != '\n') {
        extra = 0;
        while (((ch = getchar()) != '\n') && (ch != EOF))
            extra = 1;
        return (extra == 1) ? TOO_LONG : OK;
    }

    // Otherwise remove newline and give string back to caller.
    buff[len-1] = '\0';
    return OK;
}

int main(int argc, char **argv) {
    unsigned char digest[SHA_DIGEST_LENGTH];
    SHA_CTX ctx;
    char* string;
    char salt[] = "areallylongsalt";
    char buff[40];
    int rc;

    rc = getLine ("password> ", buff, sizeof(buff));
    if (rc == NO_INPUT) {
        // Extra NL since my system doesn't output that on EOF.
        printf ("\n");
        fprintf(stderr, "%s: permission denied\n", argv[0]);
        return 1;
    } else if (rc == TOO_LONG) {
        fprintf(stderr, "%s: permission denied\n", argv[0]);
        return 1;
    }

    // Concatenate password + fixed salt, then hash the result with SHA-1.
    string = malloc(strlen(salt)+1+sizeof(buff));
    if (string == NULL) {
        fprintf(stderr, "%s: out of memory\n", argv[0]);
        return 1;
    }
    strcpy(string, buff);
    strcat(string, salt);
    //printf("%s\n", string);

    SHA1_Init(&ctx);
    SHA1_Update(&ctx, string, strlen(string));
    SHA1_Final(digest, &ctx);
    free(string);

    //char mdString[SHA_DIGEST_LENGTH*4+1];
    //int i;
    //for(i = 0; i < SHA_DIGEST_LENGTH; i++){
    //    sprintf(&mdString[i*4], "\\x%02x", (unsigned int)digest[i]);
    //}
    //printf("SHA1 digest: %s\n", mdString);

    //passwordareallylongsalt
    //SHA1 digest: \x12\x33\x1e\x67\x16\xdd\x1b\x34\x66\x9a\xcb\x36\xd1\x4b\x04\xd9\x8e\x36\x42\x22

    // Compare with memcmp, not strncmp: the digest is raw bytes, and a
    // 0x00 byte inside it would make strncmp stop comparing early.
    if (memcmp(digest, "\x12\x33\x1e\x67\x16\xdd\x1b\x34\x66\x9a\xcb\x36\xd1\x4b\x04\xd9\x8e\x36\x42\x22", SHA_DIGEST_LENGTH) != 0) {
        fprintf(stderr, "%s: permission denied\n", argv[0]);
        return 1;
    }
    printf("[+] Continue with program...\n");
    return 0;
}
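A password check in the shape the post is aiming for, written for this thread as an added example (not fugu's code, and in Python rather than C so the verification logic is easy to read): it keeps the posted scheme (one SHA-1 over password + the fixed salt) beside a verifier that uses a slow KDF, a random per-install salt and a constant-time comparison. ITERATIONS, the record format and the function names are assumptions chosen here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example, not the forum poster's code.
FIXED_SALT = b"areallylongsalt"   # the constant salt from the posted su patch
ITERATIONS = 200_000              # PBKDF2 work factor (assumed value)


def weak_digest(password: bytes) -> bytes:
    """The posted scheme: SHA1(password || fixed salt).

    One fast hash with a salt that is the same on every device, so one
    precomputed table covers every install that ships this binary.
    """
    return hashlib.sha1(password + FIXED_SALT).digest()


def make_record(password: bytes, salt: Optional[bytes] = None) -> str:
    """Hash a password for storage as pbkdf2_sha256$iterations$salt$key."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify(password: bytes, record: str) -> bool:
    """Check a password against a stored record; False on any malformed input."""
    try:
        algo, iters, salt_hex, key_hex = record.split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        iterations = int(iters)
    except ValueError:            # wrong field count, bad hex or bad integer
        return False
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    # compare_digest does not stop at the first differing byte (no timing
    # leak) and, unlike strncmp() on raw digest bytes, is not cut short by 0x00.
    return hmac.compare_digest(candidate, stored)
```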
cooper Posted March 4, 2015
Why not simply rename 'su' to 'mysu' and write a script called su containing the following:

#!/bin/sh
echo "Piss off, will ya!"
fugu Posted March 4, 2015 (edited)
Well, because mysu would still be a gaping security hole. I wanted something that would only function if you had the correct password. If someone were to get a user shell on the phone, they might be able to figure out security through obscurity.
Edited March 4, 2015 by fugu
cooper Posted March 4, 2015 (edited)
But doesn't su use pam to demand credentials of some sort for non-whitelisted commands, or is that only on PCs these days because people found it too bothersome on their phone? In other words, is su in fact a gaping security hole, or is it simply being built/configured wrong?
Edited March 4, 2015 by Cooper
fugu Posted March 6, 2015
idk of pam for android, but I'm still pretty new to the OS. I do know that messing around with and testing an android shell, it never asks me for a password. I've heard that android has things like iptables, but I haven't gotten there yet. It'd be real nice if it worked just like a full blown PC, which is what I'm most familiar with. (BTW the android source for su.c is at https://android.googlesource.com/platform/system/extras/+/master/su/su.c, I didn't see any mention of pam, not sure if it'd be there anyway, but it does some checking of the UID)
cooper Posted March 6, 2015 (edited)
It depends upon the setuid + setgid functions which have been severely restricted in Android 4.3, so the best solution by far seems to be to upgrade your Android. Is the 'login' program present? Since you could simply force a re-login as root as your only means to gain root.
Edited March 6, 2015 by Cooper