Jump to content

Cellphone su that is more secure


fugu
 Share

Recommended Posts

So in the wake of android malware that is reliant on a phone being rooted, I'm looking at alternatives for the su program, which IMO is main source for root access. Looking at the su.c source code, I thought it might be easy to add a little bit of code to create a hard-coded password, that would slow malware that relied on su for functionality.

//$ gcc -o sha1_sample1 sha1_sample1.c -lcrypto
//$ ./sha1_sample1
//password> password
//[+] Continue with program...
//$ ./sha1_sample1
//password> wrong
//./sha1_sample1: permission denied
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/sha.h>

#define OK       0
#define NO_INPUT 1
#define TOO_LONG 2

static int getLine (char *prmpt, char *buff, size_t sz) {
    int ch, extra;

    // Get line with buffer overrun protection.
    if (prmpt != NULL) {
        printf ("%s", prmpt);
        fflush (stdout);
    }
    if (fgets (buff, sz, stdin) == NULL)
        return NO_INPUT;

    // If it was too long, there'll be no newline. In that case, we flush
    // to end of line so that excess doesn't affect the next call.
    if (buff[strlen(buff)-1] != '\n') {
        extra = 0;
        while (((ch = getchar()) != '\n') && (ch != EOF))
            extra = 1;
        return (extra == 1) ? TOO_LONG : OK;
    }

    // Otherwise remove newline and give string back to caller.
    buff[strlen(buff)-1] = '\0';
    return OK;
}

int main(int argc, char **argv)
{
    unsigned char digest[SHA_DIGEST_LENGTH];
    SHA_CTX ctx;
    char* string;
    char salt[] = "areallylongsalt";
    char buff[40];
    int i, rc;
    
    rc = getLine ("password> ", buff, sizeof(buff));
    if (rc == NO_INPUT) {
        // Extra NL since my system doesn't output that on EOF.
        printf ("\n");
        fprintf(stderr, "%s: permission denied\n", argv[0]);
        return 1;
    }else if (rc == TOO_LONG) {
        fprintf(stderr, "%s: permission denied\n", argv[0]);
        return 1;
    }

    string = malloc(strlen(salt)+1+sizeof(buff));
    strcpy(string, buff);
    strcat(string, salt);
    //printf("%s\n", string);

    SHA1_Init(&ctx);
    SHA1_Update(&ctx, string, strlen(string));
    SHA1_Final(digest, &ctx);

    //char mdString[SHA_DIGEST_LENGTH*4+1];
    //for(i = 0; i < SHA_DIGEST_LENGTH; i++){
    //     sprintf(&mdString[i*4], "\\x%02x", (unsigned int)digest[i]);
    //}
    //printf("SHA1 digest: %s\n", mdString);
    //passwordareallylongsalt
    //SHA1 digest: \x12\x33\x1e\x67\x16\xdd\x1b\x34\x66\x9a\xcb\x36\xd1\x4b\x04\xd9\x8e\x36\x42\x22
    if(strncmp(digest, "\x12\x33\x1e\x67\x16\xdd\x1b\x34\x66\x9a\xcb\x36\xd1\x4b\x04\xd9\x8e\x36\x42\x22", 20) != 0){
        printf("%s: permission denied\n", argv[0]);
        return 1;
    }

    printf("[+] Continue with program...\n");
    return 0;
}
Link to comment
Share on other sites

Why not simply rename 'su' so 'mysu' and write a script called su containing the following:

#!/bin/sh
echo "Piss off, will ya!"
Link to comment
Share on other sites

well because mysu would still be a gapping security hole. I wanted something that would only function if you had the correct password. If someone were to get a user shell on the phone, they might be able to figure out security through obscurity.

Edited by fugu
Link to comment
Share on other sites

But doesn't su use pam to demand credentials of some sort for non-whitelisted commands, or is that only on PCs these days because people found it too bothersome on their phone?

In other words, is su in fact a gaping security hole, or is it simply being built/configured wrong?

Edited by Cooper
Link to comment
Share on other sites

idk of pam for android, but I'm still pretty new to the OS. I do know that messing around with and testing an android shell, it never asks me for a password. I've heard that android has things like iptables, but I havn't gotten there yet. I'd be real nice if it worked just like a full blown PC, which is what I'm most familiar with.

(BTW the android source for su.c is at https://android.googlesource.com/platform/system/extras/+/master/su/su.c, i didn't see any mention of pam, not sure if it'd be there anyway, but it does some checking of the UID)

Link to comment
Share on other sites

It depends upon the setuid + setgid functions which have been severely restricted in Android 4.3 so the best solution by far seems to be to upgrade your Android.

Is the 'login' program present? Since you could simply force a re-login as root as your only means to gain root.

Edited by Cooper
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...