Full Disclosure mailing list archives

Re: debugfs exploit for a number of Android devices


From: Alexander Pruss <arpruss () gmail com>
Date: Sat, 1 Sep 2012 16:33:47 -0500

On Wed, Aug 15, 2012 at 8:10 AM, Dan Rosenberg
<dan.j.rosenberg () gmail com> wrote:
> The sane way to exploit this is to make /data shell-writable, and create or
> modify /data/local.prop to contain the string "ro.kernel.qemu=1", which
> causes ADB to retain root privileges rather than dropping to user "shell"
> since this property convinces it that the device is the emulator.  Using
> debugfs to modify the filesystem is completely unnecessary and potentially
> destructive.

Actually, it looks like it's not quite so easy as editing
/data/local.prop.  My wife just got an Epic 4G Touch with ICS, and it
looks like they put ro.kernel.qemu=0 in /system/build.prop, which
makes any ro.kernel.qemu=1 setting in /data/local.prop get completely
ignored.  That's a nice and simple way of getting around many ways of
gaining root.  I may break down and use debugfs. :-(

Alex

-- 
Alexander R. Pruss
arpruss () gmail com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
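The exchange above turns on Android's property precedence: init loads /system/build.prop before /data/local.prop, and a property whose name starts with "ro." keeps the first value assigned to it, so a vendor pin of ro.kernel.qemu=0 in build.prop shadows any later ro.kernel.qemu=1. The following added example (not part of the thread or of Android's own code) models that rule over constructed sample files so an auditor can see which value actually takes effect and flag a /data/local.prop entry that tries to set ro.kernel.qemu on a physical device. The load order and the first-setter-wins behaviour for ro.* properties are assumptions stated in the code; the file contents are constructed, not captured from a device.

```python
"""Audit Android-style property files for the ro.kernel.qemu setting.

Added example, not code from the mailing-list thread or from Android.
Assumptions (labelled): init reads /system/build.prop before
/data/local.prop, and a property whose name starts with "ro." keeps the
first value assigned to it; later assignments to it are ignored.
"""

from typing import Dict, List, Tuple

# Constructed sample file contents, given in the assumed load order.
BUILD_PROP = """# constructed sample of /system/build.prop
ro.build.version.release=4.0.4
ro.kernel.qemu=0
ro.secure=1
"""

LOCAL_PROP = """# constructed sample of /data/local.prop
ro.kernel.qemu=1
"""

PropFile = Tuple[str, str]  # (file name, file contents)


def parse_props(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines, '#' comments and malformed lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def effective_props(files: List[PropFile]) -> Dict[str, str]:
    """Merge property files in load order, applying first-setter-wins to ro.* keys."""
    merged: Dict[str, str] = {}
    for _name, text in files:
        for key, value in parse_props(text).items():
            if key.startswith("ro.") and key in merged:
                continue  # read-only property already set: later value is ignored
            merged[key] = value
    return merged


def adbd_keeps_root(props: Dict[str, str]) -> bool:
    """Per the thread: adbd stays root when the effective ro.kernel.qemu is 1."""
    return props.get("ro.kernel.qemu") == "1"


def audit_qemu_setting(files: List[PropFile]) -> List[dict]:
    """List every file that sets ro.kernel.qemu and whether its value takes effect.

    On a physical device any entry from /data/local.prop is worth flagging
    as a persistence indicator even when a build.prop pin neutralises it.
    """
    findings = []
    first_setter = None
    for name, text in files:
        value = parse_props(text).get("ro.kernel.qemu")
        if value is None:
            continue
        findings.append({"file": name, "value": value,
                         "effective": first_setter is None})
        if first_setter is None:
            first_setter = name
    return findings


if __name__ == "__main__":
    pinned = [("/system/build.prop", BUILD_PROP), ("/data/local.prop", LOCAL_PROP)]
    for finding in audit_qemu_setting(pinned):
        print(finding)
    print("adbd keeps root:", adbd_keeps_root(effective_props(pinned)))
```

Running the block with the constructed files reports the build.prop entry as effective and the local.prop entry as shadowed, and the effective value stays 0, which is the behaviour Alex observed. Dropping the build.prop pin from the load list flips the result, which is the unpinned case Dan describes.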
