Developers looking for exploits to gain root access on devices running Linux kernel 2.6.39 or above should take a look at a posting on GitHub by the well-known Jay Freeman, a.k.a. Saurik. He has put together an implementation of an exploit for CVE-2012-0056, a local privilege escalation via writes to /proc/pid/mem, which was discovered by Jüri Aedla and written up by Jason A. Donenfeld in a post that reached the front page of Hacker News.
Devices running this kernel version include those on Ice Cream Sandwich, such as the Galaxy Nexus or the Asus Transformer Prime. An exploit of this type can help in loading custom software onto devices with locked bootloaders, like the Transformer Prime running Android 4.0.3. Note that the kernel version is only a floor: a device whose vendor has backported the fix will report the same version yet not be exploitable.
Today on Hacker News (where I sadly get much of my news), the post “Linux Local Privilege Escalation via SUID /proc/pid/mem Write” hit the front page. This article was by Jason A. Donenfeld (zx2c4), and documented how he managed to exploit CVE-2012-0056, a seemingly silly mistake that was recently found in the Linux kernel by Jüri Aedla.
Obviously, I was intrigued, and then spent the next few hours learning exactly how it works and putting together an implementation of the exploit for Android. It requires the device to have Linux kernel 2.6.39 or above, which happens to include the Galaxy Nexus (one of the various phones I luckily have sitting around for testing software on ;P).
Of course, the Galaxy Nexus can be rooted quite easily (with a big thank you to Google for being awesome!), so this isn’t terribly important or useful: Android 3.1 runs 2.6.36 (too early to be exploited) and there aren’t any devices other than the Galaxy Nexus running Android 4.0 (other, of course, than already-rooted ones using custom installs ;P).
That said, I found it interesting, and I seriously burst out laughing when I read the article by Jason A. Donenfeld, as I found this particular exploit to simply be “that awesome”. There is also always the possibility that there might actually be a device out there where this ends up being useful, so I figured I’d throw it up on GitHub.
If you think this exploit could aid you in your work, check out Saurik’s posting on GitHub, where you can also download it. For further reading on just how the exploit works, dig into the details in Donenfeld’s write-up, linked from Hacker News.
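As an added example (not code from this post, from Saurik’s repository, or from Donenfeld’s write-up), here is a small C program that parses a Linux release string and reports whether the kernel is at or above 2.6.39, the floor the post gives for this exploit. It assumes the release string has the usual major.minor[.patch][-suffix] form as returned by uname(); the sample strings in the test are constructed. A positive answer only means the kernel is new enough to carry the affected /proc/pid/mem write path, not that it is unpatched, since vendors backport fixes without bumping the version number.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

/*
 * Parse "major.minor[.patch][-anything]" (e.g. "2.6.39-gabc123", "3.0.8")
 * into its numeric parts.  Anything after the third number, or after a
 * non-numeric character, is ignored.  Returns 1 on success, 0 if the string
 * does not begin with at least "major.minor".  Example code, not from the post.
 */
int parse_kernel_release(const char *release, int *major, int *minor, int *patch)
{
    const char *s = release;
    char *end;
    long v[3] = {0, 0, 0};
    int n = 0;

    while (n < 3) {
        v[n] = strtol(s, &end, 10);
        if (end == s || v[n] < 0)
            break;                  /* no digits at this position */
        n++;
        if (*end != '.')
            break;                  /* end of string or vendor suffix */
        s = end + 1;
    }
    if (n < 2)
        return 0;                   /* need at least major.minor */
    *major = (int)v[0];
    *minor = (int)v[1];
    *patch = (int)v[2];
    return 1;
}

/* Lexicographic compare of (ma, mi, pa) against (tma, tmi, tpa): <0, 0, >0. */
int compare_kernel_version(int ma, int mi, int pa, int tma, int tmi, int tpa)
{
    if (ma != tma) return ma < tma ? -1 : 1;
    if (mi != tmi) return mi < tmi ? -1 : 1;
    if (pa != tpa) return pa < tpa ? -1 : 1;
    return 0;
}

/*
 * 1 if the release names a kernel at or above 2.6.39 (the floor the post
 * gives for CVE-2012-0056), 0 if older, -1 if the string is unparseable.
 * Being at or above the floor is necessary, not sufficient: a backported
 * fix leaves the version number unchanged.
 */
int mem_write_floor_reached(const char *release)
{
    int ma, mi, pa;
    if (!parse_kernel_release(release, &ma, &mi, &pa))
        return -1;
    return compare_kernel_version(ma, mi, pa, 2, 6, 39) >= 0 ? 1 : 0;
}

int main(void)
{
    struct utsname u;
    int r;

    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    r = mem_write_floor_reached(u.release);
    if (r == 1)
        printf("kernel %s: >= 2.6.39, CVE-2012-0056 possible unless the fix was backported\n", u.release);
    else if (r == 0)
        printf("kernel %s: below 2.6.39, not affected\n", u.release);
    else
        printf("kernel %s: could not parse release string\n", u.release);
    return 0;
}
```

Compile with `gcc -o kcheck kcheck.c` and run it on the device (for Android, cross-compile with the NDK and push it over adb). Treat a "possible" result as a prompt to try the exploit, not as proof of vulnerability.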