Nytro

Android Cheatsheet: Vuln/Exploit List (privesc)


Android Cheatsheet (updates to dweinst@insitusec.com): Vuln/Exploit List (privesc)

| Vulnerability/Exploit name | release date | author | effect (root, unlock, ...) | notes | link(s) |
|---|---|---|---|---|---|
| psneuter | | scotty2 | root | | https://github.com/tmzt/g2root-kmod/blob/master/scotty2/psneuter/psneuter.c |
| Exploid | 7/15/2010 | Stealth | root | | C-skills: android trickery |
| GingerBreak | 5/26/2011 | Stealth | root | | C-skills: yummy yummy, GingerBreak! |
| RageAgainstTheCage | | Stealth | root | | |
| KillingInTheNameOf | | Stealth | root | | C-skills: adb trickery #2 |
| Zimperlich | 2/24/2011 | Stealth | | | C-skills: Zimperlich sources |
| Zergrush | | Revolutionary | root | | https://github.com/revolutionary/zergRush/blob/master/zergRush.c ; Revolutionary - zergRush local root 2.2/2.3 [22-10: Samsung/SE update] - xda-developers |
| Tacoroot | | jcase | root | HTC Recovery symlink attack to local.prop from /data/recovery/something. bliss found first, but was too slow! | https://github.com/CunningLogic/TacoRoot |
| Nachoroot | | jcase | root | AMI304 Magnetic Sensor, symlink to local.prop. | https://github.com/CunningLogic/NachoRoot |
| Burritoroot | | jcase | root | Typo prevented app from sending a debugging intent, caused adb to run as root | https://github.com/CunningLogic/BurritoRoot |
| Gorditaroot | | jcase | install custom recovery or root | Similar to Nachoroot, different path, AMI304 Magnetic Sensor, symlink to recovery mtd device | https://github.com/CunningLogic/GorditaRoot |
| Enchilada | | jcase | root | System left r/w & internal memory left as ext4? I think. Symlink attack from DCIM dir to install-recovery.sh | https://github.com/CunningLogic/Enchilada |
| ZTERoot (Avail) | | jcase | root | ~70 ridiculous intents left over from engineering. Stupid OEM. | https://github.com/CunningLogic/ZTERoot ; [Exclusive] Developer Codes Left In Retail ZTE Avail (AT&T) Offer Quick And Easy Root Access |
| ZTERoot (Merit) | | jcase | root | Symlink attack from debugging/logging app | [ROOT] ZTE z990g Merit (An avail variant?) - xda-developers |
| LG ICS Root | | jcase | root | Symlink attack | [ROOT] LG Intuition & LG Spectrum ICS - xda-developers |
| DefyXT Root | | jcase | root | Unprotected intent allowing various permission changes. | [Root] Republic Wireless Motorola Defy XT - xda-developers |
| Cyanide | | jcase | root | DefyXT Root Loggerlauncher changing permissions, system mounted r/w | https://github.com/CunningLogic/Cyanide |
| LG Optimus Logic | | jcase | root | | |
| LG Optimus Elite | | jcase | root | LG not verifying integrity of system partition when flashing through download mode. TOT images are patchable. Probably valid on all LG devices. | [Exclusive] How To Root The Virgin Mobile LG Optimus Elite |
| Pantech | | jcase | root | Pantech does not verify integrity of system partition when flashing through download mode. PDL images are patchable. | unpublished |
| HTC DNA | | jcase | enable unlocking | Backup manager sets /data 777, then symlink to mmcblk0p5 to change CID. Not root, but enables bootloader unlock | [unlock] Bootloader unlock - Updated November 26th 2012 - xda-developers |
| HTC One X AT&T | | jcase | root | HTC Ready2go webapp triggering chmod 777 on file in world-writable dir. Lasted a whole 4 hours. | [Exclusive] How To Root The AT&T HTC One X On Version 1.85 (Or Earlier) |
| Hisense Pulse | | cj_000 | root | ro.debuggable=1 on initial firmware | |
| Generic LG | | ? | root | ro.debuggable=1 on some older LGs | unpublished |
| LG ADB Backdoor | | Giantpune | root | Backdoor, restarts adb as root with key | |
| Poot | | Giantpune | root | Qualcomm diag device | |
| Lit | | Giantpune | root | LG Backlight | |
| ZTE Backdoor | | "Anonymous" | root | binary spawned root shell, password protected. | |
| HTC Eris 2.1 Root | | wag3slav3 | install custom recovery | symlink attack from /data/local/something to recovery block device | ? XDA Forums |
| Droid 3 Root | 8/25/2011 | bliss | root | symlink attack from /data/local/something to local.prop | Security Research by Dan Rosenberg |
| Motofail | 2/11/2012 | bliss | root | symlink attack on /data/dontpanic and /data/logger | http://vulnfactory.org/public/motofail_windows.zip |
| XYZ | 2/17/2012 | bliss | root | symlink attack on /pds/public/battd, /data/dontpanic, and /data/logger | http://vulnfactory.org/public/xyz_windows.zip |
| LG Spectrum Root | 2/19/2012 | bliss | root | symlink attack on /data/gpscfg/gps_env.conf | http://vulnfactory.org/public/spectrum_root_windows.zip |
| Megatron | 2/26/2012 | bliss | root | symlink attack on com.ti.fmrxapp | Security Research by Dan Rosenberg |
| LG Esteem Root | 2/15/2012 | bliss | root | symlink attack on /data/bootlogo/bootlogopid | http://vulnfactory.org/public/LG_Esteem_Root_v2_Windows.zip |
| Razr's Edge | 6/21/2012 | bliss | root | symlink attack on /data/local/12m | http://vulnfactory.org/public/razrs_edge_windows.zip |
| Razr Blade | 1/15/2013 | bliss | root | symlink attack on /data/dontpanic, overwriting SmartActions .jar file to run code as system | http://vulnfactory.org/public/razr_blade.zip |
| X-Factor | 10/23/2012 | bliss | change CID | symlink attack on telephony ADB restore to change permissions on /dev/diag, followed by kernel exploit (same as Poot) | [ROOT] HTC One X AT&T 2.20 Firmware - X-Factor root exploit - xda-developers |
| Samsung Admire Root | 9/12/2011 | bliss | root | symlink attack on /data/log/dumpState_app_native.log | Security Research by Dan Rosenberg |
| Thinkpad Tablet | 1/22/2012 | bliss | root | symlink attack on Lenovo Mobility Manager | http://vulnfactory.org/public/Thinkpad_Root_Windows.zip |
| Sony Tablet S | 2/8/2012 | bliss | root | symlink attack on /log to change package.list, followed by symlink attack on "pm" (replace "lib" directory of system app to remove arbitrary files) | Security Research by Dan Rosenberg |
| Xoomfail | 2/18/2012 | bliss | root | cmdclient changed perms on /data to 0777 by design | Security Research by Dan Rosenberg |
| Motofail2Go | 10/16/2012 | bliss | root | symlink attack on data directory for bug2go | http://vulnfactory.org/public/motofail2go_windows.zip |
| XPRT | 10/8/2012 | bliss | root | symlink attack on /data/dontpanic | http://vulnfactory.org/public/xprt_root_windows.zip |
| Nandpwn | 8/4/2012 | bliss | root | Ridiculousness on Logitech Revue | https://github.com/djrbliss/revue/tree/master/nandpwn |
| Motochopper | 4/9/2013 | bliss | root | | http://vulnfactory.org/public/motochopper.zip |
| ADB Restore Root | | bin4ry | root | | |
| Exynos-abuse | | alephzain | root | Access to system memory through /dev/exynos-mem on Exynos devices | [ROOT][SECURITY] Root exploit on Exynos - xda-developers |
| IconiaRoot | | alephzain | root | | [ROOT][SECURITY] Root exploit on Exynos - xda-developers |
| fr3vo | | Kevin Bruckert | root | Arbitrary kernel write in Qualcomm's MSM rotator | |
| levitator | | Jon Larimer, Jon Oberheide | root | Out-of-bounds memory mapping in pvrsrvkm | http://jon.oberheide.org/files/levitator.c |
| mempodroid | | saurik/zx2c4 | root | Bad kernel jazz with /proc/pid/mem and suid binaries | |
| asroot (Wunderbar?) | | zinx | root | | http://code.google.com/p/flashrec/source/browse/#svn%2Ftrunk%2Fandroid-root |
| Samsung Infuse 4G | 1/3/2012 | Michael Coppola | root | symlink attack on /data/data/.drm/.wmdrm/sample.hds | Rooting the Samsung Infuse 4G - Michael Coppola's Blog |
