Nytro

Android Cheatsheet: Vuln/Exploit List (privesc)


[TABLE=width: 100%]
[TR][TD]Android Cheatsheet (updates to dweinst@insitusec.com) : Vuln/Exploit List (privesc)[/TD][/TR]
[/TABLE]

[TABLE=class: tblGenFixed]
[TR][TD]Vulnerability/Exploit name[/TD][TD]release date[/TD][TD]author[/TD][TD]effect (root, unlock,...)[/TD][TD]notes[/TD][TD]link[/TD][TD]link (2)[/TD][/TR]
[TR][TD]psneuter[/TD][TD][/TD][TD]scotty2[/TD][TD]root[/TD][TD][/TD][TD]https://github.com/tmzt/g2root-kmod/blob/master/scotty2/psneuter/psneuter.c[/TD][TD][/TD][/TR]
[TR][TD]Exploid[/TD][TD]7/15/2010[/TD][TD]Stealth[/TD][TD]root[/TD][TD][/TD][TD]C-skills: android trickery[/TD][TD][/TD][/TR]
[TR][TD]GingerBreak[/TD][TD]5/26/2011[/TD][TD]Stealth[/TD][TD]root[/TD][TD][/TD][TD]C-skills: yummy yummy, GingerBreak![/TD][TD][/TD][/TR]
[TR][TD]RageAgainstTheCage[/TD][TD][/TD][TD]Stealth[/TD][TD]root[/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]KillingInTheNameOf[/TD][TD][/TD][TD]Stealth[/TD][TD]root[/TD][TD][/TD][TD]C-skills: adb trickery #2[/TD][TD][/TD][/TR]
[TR][TD]Zimperlich[/TD][TD]2/24/2011[/TD][TD]Stealth[/TD][TD][/TD][TD][/TD][TD]C-skills: Zimperlich sources[/TD][TD][/TD][/TR]
[TR][TD]Zergrush[/TD][TD][/TD][TD]Revolutionary[/TD][TD]root[/TD][TD][/TD][TD]https://github.com/revolutionary/zergRush/blob/master/zergRush.c[/TD][TD]Revolutionary - zergRush local root 2.2/2.3 [22-10: Samsung/SE update] - xda-developers[/TD][/TR]
[TR][TD]Tacoroot[/TD][TD][/TD][TD]jcase[/TD][TD]root[/TD][TD]HTC Recovery symlink attack to local.prop from /data/recovery/something. bliss found first, but was too slow![/TD][TD]https://github.com/CunningLogic/TacoRoot[/TD][TD][/TD][/TR]
[TR][TD]Nachoroot[/TD][TD][/TD][TD]jcase[/TD][TD]root[/TD][TD]AMI304 Magnetic Sensor, symlink to local.prop.[/TD][TD]https://github.com/CunningLogic/NachoRoot[/TD][TD][/TD][/TR]
[TR][TD]Burritoroot[/TD][TD][/TD][TD]jcase[/TD][TD]root[/TD][TD]Typo prevented app from sending a debugging intent, caused adb to run as root[/TD][TD]https://github.com/CunningLogic/BurritoRoot[/TD][TD][/TD][/TR]
[TR][TD]Gorditaroot[/TD][TD][/TD][TD]jcase[/TD][TD]install custom recovery or root[/TD][TD]Similar to Nachoroot, different path, AMI304 Magnetic Sensor, symlink to recovery mtd device[/TD][TD]https://github.com/CunningLogic/GorditaRoot[/TD][TD][/TD][/TR]
[TR][TD]Enchilada[/TD][TD][/TD][TD]jcase[/TD][TD]root[/TD][TD]System left r/w & internal memory left as ext4? I think. Symlink attack from DCIM dir to install-recovery.sh[/TD][TD]https://github.com/CunningLogic/Enchilada[/TD][TD][/TD][/TR]
[TR][TD]ZTERoot (Avail)[/TD][TD][/TD][TD]jcase[/TD][TD]root[/TD][TD]~70 ridiculous intents left over from engineering. Stupid OEM.[/TD][TD]https://github.com/CunningLogic/ZTERoot[/TD][TD][Exclusive] Developer Codes Left In Retail ZTE Avail (AT&T) Offer Quick And Easy Root Access[/TD][/TR]
[TR][TD]ZTERoot (Merit)[/TD][TD][/TD][TD]jcase[/TD][TD]root[/TD][TD]Symlink attack from debugging/logging app[/TD][TD][ROOT] ZTE z990g Merit (An avail variant?) - xda-developers[/TD][TD][/TD][/TR]
[TR][TD]LG ICS Root[/TD][TD][/TD][TD]jcase[/TD][TD]root[/TD][TD]Symlink attack[/TD][TD][ROOT] LG Intuition & LG Spectrum ICS - xda-developers[/TD][TD][/TD][/TR]
[TR][TD]DefyXT Root[/TD][TD][/TD][TD]jcase[/TD][TD]root[/TD][TD]Unprotected intent allowing various permission changes.[/TD][TD][Root] Republic Wireless Motorola Defy XT - xda-developers[/TD][TD][/TD][/TR]
[TR][TD]Cyanide[/TD][TD][/TD][TD]jcase[/TD][TD]root[/TD][TD]DefyXT Root Loggerlancher changing permissions, system mounted r/w[/TD][TD]https://github.com/CunningLogic/Cyanide[/TD][TD][/TD][/TR]
[TR][TD]LG Optimus Logic[/TD][TD][/TD][TD]jcase[/TD][TD]root[/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]LG Optimus Elite[/TD][TD][/TD][TD]jcase[/TD][TD]root[/TD][TD]LG not verifying integrity of system partition when flashing through download mode. TOT images are patchable. Probably valid on all LG devices.[/TD][TD][Exclusive] How To Root The Virgin Mobile LG Optimus Elite[/TD][TD][/TD][/TR]
[TR][TD]Pantech[/TD][TD][/TD][TD]jcase[/TD][TD]root[/TD][TD]Pantech does not verify integrity of system partition when flashing through download mode. PDL images are patchable.[/TD][TD]unpublished[/TD][TD][/TD][/TR]
[TR][TD]HTC DNA[/TD][TD][/TD][TD]jcase[/TD][TD]enable unlocking[/TD][TD]Backupmanager sets /data 777, then symlink to mmcblk0p5 to change CID. Not root, but enables bootloader unlock[/TD][TD][unlock] Bootloader unlock - Updated November 26th 2012 - xda-developers[/TD][TD][/TD][/TR]
[TR][TD]HTC One X AT&T[/TD][TD][/TD][TD]jcase[/TD][TD]root[/TD][TD]HTC Ready2go webapp triggering chmod 777 on file in world writable dir. Lasted a whole 4 hours.[/TD][TD][Exclusive] How To Root The AT&T HTC One X On Version 1.85 (Or Earlier)[/TD][TD][/TD][/TR]
[TR][TD]Hisense Pulse[/TD][TD][/TD][TD]cj_000[/TD][TD]root[/TD][TD]ro.debuggable=1 on initial firmware[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Generic LG[/TD][TD][/TD][TD]?[/TD][TD]root[/TD][TD]ro.debuggable=1 on some older LGs[/TD][TD]unpublished[/TD][TD][/TD][/TR]
[TR][TD]LG ADB Backdoor[/TD][TD][/TD][TD]Giantpune[/TD][TD]root[/TD][TD]Backdoor, restarts adb as root with key[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Poot[/TD][TD][/TD][TD]Giantpune[/TD][TD]root[/TD][TD]Qualcomm diag device[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Lit[/TD][TD][/TD][TD]Giantpune[/TD][TD]root[/TD][TD]LG Backlight[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]ZTE Backdoor[/TD][TD][/TD][TD]"Anonymous"[/TD][TD]root[/TD][TD]binary spawned root shell, password protected.[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]HTC Eris 2.1 Root[/TD][TD][/TD][TD]wag3slav3[/TD][TD]install custom recovery[/TD][TD]symlink attack from /data/local/something to recovery block device[/TD][TD]? XDA Forums[/TD][TD][/TD][/TR]
[TR][TD]Droid 3 Root[/TD][TD]8/25/2011[/TD][TD]bliss[/TD][TD]root[/TD][TD]symlink attack from /data/local/something to local.prop[/TD][TD]Security Research by Dan Rosenberg[/TD][TD][/TD][/TR]
[TR][TD]Motofail[/TD][TD]2/11/2012[/TD][TD]bliss[/TD][TD]root[/TD][TD]symlink attack on /data/dontpanic and /data/logger[/TD][TD]http://vulnfactory.org/public/motofail_windows.zip[/TD][TD][/TD][/TR]
[TR][TD]XYZ[/TD][TD]2/17/2012[/TD][TD]bliss[/TD][TD]root[/TD][TD]symlink attack on /pds/public/battd, /data/dontpanic, and /data/logger[/TD][TD]http://vulnfactory.org/public/xyz_windows.zip[/TD][TD][/TD][/TR]
[TR][TD]LG Spectrum Root[/TD][TD]2/19/2012[/TD][TD]bliss[/TD][TD]root[/TD][TD]symlink attack on /data/gpscfg/gps_env.conf[/TD][TD]http://vulnfactory.org/public/spectrum_root_windows.zip[/TD][TD][/TD][/TR]
[TR][TD]Megatron[/TD][TD]2/26/2012[/TD][TD]bliss[/TD][TD]root[/TD][TD]symlink attack on com.ti.fmrxapp[/TD][TD]Security Research by Dan Rosenberg[/TD][TD][/TD][/TR]
[TR][TD]LG Esteem Root[/TD][TD]2/15/2012[/TD][TD]bliss[/TD][TD]root[/TD][TD]symlink attack on /data/bootlogo/bootlogopid[/TD][TD]http://vulnfactory.org/public/LG_Esteem_Root_v2_Windows.zip[/TD][TD][/TD][/TR]
[TR][TD]Razr's Edge[/TD][TD]6/21/2012[/TD][TD]bliss[/TD][TD]root[/TD][TD]symlink attack on /data/local/12m[/TD][TD]http://vulnfactory.org/public/razrs_edge_windows.zip[/TD][TD][/TD][/TR]
[TR][TD]Razr Blade[/TD][TD]1/15/2013[/TD][TD]bliss[/TD][TD]root[/TD][TD]symlink attack on /data/dontpanic, overwriting SmartActions .jar file to run code as system[/TD][TD]http://vulnfactory.org/public/razr_blade.zip[/TD][TD][/TD][/TR]
[TR][TD]X-Factor[/TD][TD]10/23/2012[/TD][TD]bliss[/TD][TD]change CID[/TD][TD]symlink attack on telephony ADB restore to change permissions on /dev/diag, followed by kernel exploit (same as Poot)[/TD][TD][ROOT] HTC One X AT&T 2.20 Firmware - X-Factor root exploit - xda-developers[/TD][TD][/TD][/TR]
[TR][TD]Samsung Admire Root[/TD][TD]9/12/2011[/TD][TD]bliss[/TD][TD]root[/TD][TD]symlink attack on /data/log/dumpState_app_native.log[/TD][TD]Security Research by Dan Rosenberg[/TD][TD][/TD][/TR]
[TR][TD]Thinkpad Tablet[/TD][TD]1/22/2012[/TD][TD]bliss[/TD][TD]root[/TD][TD]symlink attack on Lenovo Mobility Manager[/TD][TD]http://vulnfactory.org/public/Thinkpad_Root_Windows.zip[/TD][TD][/TD][/TR]
[TR][TD]Sony Tablet S[/TD][TD]2/8/2012[/TD][TD]bliss[/TD][TD]root[/TD][TD]symlink attack on /log to change package.list, followed by symlink attack on "pm" (replace "lib" directory of system app to remove arbitrary files)[/TD][TD]Security Research by Dan Rosenberg[/TD][TD][/TD][/TR]
[TR][TD]Xoomfail[/TD][TD]2/18/2012[/TD][TD]bliss[/TD][TD]root[/TD][TD]cmdclient changed perms on /data to 0777 by design[/TD][TD]Security Research by Dan Rosenberg[/TD][TD][/TD][/TR]
[TR][TD]Motofail2Go[/TD][TD]10/16/2012[/TD][TD]bliss[/TD][TD]root[/TD][TD]symlink attack on data directory for bug2go[/TD][TD]http://vulnfactory.org/public/motofail2go_windows.zip[/TD][TD][/TD][/TR]
[TR][TD]XPRT[/TD][TD]10/8/2012[/TD][TD]bliss[/TD][TD]root[/TD][TD]symlink attack on /data/dontpanic[/TD][TD]http://vulnfactory.org/public/xprt_root_windows.zip[/TD][TD][/TD][/TR]
[TR][TD]Nandpwn[/TD][TD]8/4/2012[/TD][TD]bliss[/TD][TD]root[/TD][TD]Ridiculousness on Logitech Revue[/TD][TD]https://github.com/djrbliss/revue/tree/master/nandpwn[/TD][TD][/TD][/TR]
[TR][TD]Motochopper[/TD][TD]4/9/2013[/TD][TD]bliss[/TD][TD]root[/TD][TD][/TD][TD]http://vulnfactory.org/public/motochopper.zip[/TD][TD][/TD][/TR]
[TR][TD]ADB Restore Root[/TD][TD][/TD][TD]bin4ry[/TD][TD]root[/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Exynos-abuse[/TD][TD][/TD][TD]alephzain[/TD][TD]root[/TD][TD]Access to system memory through /dev/exynos-mem on Exynos devices[/TD][TD][ROOT][SECURITY] Root exploit on Exynos - xda-developers[/TD][TD][/TD][/TR]
[TR][TD]IconiaRoot[/TD][TD][/TD][TD]alephzain[/TD][TD]root[/TD][TD][/TD][TD][ROOT][SECURITY] Root exploit on Exynos - xda-developers[/TD][TD][/TD][/TR]
[TR][TD]fr3vo[/TD][TD][/TD][TD]Kevin Bruckert[/TD][TD]root[/TD][TD]Arbitrary kernel write in Qualcomm's MSM rotator[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]levitator[/TD][TD][/TD][TD]Jon Larimer, Jon Oberheide[/TD][TD]root[/TD][TD]Out-of-bounds memory mapping in pvrsrvkm[/TD][TD]http://jon.oberheide.org/files/levitator.c[/TD][TD][/TD][/TR]
[TR][TD]mempodroid[/TD][TD][/TD][TD]saurik/zx2c4[/TD][TD]root[/TD][TD]Bad kernel jazz with /proc/pid/mem and suid binaries[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]asroot (Wunderbar?)[/TD][TD][/TD][TD]zinx[/TD][TD]root[/TD][TD][/TD][TD]http://code.google.com/p/flashrec/source/browse/#svn%2Ftrunk%2Fandroid-root[/TD][TD][/TD][/TR]
[TR][TD]Samsung Infuse 4G[/TD][TD]1/3/2012[/TD][TD]Michael Coppola[/TD][TD]root[/TD][TD]symlink attack on /data/data/.drm/.wmdrm/sample.hds[/TD][TD]Rooting the Samsung Infuse 4G | Michael Coppola's Blog[/TD][TD][/TD][/TR]
[/TABLE]

