
Root Privilege Escalation exploit in LG's backlight driver

giantpune

Android Enthusiast
So yesterday I was messing around with trying to get cm7 working when I ran an innocent shell command and my phone crashed. I tracked the cause back to the driver for the backlight in our LCD screen. While I was looking at it, I saw that the bug I found could actually be used to gain root access on our phone from any app that runs.

It took a couple hours to work up a working example for this that did something besides crash the phone, and I named it 'Lit'. I already have quite a few root exploits for our phone saved up in case LG decides to fix the ones we have publicly. So there's nothing really to lose by not keeping this one to myself.

I suspect this one also affects other LG phones using the same buggy backlight driver. I have hardcoded an address in this code. To get it working on other models, somebody would need to get the correct address. Lit is a command-line program, so run it from the terminal emulator or adb or something and hopefully it'll give you a root shell. You might also want to contact LG and demand they fix it. I'm not really going to bother with that since I called and emailed them back in July about another one and got ignored.

Code:
j@media-pc:~$ adb shell
$ uname -a
Linux localhost 2.6.35.11 #1 PREEMPT Tue Jun 19 23:02:28 KST 2012 armv7l GNU/Linux
$ getprop | grep device
[ro.product.device]: [m3s]
$ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet)
$ /data/local/tmp/lit
Lit - root exploit for the LG LM3530 backlight driver
2012 giantpune
[+] Using 29287461 as adapter address
[+] Opened led reg file
[+] Mapped 29287000
[+] algoAddr is at 29287000
[+] got root
# id
uid=0(root) gid=0(root)
#
Download lit.tar.gz from Sendspace.com
 
With multiple holes like this one, I wouldn't put my email address, credit card info, or any other personal information into this phone. If it wasn't a prepaid phone, I'd say to check your account every now and then and make sure there aren't any strange 1900 calls or texts sent to those premium numbers that charge you $2 a message.

With any app being able to get root access whenever it wants, they can most certainly do all this stuff. Definitely make sure you only install apps from trusted places. It would be trivial to stick this or a similar exploit into Angry Birds and toss it up on thepiratebay, and before you know it, your phone becomes somebody else's phone.
 
giantpune, thanks for this great tool

I am very curious about this small program you wrote. How do I re-compile main.c (if I want to make some changes and try it)?

What kind of tools did you use to compile it?

Thanks
 
I used the gcc ARM compiler from NDK r8(ish) to make the binary. As far as modifications go, I've found that if you tweak the mmap arguments a bit to get rid of the unnecessary executable permission, the mmap will succeed on some other devices and this exploit works. There are actually about 8 different backlight drivers from LG affected by this one, being used in several models. My root/cwm installer for the L38c family of phones uses it ( http://androidforums.com/l3-all-things-root/682486-root-apk-l38c.html ).

The Optimus V's backlight driver is also vulnerable, but as the CPU+kernel config is set up in a way that doesn't let us run unaligned addresses, the kernel panics rather than executing the specified address.
 
giantpune,

Thanks a bunch for this useful information. I will start playing with the compiler to see whether I can compile it to run on my phone.

Thanks again
 