
So close, yet so far

A project log for Hacking old Galaxy Tabs for better living

How I helped my high-rise neighbors to actually own their smart homes

Neighborino, 09/11/2021 at 15:17, 0 Comments

The kernel version marked 3.4.34-2545684 on the 4.2.2 tablets was ripe for some dirtycow-ing.

The PoC at https://github.com/timwr/CVE-2016-5195 compiled great for x86 Android and just like that I had root access. Unfortunately some targets such as /system/bin/run-as could only be touched via adb with the tablet "tethered" to the PC which was once again not what I had in mind - one had to be able to execute the privilege escalation from inside an app running on the device.

I then made a breakthrough when I considered which binaries actually had access to the wpa_supplicant.conf - would you know it, it was actually the wpa_supplicant program itself!

High-rise wall-mounted tablet WiFi password revealer 1.0!

Having made a successful exit from our mobile app startup some years prior, I no longer had Android Studio installed (taking an extended vacation from gradle did me a lot of good!) and after getting back into it, I developed an app which would:

  1. Disable WiFi so that wpa_supplicant exits - any app with the right permissions can do this.
  2. Make a backup of the wpa_supplicant binary and use the dirtycow exploit to overwrite it with a small program that, when executed, copies wpa_supplicant.conf to /sdcard.
  3. Enable WiFi, which runs my program with elevated privileges. Then wait a moment for the WiFi state machine to settle and disable WiFi once again.
  4. Put back the original wpa_supplicant binary and re-enable WiFi. It was as if nothing had happened.

Now I can parse the .conf and display the WiFi password to the end-user.

I then realized a dirty secret of dirtycow and how it affects read-only file systems:

IT CAN PERMANENTLY CORRUPT THE TARGET FILE :(

This means that steps 1-3 worked, but putting the file back failed - or rather, it seemed to take, but after rebooting the tablet the file contents would be scrambled/corrupt and no amount of dirtycowing would fix it. Even a factory reset wouldn't help, because there is no backup copy of the /system partition. Only restoring a TWRP backup or flashing the stock firmware via ODIN would help.

What good is a WiFi password if the cost is ruining WiFi connectivity of the smart home tablet?!
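As an added example that is not part of the original log, the script below records SHA-256 hashes of binaries on a read-only partition and re-verifies them later. It is the kind of check that shows whether the original wpa_supplicant really came back intact after step 4 (the corruption described above would show up as MODIFIED after the reboot), and from the defender's side it spots a substituted /system binary at all. The directory, file names and contents are constructed stand-ins, not the tablet's real files; on a device the hashes would be taken over `adb shell` from a known-good, freshly flashed image.

```shell
#!/bin/sh
# Added example, not code from the project log: a tiny integrity baseline for
# binaries on a read-only partition such as /system/bin. A throw-away temp
# directory stands in for /system/bin so the script runs offline.

# Print the SHA-256 of one file (coreutils sha256sum, shasum as a fallback).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write one "<hash> <path>" line per file into the baseline file named in $1.
record_baseline() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$baseline"
    done
}

# Re-hash every file listed in the baseline. Prints one status line per file
# and returns 0 only when every file is present and unchanged.
verify_baseline() {
    baseline="$1"
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        if [ "$(hash_file "$path")" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"; status=1
        fi
    done < "$baseline"
    return "$status"
}

# Constructed demo: a fake "system" directory with stand-in binaries.
demo_dir=""
setup_demo() {
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/bin"
    printf 'stand-in for the original wpa_supplicant binary\n' > "$demo_dir/bin/wpa_supplicant"
    printf 'stand-in for the original run-as binary\n' > "$demo_dir/bin/run-as"
    record_baseline "$demo_dir/baseline.sha256" \
        "$demo_dir/bin/wpa_supplicant" "$demo_dir/bin/run-as"
}

# Returns 0: nothing has been touched since the baseline was recorded.
check_untampered() {
    setup_demo
    verify_baseline "$demo_dir/baseline.sha256"; rc=$?
    rm -rf "$demo_dir"
    return "$rc"
}

# Returns 1: wpa_supplicant was swapped out, as in step 2 of the log.
check_tampered() {
    setup_demo
    printf 'replacement program\n' > "$demo_dir/bin/wpa_supplicant"
    verify_baseline "$demo_dir/baseline.sha256"; rc=$?
    rm -rf "$demo_dir"
    return "$rc"
}

check_untampered
check_tampered || echo "tampering detected (expected in this demo)"
```

On a real device the baseline would be taken once from a clean image and kept off the tablet (it is no use on a partition the attacker can already rewrite), and the verify step re-run after any suspicious reboot.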
