Hi,
I've a magic 32B with cyanogenmod v4.2.15.1.
I would like to import StartSSL and FreeSSL certificates authority.
To do this I modified /etc/security/cacerts.bks with keytool on my PC, pushed the new cacerts.bks to my phone, changed its permissions (644), and rebooted the phone.
Now I can connect to FreeSSL https websites without any warning. But the Android Market stops working: I can't download and install apps.
I've this log:
Code:
W/vending ( 776): com.android.vending.api.RequestDispatcher.performRequestsOverNetwork(): IOException while performing API request: Delayed instantiation exception:
E/vending ( 776): com.android.vending.AsynchRequestRunner$1.runRequestRetryingFailure(): Got IOException from async request: Delayed instantiation exception:
D/vending ( 776): com.android.vending.api.LocalAssetDatabase.notifyListener(): -4182933297171720279 / DOWNLOAD_FAILED
If I restore the original cacerts.bks, market works fine, but of course I've warnings with FreeSSL websites.
Can you help me install the FreeSSL CA without disturbing the Android Market?
Thanks.
For the Citrix client, I've edited cacerts.bks too.
I've used a Java program, Portecle:
http://portecle.sourceforge.net/
Download it, then launch it with the Windows command: java -jar portecle.jar
With this tool, open cacerts.bks and import your CA cert.
Save the BKS and push it to your phone; it worked for me!
First off I'm fairly new to reflection, though I've been able to use it successfully a few times while developing apps for my rooted HTC Incredible(2.2). Now I'm trying to access PhoneApp via reflection, but I keep getting NoClassDefFoundError when I invoke either of the following:
Code:
Class aClass = Class.forName("com.android.phone.PhoneApp");
and
Code:
ClassLoader classLoader = MyClass.class.getClassLoader();
Class aClass = classLoader.loadClass("com.android.phone.PhoneApp");
If I decompile Phone.apk I can see com.android.phone.PhoneApp, so what am I missing?
Thanks in advance...
Changing this to a learning question.
How did Samsung or other vendors fix this vulnerability?
It's not as simple as formatting the SD card and running a specially formatted apk?
Thanks for any information.
http://blog.cassidiancybersecurity.com/post/2014/06/Android-4.4.3,-or-fixing-an-old-local-root
Quote from their site:
"The vulnerability here is rather obvious: there is no check on the "id" variable, which is the name given by the user to its ASEC container. It is therefore possible to perform a basic path traversal, to create the ASEC file and its mount point in a different directory than expected, for example one the "attacker" can write into.
The following code is then responsible for the creation of the mount point:
Code:
if (mkdir(mountPoint, 0000)) {
    if (errno != EEXIST) {
        SLOGE("Mountpoint creation failed (%s)", strerror(errno));
        if (cleanupDm) {
            Devmapper::destroy(idHash);
        }
        Loop::destroyByDevice(loopDevice);
        unlink(asecFileName);
        return -1;
    }
}
[...]
mountStatus = xxx::doMount(dmDevice, mountPoint, false,
                           false, false, ownerUid, 0, 0000, false);
This means that if the mount point already exists, no error is raised, and the container is correctly mounted in "mountPoint". Guess what? If "mountPoint" already exists AND is a symlink to an existing directory, the ASEC container will be mounted over this directory. And the user will have full access to it, allowing him to write new files inside.
There are many ways of exploiting this vulnerability to gain root privileges.
Last detail about this vulnerability: it requires permissions to create ASEC containers. The "shell" user, as used by adb, has the required privileges. For the vulnerability to be exploited from an application, it needs the ASEC_* permissions (such as ASEC_CREATE)."
It has been patched.
designgears said:
It has been patched.
This guy! He is watching the threads secretly and I believe he is/has been doing some work
from my locked note 3!
I think he knows it's patched but wants to know how it was patched so he can learn a bit.
Sent from my SM-G900V using XDA Premium 4 mobile app
The code for the actual fix is in the linked blog post. It doesn't allow directory names starting with .. or /, eliminating the ability to turn "/mnt/asec/mydirectory" into something like "/mnt/asec/../../system/xbin". In Linux, .. means go up a directory, so that would translate to "/system/xbin".
Many distributions of Android have their own patchsets that are released before the official ones from Google. I'm not sure when Samsung introduced it into their release of Android, but it's definitely in the last released version which is why we can't use this for root.
This is the vulnerability I used in the videos I posted a few months back for the Moto X, and reported to Google (it is exploitable on some devices without user interaction; rogue apps can use it on some devices to do bad things without the user knowing).
Google provides security fixes to OEMs with a minimum 90-day embargo, so OEMs have the fixes at least 90 days before they end up on AOSP. In addition, it was already mitigated by SEAndroid policies on many devices, including the Note 3, S4, and S5. So it was useless for those devices already.
It is also patched on s5, and newer note3 and S4 firmware.
It was patched by sanitizing the path, checking for traversal and failing if detected.
For an actual implementation of this (that I published after the blog you linked to detailed the vulnerability), see my exploit here http://forum.xda-developers.com/moto-x/orig-development/root-4-4-x-pie-motorola-devices-t2771623
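The fix described above (reject container names starting with .. or /, fail on any traversal) as an added C example; this is not vold's code or the patch from the blog post. The names `validate_asec_id`, `asec_mount_point` and `check_mount_point_not_symlink` are hypothetical, and the symlink check is an extra hardening step beyond what the thread says the patch does.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define ASEC_ROOT "/mnt/asec"

/* Hypothetical validator modelled on the fix described in the thread.
 * Returns 0 if the id is acceptable, -1 (errno = EINVAL) otherwise. */
static int validate_asec_id(const char *id) {
    if (id == NULL || id[0] == '\0') { errno = EINVAL; return -1; }
    /* The patch rejects names starting with ".." or "/" */
    if (id[0] == '/' || (id[0] == '.' && id[1] == '.')) { errno = EINVAL; return -1; }
    /* Stricter than the patch (my choice): no separator and no ".." anywhere,
     * so "foo/../bar" cannot sneak a traversal past the prefix check. */
    if (strchr(id, '/') != NULL || strstr(id, "..") != NULL) { errno = EINVAL; return -1; }
    return 0;
}

/* Builds ASEC_ROOT/<id> into out; fails instead of producing a path
 * that would resolve outside ASEC_ROOT. */
static int asec_mount_point(const char *id, char *out, size_t outlen) {
    if (validate_asec_id(id) != 0) return -1;
    int n = snprintf(out, outlen, "%s/%s", ASEC_ROOT, id);
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

/* Extra hardening (assumption, not part of the quoted patch): mkdir()
 * returning EEXIST is only acceptable if the existing entry is a real
 * directory. lstat() does not follow symlinks, so a symlinked mount point
 * is rejected here instead of being mounted over. Returns 0 if the path
 * is absent or a plain directory, -1 otherwise. */
static int check_mount_point_not_symlink(const char *mountPoint) {
    struct stat st;
    if (lstat(mountPoint, &st) != 0) return (errno == ENOENT) ? 0 : -1;
    if (!S_ISDIR(st.st_mode)) { errno = ENOTDIR; return -1; }
    return 0;
}
```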
Hi, I'm Italian, so I apologize for my very bad English.
I tried to obtain a custom class using the Parcelable interface and an Intent instance. I think that all the class's members are obtained correctly; only a list gives me a problem. To put it into the Parcel I used the method
Code:
writeList(List val)
and to get it I used the method
Code:
readList(List outVal, ClassLoader loader)
But when I try to access the list, I get a NullPointerException...
I used readList in this way:
Code:
parcel.readList(list, null);
Is this correct?
I had the 4.4.4 CarbonRom flashed and decided to try out the new 5.X.
Without updating my bootloader (it was 4109, I think) I clean wiped my phone and flashed the Euphoria ROM. I was unable to open the Security Settings menu or uninstall any app. I posted the logcat from the 5.1 ROM in the Euphoria thread.
Since I was on the old bootloader I updated to the 4118 version without a problem, but I still couldn't open Security or uninstall any app. I tried other ROMs such as AOSP 5.1, but it still wasn't working. So I tried going back to the stock 4.4.4 ROM, but I'm still having the same problems. The logcat from the 4.4.4 stock is attached. I've also tried the 5.1 stock ROM, same result.
Any idea on how to fix this?
OK, I managed to fix this by searching for another string I found in the logcat, specifically:
Code:
E/QSEECOMAPI: ( 6008): Error::Cannot open the file /vendor/firmware/keymaster/keymaster.mdt
E/QSEECOMAPI: ( 6008): Error::Cannot open the file /firmware/image/keymaste.mdt
I'm reposting the solution and the relevant logcat lines for any poor soul that has the same problem in the future:
Code:
E/AndroidRuntime(19798): java.lang.RuntimeException: Unable to resume activity {com.android.settings/com.android.settings.SubSettings}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.is_hardware_backed(java.lang.String)' on a null object reference
E/AndroidRuntime(20411): java.lang.RuntimeException: Unable to start activity ComponentInfo{com.android.settings/com.android.settings.SubSettings}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.zero()' on a null object reference
E/AndroidRuntime(25642): java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.clear_uid(long)' on a null object reference
I found the solution in this thread. You have to copy the keymaster files I attached in the zip into the /firmware/image/ folder after mounting /firmware read-write. Be sure to chmod 644 all the files too.