[R&D] Modern Security Patches on 5.0 ROMs - Verizon Galaxy S 5 Android Development

Hello,
Today I have found myself the victim of Stagefright. Specifically CVE-2015-6602. The attacker gained remote code execution and attempted to copy all my data to a server. Luckily nothing sensitive was on the phone since it was my test unit. Still, it is important to note that attackers are still looking at exploiting older phones.
The phone in question was on android 5.0 : OptimalROM 15-5, with PB1 firmware. I had applied all the available security zips, still leaving two stagefright vulnerabilities:
CVE-2015-3864 (Mediaserver)
CVE-2015-6602 (libutils)
Please be aware if you are on a locked bootloader and choose to stay on older ROMs to keep root you are putting yourself at risk.
To see if you could have suffered the same fate as me if you were the attacker's target, use Zimperium's SF detector.
https://play.google.com/store/apps/details?id=com.zimperium.stagefrightdetector
This thread aims to provide flashable zips or manual instructions to patch any additional vulnerabilities existing in 5.0 that have been fixed in newer versions or 6.0.
--
First success! 1/2/2017
Implementation to patch ALL stagefright vulns on ALL 5.0 ROMs that have vulnerabilities!
see thread:
https://forum.xda-developers.com/ve...om-patch-optimalrom-15-5-stagefright-t3530922
Resources:
https://groups.google.com/forum/#!topic/android-security-updates/iv1BF0f0XY4
^ Main information, gives us the two commits:
Commit (Vuln patch)
https://android.googlesource.com/platform/system/core/+/5b85b1d40d619c2064d321364f212ebfeb6ba185
Commit (Compile error after, fixed on this commit)
https://android.googlesource.com/platform/system/core/+/e0dce90b0de2b2b7c2baae8035f810a55526effb
This tells us the vulnerability in libutils is specifically in String8.cpp.
/system/lib/libutils.so is the binary file that needs to be updated.
With this info, we can compile it ourselves from the latest Android, but the question is what will happen on replacement? Will the system reject the signature?
https://android.googlesource.com/platform/system/core/+/e0dce90b0de2b2b7c2baae8035f810a55526effb
^ Compiling a new libutils.so from the above commit.

I am not vulnerable. 5.0 rooted.

gayflag said:
I am not vulnerable. 5.0 rooted.
Interesting. What ROM are you on and what firmware?
Is the ROM based on that firmware?
Edit:
Thank you for this valuable information.
Stock PB1 ROMs are not vulnerable to stagefright.
This will make things easier for ROMs based on pre-PB1!
It is because of your post that I easily found a way to patch stagefright on OG5 and below based ROMs!
https://forum.xda-developers.com/ve...om-patch-optimalrom-15-5-stagefright-t3530922
Android bug: security risk

Android bug: MMS attack affects 'one billion' phones - http://www.bbc.co.uk/news/technology-33689399
Can the patch be manually downloaded from somewhere and manually installed in rooted phones? Where?
Prefer to not go the OTA route because I am rooted and use xposed framework.
Is the patch issued out and available by Google yet?
Running Cataclysm, but don't see an update for it yet for the MMS bug.
Patched stagefright libraries for AOSP 5.1.1
For those who are interested: I patched AOSP 5.1.1 (LMY48B) with the code changes that were submitted to CM by the researcher who detected the flaw, see e.g. here. The attached archive contains the 17 (!) modified libraries. I just pushed the files to my device running stock 5.1.1 and it boots fine. I do not have any information on whether the patch actually does what it is supposed to do or whether the new libs result in breakage somewhere else.
Update: added three additional patches to libstagefright submitted to CM by the same security researcher (jduck) as detailed here.
Update (August 14): added latest stagefright vulnerability patch as described here
From what I have read this should not really affect our devices. It is more older devices that have issues.
wangdaning said:
From what I have read this should not really affect our devices. It is more older devices that have issues.
Well, from what I've read/seen it appears that the Nexus 5 on 5.1.1 is fully exploitable. However, sandboxing and "address space layout randomization" make it a lot more difficult to actually achieve anything with the exploit, but the probability is not zero. We will probably know more after the hacker conference next week.
Note that I have updated the patched libraries that I attached to my previous post. In the update I added three additional patches to libstagefright that have been submitted to CM by the security researcher who has found the exploit back in April, see here
chdloc said:
For those who are interested: I patched AOSP 5.1.1 (LMY48B) with the code changes that were submitted to CM by the researcher who detected the flaw, see e.g. here. The attached archive contains the 17 (!) modified libraries. I just pushed the files to my device running stock 5.1.1 and it boots fine. I do not have any information on whether the patch actually does what it is supposed to do or whether the new libs result in breakage somewhere else.
Edit: added three additional patches to libstagefright submitted to CM by the same security researcher (jduck) as detailed here.
Added the patched libs and my phone didn't blow up so that's a good sign. Too bad there isn't a good way to test it.
chdloc said:
Well, from what I've read/seen it appears that the Nexus 5 on 5.1.1 is fully exploitable. However, sandboxing and "address space layout randomization" make it a lot more difficult to actually achieve anything with the exploit, but the probability is not zero. here
Is the rooted nexus 5 on 4.4.4 (with xposed) any safer?
How to sandbox? Is there an app for that?
Thanks.
Anderson2 said:
Is the rooted nexus 5 on 4.4.4 (with xposed) any safer?
A rooted device is less secure than a non-rooted device. A device with Xposed is theoretically less secure than that.
Anderson2 said:
How to sandbox? Is there an app for that?
Application sandboxing is done by default in Android.
chdloc said:
For those who are interested: I patched AOSP 5.1.1 (LMY48B) with the code changes that were submitted to CM by the researcher who detected the flaw, see e.g. here. The attached archive contains the 17 (!) modified libraries. I just pushed the files to my device running stock 5.1.1 and it boots fine. I do not have any information on whether the patch actually does what it is supposed to do or whether the new libs result in breakage somewhere else.
Update: added three additional patches to libstagefright submitted to CM by the same security researcher (jduck) as detailed here.
Just an FYI; if you're waiting for your ROM to be updated, swapping in these patched libs will close the hole (at least according to Zimperium's Stagefright check app).
FYI, added latest stagefright vulnerability patch as described here to post #3.
As before, you need to push the libraries manually to /system/lib/, followed by an adjustment of permissions (644), if required.
The latest Zimperium Stagefright Detector app, updated today, returns "not vulnerable" to the (as of today) seven known security vulnerabilities of stagefright.
chdloc said:
FYI, added latest stagefright vulnerability patch as described here to post #3.
As before, you need to push the libraries manually to /system/lib/, followed by an adjustment of permissions (644), if required.
The latest Zimperium Stagefright Detector app, updated today, returns "not vulnerable" to the (as of today) seven known security vulnerabilities of stagefright.
Works like a charm... until the next hole is discovered.
chdloc said:
I just pushed the files to my device running stock 5.1.1 and it boots fine. I do not have any information on whether the patch actually does what it is supposed to do or whether the new libs result in breakage somewhere else.
Thanks so much for doing this! I've unzipped these to Dirty Unicorns OFFICIAL-v9.5 (5.1.1) and things appear to be booting/running OK. Zimperium detector also says everything is now good.
I am on rooted nexus 5, version 5.1.1
By manually pushing it do you mean through custom recovery or for example by using flashify app to flash the file, or directly copy pasting it?
And by adjusting permission if required, can you explain how that is done?
Thank you
+1
Are they the same patches for 4.4.4?
persianrisk said:
I am on rooted nexus 5, version 5.1.1
By manually pushing it do you mean through custom recovery or for example by using flashify app to flash the file, or directly copy pasting it?
And by adjusting permission if required, can you explain how that is done?
Thank you
To be safe, backup your device before proceeding.
By "pushing files to phone" I mean unpack the archive attached to the third post in this thread and manually copy the resulting files to your device by either using
adb push [...]
or (assuming you use Windows on your host machine)
Explorer
to copy all files to the "sdcard" on your phone.
Then use a file explorer on your phone, such as Root Explorer, to copy the files into place, i.e. /system/lib/
To adjust permissions, again, use the file explorer on your device to verify the "permissions" property of each of the new files. If you don't see rw-r--r--, or 644, adjust the permissions appropriately.
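The permission check from the post above, as an added example that is not chdloc's or the thread's own code: it stages the libraries in a local directory (a constructed demo directory with made-up file names), reports any file that is not mode 644 (rw-r--r--), and fixes the mode before the files are copied into /system/lib/. Ownership (root:root on the device) is not checked here because it cannot be verified offline.

```shell
#!/bin/sh
# Added example: verify that patched libraries staged for /system/lib/
# carry the 0644 (rw-r--r--) mode the thread's instructions call for.
# Assumes a host with a POSIX sh and either GNU or BSD/BusyBox stat.

# Print the octal mode of one file; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if every regular file directly under $1 is mode 644,
# otherwise list the offenders on stderr and return 1.
check_lib_perms() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        mode=$(file_mode "$f")
        if [ "$mode" != "644" ]; then
            echo "WRONG MODE $mode (expected 644): $f" >&2
            bad=1
        fi
    done
    return $bad
}

# Set every regular file directly under $1 to mode 644.
fix_lib_perms() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        chmod 644 "$f"
    done
}

# Build a constructed staging directory: one library already correct,
# one deliberately left executable (755), as happens after some copies.
make_demo_dir() {
    d=$(mktemp -d)
    : > "$d/libstagefright.so"
    : > "$d/libutils.so"
    chmod 644 "$d/libstagefright.so"
    chmod 755 "$d/libutils.so"
    echo "$d"
}

# Stand-alone run: report, fix, and re-check the demo directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_dir)
    check_lib_perms "$d" || echo "fixing..."
    fix_lib_perms "$d"
    check_lib_perms "$d" && echo "all files are 644"
fi
```

Run it with `--demo` to see the 755 file flagged and corrected; point `check_lib_perms` at your own unpacked archive before pushing.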
Anderson2 said:
+1
Are they the same patches for 4.4.4?
No, the patched files posted in the third post of this thread were built on Android (AOSP) 5.1.1. They will not work on KitKat.
Are there similar patched files for 4.4.4?
Anderson2 said:
Are there similar patched files for 4.4.4?
Unless patches are forthcoming from Google, I don't think there will be. KK development is essentially dead.
Thank you very much. I followed your steps (used Root Explorer as ES File Manager did not work).
When I run Stage fright detector App by Zimperium INC. and the one by Michael Kohl it says that I am not vulnerable.
But, when I run the one by LookOut Security says I am vulnerable. Any thoughts?
OK, I guess I will move to 5.1.1. May sound easy to pros like you but it's a scary step to users like me.

Community Project: New Stock OS

This project is for both LG Phoenix 4 users and all Aristo 2 users. Feel free to collaborate.
ABOUT:
This is a new idea that I had to make a universal Micro Stock OS. The OS's will be stripped down to the bare minimum to let both the Phoenix 4 and Aristo 2 users have a ROM with as much space and customization as possible. This is kind of like my AR-OS where I De-Odexed, De-Bloated, and Optimized the entire system. The only difference is it will be built entirely upon the user.
HOW TO CONTRIBUTE:
Leave a post about what you were able to remove from the Pure Stock LG OS without getting issues. (Make sure you back up your device before doing this though.) When I see the input I will start updating this page to add more elements to it. When all is done and well, we will work on the customization part. Anyone who has suggestions on things such as "Stock Home Screen", you are welcome to post them in detail.
ADVANCED CONTRIBUTIONS:
For those of you who know how to modify the System OS a little better I will be needing help removing all of LG's Junk Licences and pulling just the Raw material from the OS or the building blocks for a GitHub page.
Thanks to everyone who will help!
I have the LG K8+ 2018 (LG Aristo 2 US Cellular model). I would like one without the root detection that slows down your phone, and rooted with Magisk. Also maybe a customizable UI.
Working on 2 new rooted Oreo ROMs
I wanted to let everyone know that I am currently working on 2 new rooted Oreo ROMs.
Both are based on the latest available LG firmware for the given phone.
#1 is a new ROM for the Aristo 2 (Metro by T-Mobile), based on firmware 20g.
#2 is a new ROM for the K8 plus (US Cellular), based on firmware 20c.
These ROMs both feature:
Installation of the latest available TWRP, paired with LG's latest kernel to ensure compatibility.
Pre-rooting of the boot image using the latest available Magisk.
Additional mods to the boot image to facilitate removal of LG's Root Checking Tool.
Pre-installation removal of existing encrypted partitions and associated encryption keys.
Removal of the possibility of encryption being forced on any user partitions via modification of multiple fstab files.
Removal of LG's performance-degrading Root Checking Tool and its defined service.
New modifications to the system image that are now required to successfully boot the altered system.
Removal of unneeded vendor software that can be removed without issues, freeing up additional storage.
Installation of useful root related utilities that add additional functionality to your phone.
Preservation of existing user installed apps.
Automatic alteration of system settings necessary for seamless functionality of the ROM when possible.
Mods to the vendor image that reliably prevent android system updates from being forced to the phone. This is very necessary, as all LG system updates are now very destructive, resulting in bricking of the phone.
I am looking for anyone willing to test these new images.
Just reply to this post and I will PM you.
Thanks.
I have a lg phoenix 4 (LM-X210APM) from AT&T, but it is not updated because I'm from Venezuela, is there a method to force the updates of that phone?
tecknight said:
I wanted to let everyone know that I am currently working on 2 new rooted Oreo ROMs.
Both are based on the latest available LG firmware for the given phone.
#1 is a new ROM for the Aristo 2 (Metro by T-Mobile), based on firmware 20g.
#2 is a new ROM for the K8 plus (US Cellular), based on firmware 20c.
These ROMs both feature:
Installation of the latest available TWRP, paired with LG's latest kernel to ensure compatibility.
Additional mods to the boot image to facilitate removal of LG's Root Checking Tool.
Removal of the possibility of encryption being forced on any user partitions via modification of multiple fstab files.
New modifications to the system image that are now required to successfully boot the altered system.
Installation of useful root related utilities that add additional functionality to your phone.
Automatic alteration of system settings necessary for seamless functionality of the ROM when possible.
Mods to the vendor image that reliably prevent android system updates from being forced to the phone. This is very necessary, as all LG system updates are now very destructive, resulting in bricking of the phone.
I am looking for anyone willing to test these new images.
Just reply to this post and I will PM you.
Thanks.
I've a K8+ 2018 I'd be willing to test on.
Have Phoenix 4
I have an att Phoenix 4 I'd be willing to test this on. I just have to root first xD
I would also be willing to try out rom 1
I have the Aristo 2 Plus by Metro. I can help if needed.
I removed a bunch; I'd have to take a screenshot.
I'm on rooted Nougat. Can I have the link to the rooted Oreo?
Yeah, I'll test the Aristo 2 Plus.

[KERNEL][MIUI] PWn3R-K3RN3L GLOBAL SafetyNet Bypass Updated: 3/17/2020

I started working on this almost 8 months ago. Originally (and possibly at some point in the future) my goal was to provide a slightly modified kernel from the source code Xiaomi releases on Github for MIUI that is modified to allow CN or other hardware to boot with the Global ROM and pass a SafetyNet check. Ultimately, I had given up on this endeavor because I was able to accomplish that using the Magisk module I created and posted here. Due to needing to have a device that was not rooted (running it for work with both personal and work SIM, and Airwatch detects Magisk no matter what I do), I came full circle.
Due to a design decision made by Google, I have found it is possible to make the androidboot.verifiedbootstate show up in a manner that is perceived by Google as "green" without triggering the bootloop code that is included in the system services that Xiaomi is running. To that end, I am posting an AnyKernel3 file here with the stock Global 10.3.2.0 ROM kernel, configured in such a manner as to bypass SafetyNet checks.
I only have one device to test this with, so hopefully it works for you too.
Edit: The patcher version should work on most versions of anything MIUI. It does not contain a kernel, it simply patches the CMDLINE to make it pass SafetyNet.
Standard Disclaimer: I have tested this, and it's a stock kernel, just with modifications to the kernel boot cmdline. I am not responsible if your device bursts into flames, fails to alarm clock and you are late for work, sends inflammatory SMS messages to Kim Jong Un, etc.
Patcher V2: Updated with AnyKernel3 changes:
Download V2
NOTE: I was not able to get my device to allow Google Pay with this. I believe Google is doing even more stringent checking now. If others want to test and report back, please do. This sets androidboot.verifiedbootstate=green now, and sets the ro.boot.hwc to GLOBAL and ro.boot.hwcountry to GLOBAL to avoid the bootloop in Xiaomi's services.
Generalized version:
Download Patcher
10.3.2.0 Specific:
Download
Edit: I was just messaged via Github by someone from Xiaomi that they are aware the source no longer works. They provided patches that *should* fix it. If that ends up working out, my intent is to provide a compiled from source version, possibly with some optimizations, and certainly using Linaro.
The patcher version linked above does not contain a kernel image. It just patches the cmdline and should work on all Xiaomi ROMs, at least for the Mix 3. I have not tested it outside of the global ROM. I spent about 25 hours in the last two weeks working to try to backport the patches that were suggested as fixes to get the kernel to boot, but it is not done yet.
Updated Patcher above. I believe the new attestation api changes are stopping anything like this from working.
Does it support MIUI 12 EU now?
Thanks

How to apply Android Security Patches to a Custom Rom?

Hi everyone,
I've used Android-based custom roms for years on many of my devices. Now, I am only able to find one old Lineage OS 14 build for a rare, old tablet that I have.
The Android version is not a huge issue, as many Apps still support 7 and lower and the system itself runs reasonably well. However, the latest security patches are still from 2018.
The way I understand it, Google/AOSP publishes some sort of security update packages in regular intervals.
Is there an easy way to apply those patches to the ROM that I have? Reinstalling the system is no problem and I can do some simple troubleshooting, but I'm probably not able to recompile the entire build, if that is necessary.
Unfortunately, since every custom rom has some "Security update" info, it's extremely hard to find any explanations of how to actually apply those patches, at least I couldn't find any.
Feel free to just send me a link if there is any sort of guide on how to accomplish this.
Thanks a lot!
NovusDeus said:
Hi everyone,
I've used Android-based custom roms for years on many of my devices. Now, I am only able to find one old Lineage OS 14 build for a rare, old tablet that I have.
The Android version is not a huge issue, as many Apps still support 7 and lower and the system itself runs reasonably well. However, the latest security patches are still from 2018.
The way I understand it, Google/AOSP publishes some sort of security update packages in regular intervals.
Is there an easy way to apply those patches to the ROM that I have? Reinstalling the system is no problem and I can do some simple troubleshooting, but I'm probably not able to recompile the entire build, if that is necessary.
Unfortunately, since every custom rom has some "Security update" info, it's extremely hard to find any explanations of how to actually apply those patches, at least I couldn't find any.
Feel free to just send me a link if there is any sort of guide on how to accomplish this.
Thanks a lot!
You have two problems here.
First: Google does NOT publish security patches for every Android version forever. After some time (3 years, I think) that version is deprecated and does not get patches from Google.
Second: those patches are not in form of a "ready-to-install" software. They are source code patches. You can see them as something like _r67 after the Android Version. So you or someone else must build them.
For a recent, supported ROM like LineageOS 18.1 the ROM developer does this for you. You get it when you update Lineage.
For Android 7, which was deprecated long ago, someone has to port this patch. It's not possible for every patch, and if it is possible, nobody does it because it's a lot of work.
Short version: if there is no ROM based on Android 10 or 11 for your device you have to live without patches :-(
Hope that helps.
Well, yes and no.
But thanks for clarifying. I hoped there was a way to install those easily.
Do you happen to know if, hypothetically, I even had any chance to patch my rom with just the flashable zip or am I missing some crucial source files?
You can download the sources of Lineage OS 14, patch them, compile them, install them and you have all the security fixes.
As said. This is a lot of work and requires good amount of knowledge. With that time and energy you could port Lineage OS 17 for your tablet instead.

General (OPEN DEV) BruteRoot - A collection of Root Tactics (Possibly Force Bootloader unlock on NA Samsung S22?)

Devices & Linux Versions I or other Testers have Successfully Gained Root on:
(Likely All) MTK CPU Based Android devices UP TO 11 (Maybe 12? I haven't tested) (I.e LG, Sony, Select Samsung devices)
Android Devices with LINUX KERNEL VERSIONS - 5.8 - 4.14 - Maybe More? (Needs Testing)
-THIS GUIDE IS NOT BEGINNER FRIENDLY - BASIC UNDERSTANDING OF PYTHON, UNIX/LINUX ETC WILL BE REQUIRED!-
If you have been holding off updating your device, well here's some good news, your device may still be vulnerable to a method to gain root access (and subsequently, possibly the ability to edit Build.prop and therefore allow the ability for OEM unlocking on USA based devices.) <- correct me if I'm wrong, but this should be possible, and once done, should persist across updates, correct?
As of the time of writing this, there is not currently a simplified APK method, but, still this process is relatively straight forward.
A lot of the methods used HAVE been patched from what I understand, but there have got to be plenty of devices out there still which are not updated. This project aims to compile all current, former and future root methods into an APK that will do all the leg-work. If it's able to find a working method, the GUI will pop a root shell for the end user. This SHOULD work, regardless of the setting of the "OEM UNLOCK" option in the dev options. A bypass, essentially.
Regardless, The project linked below uses a myriad of known exploits & vulnerabilities and looks to find one that will work.
Methods used are:
Nearly all of GTFOBins
Writeable docker.sock
CVE-2022-0847 (Dirty pipe)
CVE-2021-4034 (pwnkit)
CVE-2021-3560
It'll exploit most sudo privileges listed in GTFOBins to pop a root shell, as well as exploiting issues like a writable docker.sock, or the recent dirty pipe (CVE-2022-0847). More methods to root will be added over time too.
There is also an alternative (Dirty Pipe) injection method that uses @topjohnwu 's Magisk; this should be implemented into the APK. See this Github repo, Here.
I would imagine this could be implemented in a way to target devices that have stopped being supported for updates as well, that do not have TWRP, such as the SM-T307U.
One big note - I am betting there are still A LOT of devices that are in inventory at retailers that remain on the vulnerable OS. So keeping that in mind, I'd say this is worth building.
What needs to be done:
TESTING!
Build APK - HELP NEEDED WITH THIS!
Deploy
Main Goals:
Get bootloader unlock ability for devices normally not unlockable (I.e North American Samsung Galaxy S22, Etc)
Above can be achieved by getting temp root via methods detailed here or otherwise, then editing build.prop, altering the below settings (The settings may be worded differently or simply not present at all, depending on device and Firmware version):
sys.oem_unlocking_allowed to 1
ro.oem_unlock_supported to 1 (most devices are set to 1 by default.)
ro.boot.flash.locked to 0
ro.secure to 0
ro.debuggable to 1
I think there may be one or two more that pertain to flash.locked, i.e. flash.locked.other, or something very close.
Locally, gain temp root (System preferred, but any root will do.) on as many device types as possible.
Give device control back to end user.
Stay up-to-date on new exploits for root access & update apk accordingly.
STAY ETHICAL!!!! This is, in the end, a research project. Meaning all work performed in the context of this project could result in a damaged or bricked device. By participating in this project you acknowledge these risks and accept them, and agree to not hold me, XDA, or anyone else responsible if you do some dumb ****. - k0mraid3
Github Project link: HERE for my fork & HERE for the original project.
My fork will incorporate the original project, as well as other found root access methods, such as the magisk injection method mentioned above - my repo is mainly used as a hub for the APK's dev - i don't have enough time to work on it at the moment but all are welcome to help.
July 15th 2022 (UPDATE) (SAMSUNG DEVICES ONLY): A new Escalation method has been found via the Galaxy app store (Versions BEFORE Galaxy Store 4.5.41.8). No details known yet, but it is said to be very easy. See CVE-2022-33708 (July132022). Unknown if downgrading the app to 4.5.0.0 will enable the method again or not.
Cred: liamg
One method to run Traitor on device - Thanks @DevinDking for sharing this.
Steps to get the script on the phone.
#!/bin/sh
set -e
dir=/data/local/tmp
adb=${adb:-"adb"}
$adb push traitor ${dir}   # This puts the file on the phone; make sure to run the terminal where it's located
$adb shell chmod 755 ${dir}/traitor
Now to run the script, start a new terminal
adb shell
#!/bin/sh
set -e
dir=/data/local/tmp
adb=${adb:-"adb"}
${dir}/traitor   # script opens
But I assume this wouldn't work right, and isn't right.
Idk trying my best here xD
Tools & References:
Linux (and Android, FTMP) Privilege Escalation Techniques
Dirty Pipe - Magisk Injection
Traitor - Main Repo
GTFOBins
CVE Database (Public Database for exploits, vulnerabilities, etc.)
Windows Subsystem For Linux (Great for Dev)
ADB App Control - Cred @Cyber.Cat
Leaked Samsung Source Code ***Mod Edit: Link Removed***
Crontab Root Template script (File Attached - you still must edit crontab with "crontab -e" and point it to this file, see comments for guide, I will add one to post later)
Android Image Kitchen Used to create custom image's etc.
MTK Client
MTK Meta Utility (Source-???)
Will add more as time goes on and more found.
Interesting Attack vectors -
GFX Components of a system.
Issues with Linux itself (i.e Dirty Pipe)
Privilege escalation via any means (i.e. GTFOBins)
unprotected system process - Hijack them if possible (i.e RILService Mode, and a wide range of other OEM apps left on devices after ship)
7/24/22 - Samsung, LG & Other OEM's obfuscating (Intentionally Hiding) Fastboot and ADB Bootloader interfaces on PC
So over the last week or so I dived head first into USB dev. I'll save you the time and sum it up.
Vendors and OEMs are actively obfuscating the USB connection between your smartphone and the PC to keep you from rooting. As far as I'm aware, there is no universal way to fix this as each OEM screws with the USB drivers differently. THIS needs to be a point of focus for the rooting community. However, I have found a few tools for dev if you wish to screw with this. (I'll upload them tonight.)
7/24/22 - MTK (MediaTek) based Exploits
I will try to compile a few methods for FORCING bootloader unlock on MTK based devices as well as a way for manipulating said devices. I will attach two tools to this thread; these tools are EXTREMELY POWERFUL and can completely **** up your device. When I say REALLY F*CK UP your device, I mean to the point you can't even access recovery, Download OR bootloader mode. I'm talking a blank DEAD device. So use with caution.
With that said, let's talk about the tools. You will need a basic understanding of Python to make use of MTK Client.
First up, we have MTK Meta Utility (Currently Version 44) (Download Below)
Next we have MTK Client (Github Link)
So what can you do? Well, you can crash the Preloader to Brom with MTK Meta Utility while at the same time using MTK Client to send any payload you like to the device via Fastboot.
I know, vague right now, but I'll add detail over the coming days.
I will continue to update the below list as new methods are discovered.
If you find Guides, tutorials or new exploits, please link them in the comments so I can include them in future development!
Telegram Channel: Here.
Information on Vulnerabilities, exploits & methods - CVE-2022-0847 (Jfrog) - The Story Of "Dirty Pipe" - XDA - Dirty Pipe - PWNKIT (CVE--2021-4034) - CVE-2021-3560 - Docker Breakout / Privilege Escalation - CVE-2022-33708 (July132022) - CVE-2022-33701 (July122022) - CVE-2022-22268 (Unlock Knox Guard with DEX) (JAN2022) - MTK Client -
Dev Team & credit to -
@topjohnwu - LiamG - @wr3cckl3ss1 - bkerler -
UPDATED - 7/29/22
There is also a new vulnerability exploit by Zhenpeng Lin that allows for privilege escalation on Pixel 6 and Galaxy S22 devices running the 5.10 kernel.
Don't update... destroyer of worlds
I feel like I'm missing something, because wouldn't there normally be a million responses of hype, hope and nay-saying going on here? Has this been shot down already?
olivehue512 said:
I feel like I'm missing something, because wouldn't there normally be a million responses of hype, hope and nay-saying going on here? Has this been shot down already?
Lol, everybody already updated the patch
blackhawk said:
Lol, everybody already updated the patch
This is just sad panda. I'm gonna skip next update anyways unless it comes with an actual other phone that is BL unlocked. I feel like everyone wants this so bad it can't be that far out before it happens.
Does the Magisk injection method work after July patch? I was reading through the work they did to get it done. Props to those guys.
sierratango88 said:
There is also a new vulnerability exploit by Zhenpeng Lin that allows for privilege escalation on Pixel 6 and Galaxy S22 devices running the 5.10 kernel.
Has it got a fancy number yet?! Eager to try this!!!! Maybe it can be put in with the others.
olivehue512 said:
I feel like I'm missing something, because wouldn't there normally be a million responses of hype, hope and nay-saying going on here? Has this been shot down already?
Well, because they are known and accepted vulnerabilities and exploits. A very few have even been marked as "WONTFIX" such as the TTY method.
olivehue512 said:
This is just sad panda. I'm gonna skip next update anyways unless it comes with an actual other phone that is BL unlocked. I feel like everyone wants this so bad it can't be that far out before it happens.
Does the Magisk injection method work after July patch? I was reading through the work they did to get it done. Props to those guys.
Honestly, it's worth a shot but I doubt it.
One of the goals behind building the APK compilation of all these different tactics is to enable the end user to "give it a shot" easily on different devices, without having to know how to run all of this manually. Basically imagine an apk that just tries all the above methods and if ones successful the gui will pop a root shell open. From there, the possibilities are endless. Edit Build.prop, SELinux, Verity, Etc.
FYI, even if you applied the July update, it seems the kernel version is still from June 21st, still 5.10xxxx, so we could still benefit from this exploit. Very interested in how we can get root here in the US.
K0mraid3 said:
Has it got a fancy number yet?! Eager to try this!!!! Maybe it can be put in with the others.
There hasn't been a CVE assigned to it yet that I am aware of.
xgerryx said:
FYI, even if you applied the July update, it seems the kernel version is still from June 21st, still 5.10xxxx, so we could still benefit from this exploit. Very interested in how we can get root here in the US.
Go to the Github linked and try the different methods, see if you can pop a root and nano build.prop to allow OEM unlocking?
sierratango88 said:
There hasn't been a CVE assigned to it yet that I am aware of.
GREAT news for us! Let's get this temp root! lol
Looks like another new one! CVE-2022-33708
Another Samsung Exclusive - CVE-2022-33701
So, I've just spent my entire Friday and Friday night MANUALLY testing all the GTFOBins & reproducing some of the newer CVEs on Samsung Galaxy S7 Edge (Android 9), Galaxy Tab A 8.4 (Android 11), Galaxy S21 & S22 (Android 12) --- A little bit of progress made. Again, I'll need someone with better working knowledge of APKs & Java to really move forward. All I can say so far is this all must be awkward for Sammie, because cronie is looking promising.
"crontab -e"
interesting find. not "New" but still new-ish enough some may be able to use. CVE-2022-22268 (Unlock Knox Guard with DEX)
New to this all but not rooting. Anyone recommend a way tutorial on how to try these methods on Win 11?
I don't have a deep understanding of Linux; I have tried Debian and Ubuntu. I get traitor to run but it's detecting the Linux kernel and not my phone's. How can I get the program to search for vulnerabilities on my phone, not my Linux? I would love a more in-depth guide and I'd love to give feedback on methods.
DevinDking said:
I don't have a deep understanding of Linux; I have tried Debian and Ubuntu. I get traitor to run but it's detecting the Linux kernel and not my phone's. How can I get the program to search for vulnerabilities on my phone, not my Linux? I would love a more in-depth guide and I'd love to give feedback on methods.
I had the same issue but can't remember how I worked that out. Let me see if I can find out what I did on Win11.