
[SECURITY-HACK-NEEDED] Security Android hack needed for commercial use.

Important Note
The information shown below is deliberately intended to circumvent a safety mechanism used on Android. The ideas should only be used for beneficial, experimental and controlled purposes, and not to harm others' privacy and security.



PROBLEM

A rooted phone (via Root Genius) contains a non-authorized application that needs to be granted su permissions. The phone has already been deployed and distributed, boxed and sealed, so no user touch is possible to allow root authorization or VNC remote control. The superuser manager app is KingUser v3.4.8 64, so whenever the non-authorized app tries to do something with su permissions, a prompt asking the user to explicitly authorize the request appears. Until now we have never had a scenario where this non-authorized app had to do anything related to su commands, so it has worked fine so far.

[Screenshot: KingUser authorization prompt]

Now, because we are required to, we have to perform some superuser operations remotely from the non-authorized app without user intervention. To accomplish this, we were trying to modify KingUser's configuration files programmatically, since KU has a setting called Timeout Default Response (Deny / Authorize). This setting denies or authorizes the request when the authorization prompt times out. Unfortunately we did not foresee this before the project launched, and now all the phones have this setting on DENY (and they are already deployed in the field). Although we are able to modify KU's configuration file, a prompt appears requesting authorization, and the user is not able to touch the screen.

It's not a simple problem to hack, we are aware of that. But under the current installation layout there could be something we are missing, and maybe you guys can point it out to us.

REWARD

I will make a generous donation to whoever helps solve this complex problem and promotes the hack.


Environment:

We installed root on the Android phones before they left the company premises, via the Root Genius tool. By doing so, the phones got the KingUser application installed. The phones also contain an application capable of running and performing scheduled tasks (App1). A second application, located in /system/app, is capable of updating App1 (App2) by connecting to a server and overwriting App1. We have the sources of App1, but we do not have the sources of App2. It's a private domain and environment built for commercial use, not for hacking third-party apps or phones. (In fact, these phones are used as video screens, in kiosk mode.)

[Diagram: App1 / App2 deployment layout]

Objective / Goal:
  • We must find a way to grant root permissions to the non-authorized App1. Please remember the phone is actually rooted, with KingUser installed.
  • We must skip any prompt the user would have to tap in order to grant the request. If necessary, we should find a way to remotely "click" the authorization prompt.

What we need:

Currently we have App1 and App2 working as shown in the picture above. The plan is a new deployment of App1 which programmatically issues a "su" command (Runtime.getRuntime().exec("su -c ...")). Once installed by App2, App1 would run and the command would be executed. Up to this point we are fine; however, we need to authorize the KingUser prompt programmatically, without user intervention. This is challenging because of security constraints: Android is built on a security model where the user has to physically touch any popup of any application that requests permission either to elevate privileges or to accept remote control.
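Since the updated App1 will call su itself, the following is an added example (not code from this post and not App1's actual code) of how an unattended app should issue "su -c" and interpret the result. It bounds the wait, because with KingUser's timeout default on DENY the child process sits blocked for the whole prompt countdown and then exits non-zero, and it separates "no su binary on the device" from "prompt denied or timed out". It avoids lambdas and Process.waitFor(timeout) so it compiles for API 16/17. The class name, the "id" command and the 30-second wait are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

/**
 * Bounded "su -c" invocation for an unattended Android app.
 * Added example; not part of the original post or of App1.
 */
public final class SuProbe {

    public enum Result { GRANTED, DENIED_OR_TIMED_OUT, SU_NOT_FOUND }

    public static final class Outcome {
        public final Result result;
        public final int exitCode;    // -1 if the child did not finish in time
        public final String output;   // combined stdout/stderr of the child

        Outcome(Result result, int exitCode, String output) {
            this.result = result;
            this.exitCode = exitCode;
            this.output = output;
        }
    }

    private SuProbe() {}

    /**
     * Runs "su -c cmd" and waits at most maxWaitMillis for it to finish.
     * While the superuser manager shows its prompt the child is blocked; on an
     * unattended device with the timeout default on DENY it blocks for the whole
     * countdown and then exits non-zero, so an unbounded wait stalls the caller.
     */
    public static Outcome run(String cmd, long maxWaitMillis) {
        ProcessBuilder pb = new ProcessBuilder("su", "-c", cmd);
        pb.redirectErrorStream(true);            // capture stderr alongside stdout
        final Process p;
        try {
            p = pb.start();
        } catch (IOException e) {
            // No su binary on PATH: the device is not rooted (or su was removed).
            return new Outcome(Result.SU_NOT_FOUND, -1, String.valueOf(e.getMessage()));
        }

        final StringBuilder out = new StringBuilder();
        Thread reader = new Thread(new Runnable() {
            @Override public void run() {
                BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
                try {
                    String line;
                    while ((line = r.readLine()) != null) {
                        synchronized (out) { out.append(line).append('\n'); }
                    }
                } catch (IOException ignored) {
                    // stream closed by destroy(): nothing more to read
                }
            }
        });
        reader.start();

        long deadline = System.currentTimeMillis() + maxWaitMillis;
        int exit = -1;
        while (System.currentTimeMillis() < deadline) {
            try {
                exit = p.exitValue();            // throws while the child is still running
                break;
            } catch (IllegalThreadStateException stillRunning) {
                try {
                    Thread.sleep(200);
                } catch (InterruptedException ie) {
                    Thread.currentThread().interrupt();
                    break;
                }
            }
        }
        if (exit == -1) {
            p.destroy();                         // still parked on the prompt: give up
        }
        try {
            reader.join(1000);
        } catch (InterruptedException ie) {
            Thread.currentThread().interrupt();
        }

        String output;
        synchronized (out) { output = out.toString(); }
        // An explicit DENY and a timed-out prompt both surface as a non-zero exit
        // (or no exit at all); from inside the app they cannot be told apart.
        Result result = (exit == 0) ? Result.GRANTED : Result.DENIED_OR_TIMED_OUT;
        return new Outcome(result, exit, output);
    }

    /** True only if the command really ran as uid 0 (use with cmd = "id"). */
    public static boolean ranAsRoot(Outcome o) {
        return o.result == Result.GRANTED && o.output.contains("uid=0(");
    }

    // Usage from App1's scheduled task (assumed values):
    //   Outcome o = SuProbe.run("id", 30000L);
    //   boolean root = SuProbe.ranAsRoot(o);
}
```

Checking "uid=0(" in the output of id, rather than trusting the exit code alone, guards against a superuser manager that runs the command unprivileged instead of failing it.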

Unfortunately we are not able to manually authorize a system already distributed to thousands of phones; that would be a complete hassle, since the phones are sealed in a box that would have to be opened to do so.

Possible Approaches:
  • Installing a remote desktop client when updating the non-authorized App1. That way we would be able to remotely click the authorization prompt once the su command is issued by App1 itself.
  • Any other way to remotely "click" the authorization prompt. We have tried injecting touch events via Java instrumentation and via adb.
  • Any other way to modify KingUser's configuration files and database from a non-authorized app without facing this authorization prompt (for us this is almost impossible).
  • Any other way of injecting code via App1, for example replacing the APK installed as App1 and running a script via reflection. Bear in mind that App2 installs App1 programmatically and is located in /system/app, a privileged location for running elevated commands.
  • Any other way of exploiting known vulnerabilities, such as WebView JavaScript injection: reading the contents of the SD card and the exploited application's (in our case App1's) data directory, and extending that to obtaining root privileges. Bear in mind our deployed Android versions are 4.1.2 and 4.2.2, where the vulnerability is present (API level 17 or lower).


RESEARCH DONE


Remote Control and VNC

Remote control on Android is possible; it can be achieved using a VNC server either built into the sources of App1 or started from the command line at initialization. The big constraint is doing it unrooted and without user intervention. We have made tests with an unrooted professional solution, TeamViewer QuickSupport, which comes with a very nice Android SDK for running unattended. It is ideal because it solves any firewall block on the VNC port, especially when dealing with 3G; however, the moment the connection is established from a PC, a popup prompts the user to allow the remote-control connection. I called TeamViewer support and they confirmed this prompt is a policy that cannot be skipped.

To check the real functionality we also made a test with the rooted droid-VNC-Server, connecting to an SSH server via ConnectBot and establishing a tunnel to port-forward port 5900. It works well and guarantees the communication. Ultimately, merging the source of the bot (ConnectBot) into App1 should be feasible.
Steps:
  1. Start droid-VNC on port 5900.
  2. Connect to your remote SSH server with ConnectBot.
  3. Go to Port Forwards and set Type: Remote, Source 5901, Destination localhost:5901.
  4. On your server, start a VNC client and target localhost.

To replicate the scenario just mentioned but without root, I made a test with the older android-vnc-server and with fastdroid-vnc. Both are native executables that I have been trying to run from my App1 environment with Java runtime code.

Code:

// Launch the native VNC binary that was extracted into the app's private data directory
Process p = Runtime.getRuntime().exec("/data/data/com.package/nativeFolder/fastdroid-vnc");
The result on both is "Initializing framebuffer device /dev/graphics/fb0…"; on android-vnc-server I additionally get the error "cannot open fb device". Otherwise nothing happens on either and I cannot connect.
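As an added example (not part of the original post, nor of either VNC project), the following Java checks the two prerequisites a framebuffer VNC server needs before App1 launches it, and captures the server's output so that a message such as "cannot open fb device" is actually seen instead of silently lost. The binary must carry the execute bit (files written into the app's data directory do not get it by default), and the app's uid must be able to open /dev/graphics/fb0, which on stock devices is typically 0660 root:graphics and therefore not openable by an unprivileged app; that open() failing is the usual cause of that error. The class name, file paths, the empty argument list and the 5900 port are assumptions.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.InetSocketAddress;
import java.net.Socket;

/**
 * Preflight and launch helper for a native framebuffer VNC server run from an
 * app's private directory. Added example; not code from the post or the projects.
 */
public final class NativeVncLauncher {

    private NativeVncLauncher() {}

    /** Returns null if the server can plausibly run, otherwise the blocking reason. */
    public static String preflight(File binary, String fbDevice) {
        if (!binary.isFile()) {
            return "binary missing: " + binary;
        }
        // Files extracted into /data/data/<pkg>/... are created without the exec bit.
        if (!binary.canExecute() && !binary.setExecutable(true, true)) {
            return "cannot set exec bit on " + binary;
        }
        File fb = new File(fbDevice);
        if (!fb.exists()) {
            return "framebuffer device not present: " + fbDevice;
        }
        // Typically 0660 root:graphics; an ordinary app uid is in neither, so the
        // server's own open() of the device fails ("cannot open fb device").
        if (!fb.canRead() || !fb.canWrite()) {
            return "uid " + android.os.Process.myUid() + " cannot open " + fbDevice;
        }
        return null;
    }

    /** Starts the server and streams its stdout/stderr into log on a daemon thread. */
    public static Process start(File binary, String[] args, final StringBuilder log)
            throws IOException {
        String[] cmd = new String[args.length + 1];
        cmd[0] = binary.getAbsolutePath();
        System.arraycopy(args, 0, cmd, 1, args.length);
        ProcessBuilder pb = new ProcessBuilder(cmd);
        pb.redirectErrorStream(true);            // keep the error text, not just stdout
        final Process p = pb.start();
        Thread t = new Thread(new Runnable() {
            @Override public void run() {
                BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
                try {
                    String line;
                    while ((line = r.readLine()) != null) {
                        synchronized (log) { log.append(line).append('\n'); }
                    }
                } catch (IOException ignored) {
                    // server exited or was destroyed
                }
            }
        });
        t.setDaemon(true);
        t.start();
        return p;
    }

    /** Polls 127.0.0.1:port until something accepts a connection or time runs out. */
    public static boolean waitForListener(int port, long maxWaitMillis) {
        long deadline = System.currentTimeMillis() + maxWaitMillis;
        while (System.currentTimeMillis() < deadline) {
            Socket s = new Socket();
            try {
                s.connect(new InetSocketAddress("127.0.0.1", port), 500);
                return true;                     // the server bound the port and answers
            } catch (IOException notYet) {
                try {
                    Thread.sleep(250);
                } catch (InterruptedException ie) {
                    Thread.currentThread().interrupt();
                    return false;
                }
            } finally {
                try { s.close(); } catch (IOException ignored) {}
            }
        }
        return false;
    }

    // Usage from App1 (assumed paths; ctx is the app Context):
    //   File bin = new File(ctx.getFilesDir(), "fastdroid-vnc");
    //   String problem = preflight(bin, "/dev/graphics/fb0");
    //   if (problem == null) {
    //       StringBuilder log = new StringBuilder();
    //       Process p = start(bin, new String[0], log);
    //       boolean up = waitForListener(5900, 5000L);   // inspect log if false
    //   }
}
```

On an unrooted device preflight() is expected to stop at the framebuffer check; that result is the same fact the "cannot open fb device" error reports, obtained before spawning anything.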

VMLite: A third option could be using VMLite, which is the only unrooted server that can efficiently VNC Android devices. I am currently in conversation with the authors, figuring out a way to install a version unattended by the user.

Injecting a touch event at (x,y) coordinate to Authorize.

The problem we are facing is that the KingUser authorization dialog is not running within our App1 application's scope; to us it is a third-party application like any other on the OS. Typically the result is "Injecting to another application requires INJECT_EVENTS permission". There is a lot of information on how to inject a touch event; unfortunately all of it requires either root permission or a system-level permission. If the ROM were custom I could sign the APK with the build certificates and would then be able to trigger touch events; however these are stock ROMs and we don't have the OEM certificates.


Injecting code via background installation reflection:

As mentioned in the Environment section, App2, located in /system/app (and closed source), is capable of updating App1. App2 connects to a web service, downloads a new version and, by means of a reflection call, installs App1 in the background silently, like Android-InstallInBackgroundSample. Going deeper into the installation method, there is a security window we can exploit. This is the method.


Code:

// Hidden PackageManager.installPackage(Uri, IPackageInstallObserver, int flags, String installerPackageName), looked up via reflection; requires android.permission.INSTALL_PACKAGES (a signature|system permission)
method.invoke(pm, new Object[] {apkFile, observer, INSTALL_REPLACE_EXISTING, null});
Tests of exploits running from App2 in /system/app could gain root access, given that we can replace App1 with a script. As far as our tests go, we have not been able to achieve it.

Exploit injection via know Android vulnerability:

There are known vulnerabilities in Android that we can take advantage of; for example, the known WebView JavaScript vulnerability could allow us to execute rooted code that we deliberately place in our App1. Bear in mind we have the source of App1 and we compiled it. We can force the method
Code:

addJavascriptInterface(Object object, String name)
to run reflection code as a means of elevating privileges. We have not even tried this code, and I assume it needs a security expert to exploit it. There is a broad article on this subject with an overview. I still have not been able to go deeper.


King User Configuration File Hack:

We have studied KingUser quite a lot. Our main plan (to change the default action of KU's prompt) was to modify a KU configuration file so that we could change this behavior programmatically. We were successful at this, since we found that overwriting these files allows any application to be authorized to perform su operations (when the countdown finishes). We are, however, only enabling this feature on current deployments locally. Below is a screenshot of the KU data folder:

Hack when KingUser Version is 3.4.5:

[Screenshot: KingUser 3.4.5 settings file, RootManagerSetting.xml]

In the picture I ran a cat command on the file "RootManagerSetting.xml". The red circle shows that PermissionTimeoutResponse is set to "1", which means that when the prompt's countdown expires it will authorize any application asking for "su" permissions. Unfortunately our already deployed phones are configured with this feature in DENY mode (so this value would show as "0" if catted). Our non-authorized app (App1) is already capable of editing this value programmatically and thus changing the default KU behavior.

Hack when KingUser Version is 3.4.8:

In KU 3.4.8 it is pretty similar to 3.4.5. The difference is that the line to be edited is in shared_prefs.txt, as shown below. Nevertheless, the value "1" still means AUTHORIZE as the default behavior, and "0" means DENY.


[Screenshot: KingUser 3.4.8 settings file, shared_prefs.txt]

The problem with this approach is that the mere act of editing these files programmatically from a non-authorized app (App1) triggers a KU prompt asking the user for permission to edit the configuration file. In this case we are not able to authorize this attempt, because the user has no physical access to the phone. Hence, we cannot modify the prompt's default timeout behaviour. Maybe by combining this approach with a remote desktop one we could remotely "click" on the very first prompt (when attempting to change these files). But we couldn't work this out yet. Any suggestions are welcome.

CELLPHONES DETAILS

We are working on two phones: the LG D680 (aka Optimus Pro Lite) and the HUAWEI ASCEND G7 (G730). Below are the specs of both phones.

HUAWEI G730 (from http://www.gsmarena.com/huawei_ascend_g730-6290.php):

[Spec sheet image: HUAWEI G730]

LG D680 (from http://www.gsmarena.com/lg_g_pro_lite-5772.php):

[Spec sheet image: LG D680]
