Potential root avenues


Dana C.

Nov 16, 2020, 12:26:40 PM
to comp.mobile.nokia.8110
I came across this posting regarding security vulnerabilities in several apps - maybe these can be used to gain root access on devices without other known ways to gain root?

HTML can be injected into:

Email
Contacts
File Manager
Recorder
Notes
FM Radio

I don't know enough to implement an attack for this but thought somebody here could use this (personally, I'm hoping it helps someone crack the Smartflip phones, but that's beside the point :-P)

Dana C.

Nov 16, 2020, 12:35:10 PM
to comp.mobile.nokia.8110
After reading more closely, the file manager seems most likely to be useful, though KaiOS was made aware of this in 2019 and published a fix, and OEMs may not have pushed that fix. Looks like builds older than August 2019 should still be vulnerable.

Affe null

Nov 17, 2020, 12:01:03 PM
to comp.mobile.nokia.8110
This is great news! I have just tested injecting JS on my Nokia 8110 4G and it works. My phone has GerdaOS so I couldn't check if it is possible to jailbreak.
However,
- The Email app has 'power' permissions, which are needed for privileged factory reset
- The Notes app has 'webapps-manage' permissions, which allow you to install apps
so it may be possible to do a jailbreak and then install rooting apps.

A guide and a script can be found here:
https://gitlab.com/affenull2345/kaios-inject-scripts

Dana C.

Nov 17, 2020, 2:11:16 PM
to comp.mobile.nokia.8110
Excellent!

I'm trying to see if it works here on version 2.5.2 (built August 22, 2019) - I suspect this might be the first build that fixes these :-(

For the email Factory Privileged Reset, are the account label and the "Account Name" the same thing? It looks like they may have limited the number of characters you can put into this field. I can only get to the "nav" in "navigator" and then it always automatically deletes the next character.

The Notes app may now sanitize the input. Is the omniSD package you refer to downloading the .zip file? I entered the HTML but nothing happens. I tried hitting "Save". Are there any other actions needed?

Affe null

Nov 17, 2020, 2:47:28 PM
to banana...@googlegroups.com
On my phone, there is no 'Account name' field and the 'Account label' field has no length limit. After entering the HTML (in both apps), the 'save' key must be pressed (not 'back', that was a mistake). Here are some possible scenarios of what could happen then:
1. The input is not sanitized. A frame or cut off rectangle appears and the JS is executed.
2. The input is treated as text. The HTML tags appear in the title/preview.
3. The tags are stripped off. Only a small part of the HTML is visible.

You could also try using src="data:,alert(`x`)" instead of the src attribute with navigator.mozPower to test a shorter script (those symbols surrounding the x are back ticks). The letter x should pop up after hitting save.

Dana C.

Nov 17, 2020, 4:16:51 PM
to comp.mobile.nokia.8110
The src="data:,alert(`x`)" script was still too long, but I did manage to enter an incomplete version:

<iframe srcdoc='<script src="data:,alert(`x`)">'>

(apologies if the above doesn't show correctly)

which resulted in a strange broken listing on the accounts screen:

[screenshot attached: 2020-11-17-15-07-30.png]

The same alert script didn't do anything in the Notes app either after pressing "Save", it looks like that has been fixed in my build.

Dana C.

Nov 17, 2020, 4:22:46 PM
to comp.mobile.nokia.8110
To add, the incomplete/broken script in my previous post is only one character shy of the limit in the Account Name field.

Affe null

Nov 18, 2020, 8:31:45 AM
to banana...@googlegroups.com

That frame in the listing is the iframe from the HTML. The script doesn't work because the <script> tag must have a matching </script> tag, unlike <iframe>.
Can you see a cut off frame in the listing in the Notes app?

Dana C.

Nov 18, 2020, 11:49:46 AM
to comp.mobile.nokia.8110
That makes sense. I just tried to get it short enough to get some sort of reaction out of it given the short field length.

The Notes app doesn't seem to evaluate the HTML at all, it just displays it like normal text, in both the list of notes and the individual note display.

Affe null

Nov 18, 2020, 2:10:37 PM
to banana...@googlegroups.com
This means that you can't install your own apps, unless there are any other vulnerabilities in user-accessible apps which have the webapps-manage permission. It may be that the permissions are different in your version, so you may try pulling your /system/b2g/webapps folder and do
grep -Ero 'power|webapps-manage' .
in the pulled folder in the terminal (you need some sort of Unix-based system for that). It should list apps that have the 'power' or 'webapps-manage' permissions.
Also, there is another trick (it may have been fixed away) that might let you do at least a privileged factory reset:
1. Create a recording in the 'recorder' app
2. Give it some name
3. Rename it to include the HTML that does a privileged factory reset in its name
4. Select 'add to music library' from the menu
5. Select 'compose' in the Email app
6. Add an attachment from 'music' - it is called music_<iframe srcdoc...
7. The JS should execute and ask you if you want to do a privileged factory reset

Dana C.

Nov 18, 2020, 4:07:54 PM
to comp.mobile.nokia.8110
Thanks for your help. I tried your recorder app -> email trick, and they don't allow special characters in the rename field, either there or in the file manager.

I'll try to see if any other apps have useful permissions. I'm starting to think I might be SOL with this particular device though.

Affe null

Nov 21, 2020, 4:43:18 AM
to comp.mobile.nokia.8110
I have found another vulnerability. It is in the Calendar app and lets you set device settings, including hidden ones (Call recording) and the debugging mode.
See https://gitlab.com/affenull2345/kaios-inject-scripts (Alternative Method) for more information.

Dana C.

Nov 21, 2020, 11:43:51 AM
to comp.mobile.nokia.8110
Looks like they limited the calendar event name field in 2.5.2 to 101 characters, but it does do the alert trick, so it still evaluates a script. If we had a shorter URL it would probably work XD. Is it possible to save and access the script via the downloads folder? That might need fewer characters than spelling out the whole URL. What menu does this bring up? The same one W2D does?

Here's the list of apps that have power and webapps-manage on 2.5.2, at least on this phone:

.//search.gaiamobile.org/manifest.webapp:webapps-manage
.//testbox.gaiamobile.org/manifest.webapp:webapps-manage 

I'll explore some of these later and see if any have obvious text fields that can accept a script.

Affe null

Nov 21, 2020, 11:58:27 AM
to comp.mobile.nokia.8110

Affe null

Nov 21, 2020, 12:04:49 PM
to comp.mobile.nokia.8110
The script prompts for a 'device setting' name and value; it uses no menus. There is an incomplete list of settings here: https://developer.mozilla.org/en-US/docs/Archive/B2G_OS/Platform/Settings_list . Call recording settings are listed on the BananaHackers call recording page and the debugger setting is mentioned in the README file.

BTW, what is the search.gaiamobile.org app?

Dana C.

Nov 21, 2020, 6:52:51 PM
to comp.mobile.nokia.8110
> BTW, what is the search.gaiamobile.org app?
It looks like it's just the browser, I think. Oh, I guess I also left off that list "system.gaiamobile.org" has both webapps-manage and power privileges, but I suppose that was obvious haha

Your shorter URL worked! Is there any comprehensive list of known settings and allowable values? I can turn on ADB-devtools but it still won't connect to webIDE.

Dana C.

Nov 21, 2020, 7:42:18 PM
to comp.mobile.nokia.8110
oh whoops, I totally missed your link there! I'll check that out.

Dana C.

Nov 22, 2020, 11:24:41 AM
to comp.mobile.nokia.8110
Is there any way to run an arbitrary app that isn't on the launcher screen? 

That testbox.gaiamobile.org app listed above has a very suspiciously named rootUserMode.html file. In a commented-out line it references service.adb.root, which I think is disabled completely in adb, unfortunately. I set it to "1" and it didn't allow root access as far as I can tell. I can email you a zip file of the testbox app if you're curious.

There's also mmitest.gaiamobile.org which is interesting.

Neither of these are available in the launcher though, so we need to be able to launch an app without it being in the launcher.

Affe null

Nov 22, 2020, 2:54:04 PM
to Banana Hackers
I've had a closer look at the testbox app on my phone, its manifest.webapp file lists rootUserMode.html as an activity named "internal-system-engineering-mode". This means that it's possible to open it from anywhere, even from a website using a trick similar to W2D:

new MozActivity({name:'internal-system-engineering-mode'});

That code opens a strange page with two buttons: 'user2root' and 'root2user'. I wanted to look at the code before clicking them, and also I am running GerdaOS which is permanently rooted.
[screenshot attached: 2020-11-22-20-50-52.png]

Affe null

Nov 22, 2020, 3:27:17 PM
to Banana Hackers
According to the code, 'user2root' puts adbd into root mode (so it does the same as rooting apps like Wallace!)


Dana C.

Nov 22, 2020, 4:01:04 PM
to comp.mobile.nokia.8110
I'm trying to open the internal-system-engineering-mode activity and I can't get anything to happen. I believe this should open it, right? I made a little webpage based on w2d.bananahackers.net to test this out, and I can get the developer menu to open, the testbox app to open, but not the rootUserMode.html.

button:
        <button id="internal-eng-mode">Launch engmode app</button>

script:
      document.getElementById('internal-eng-mode').addEventListener('click', function (e) {
        // MozActivity only exists in the Gecko/B2G (KaiOS) runtime, not in a desktop browser
        if (window.MozActivity) {
          var act = new MozActivity({
            name: 'internal-system-engineering-mode'
          });
        } else {
          window.alert('Please open the page from the device itself!');
        }
      }, false);

I'm pretty sure I have that right, but I can't get anything to happen. internal-system-engineering-mode is in the list of activities in the manifest.webapp file:
"activities": {
  "testbox": { "disposition": "window", "returnValue": false },
  "internal-system-engineering-mode": {
    "disposition": "window",
    "returnValue": false,
    "href": "/rootUserMode.html"
  }
}

I'm not sure what's going wrong here!

Kelly Miller

Nov 22, 2020, 11:24:28 PM
to Dana C., comp.mobile.nokia.8110
DAMN. I got a Nokia 800 Tough that I'm using as a "secure" hotspot to take the attack surface away from my iPhone's antennae. So should I just remove all of those apps? I kind of like having a file manager and contacts, but they should go for the greater good, right? Contacts is what I want to keep more. Thanks heaps to everyone who contributed to this very valuable thread!
