My intention is not to offend the author by the way :). It is to remind people to understand these kinds of scripts and their risks before you run them.
Do you think I should host the file somewhere I trust, and make it check the hash of the downloaded file from a different source to ensure it isn't compromised? My worry then is, what if the hash was compromised too?
I appreciate your response. Thanks!
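The hash check discussed in the comment above, written out as an added example (it is not code from the script author or from the thread): the script streams the downloaded file through SHA-256 and compares the digest in constant time against a value pinned from a separately obtained source. The pinned digest below is for the constructed sample content `b"abc"`, not for any real release, and the helper names are this example's own.

```python
"""Verify a downloaded script against a pinned SHA-256 digest before running it.

Added example: the digest should be obtained from a different host than the
file itself, so that compromising the download location alone is not enough.
"""
import hashlib
import hmac
import os
import tempfile

# Digest published out-of-band.  This value is SHA-256 of the constructed
# sample content b"abc" used in the demo below, not of any real script.
PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_of(path, chunk_size=1 << 16):
    """Hash the file in chunks so large downloads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_file(path, expected_hex):
    """Return True only when the file's digest equals the pinned one.

    hmac.compare_digest is used so the comparison time does not reveal how
    many leading characters of the digest matched.
    """
    expected_hex = expected_hex.strip().lower()
    if len(expected_hex) != 64 or any(c not in "0123456789abcdef" for c in expected_hex):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    return hmac.compare_digest(sha256_of(path), expected_hex)


def run_if_verified(path, expected_hex, runner):
    """Refuse to hand the file to `runner` unless the digest matches."""
    if not verify_file(path, expected_hex):
        raise RuntimeError(f"{path}: digest mismatch, refusing to run")
    return runner(path)


def write_sample(data):
    """Write constructed sample bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = write_sample(b"abc")
    print("digest :", sha256_of(sample))
    print("matches:", verify_file(sample, PINNED_SHA256))
    print("tampered matches:", verify_file(write_sample(b"abd"), PINNED_SHA256))
```

The pinned digest answers the first worry (a swapped file fails the check); it does not by itself answer the second (a swapped digest), which is why the digest has to live somewhere the downloader does not control.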
You might not know but there are probably quite a few who do analyse these things and would "blow the whistle" if they found something amiss.
Thus, if you're really unsure you can wait a short while before using it, to see others' experiences first. In general, the same principle goes for warez and any other unofficial, reputation-driven community where there is no central authority.
If you wanted to be absolutely "safe" you would not be wanting to root anyway... it's risky and I'd say that's even part of the fun for those who do.
I think there is no real answer here. Warn them, and warn them often might be the mitigation.
That should do the job.
More good reads on why you don't want to do this:
I didn't write this exploit, I just wrote this script that automates the exploit. The repository with the actual exploit is here https://goo.gl/f8HdO7, and the script to automate it is here https://goo.gl/r2dFia.
I think this would be a "temporary root", rather than something like CF-AutoRoot that gains persistence by modifying the system itself.
The ironic part is that since DirtyCOW is a kernel bug they could probably modify the exploit to disable SELinux from inside the kernel (or load a module that disables SELinux). But they're just trying to use the PoC as the only thing you can get from the exploit.
I suspect you got much the same back in the microcomputer era. Just look at the various phreaker stuff salvaged from BBSs.
What's the difference between "I can become the root user on my phone whenever I want" and "My phone is rooted"?
Note: I'm asking as a GNU/Linux user, not as a phone user.
Apparently SETUID is disabled on Android:
... using kernel features that help block privilege escalation (e.g. NOSUID, NO_NEW_PRIVS).
What are these different "methods" listed in the table here?
Can one of those methods allow me to write to some file in /etc? (Which is enough to grant me the access I want, unless SELinux is just MAGIC.)
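The quoted line mentions NOSUID and NO_NEW_PRIVS as kernel features that block privilege escalation. As an added example (not code from the thread or from any project discussed in it), the script below checks for both from the kernel's own reporting: it parses `/proc/mounts` for mounts that lack the `nosuid`/`nodev` options, and parses the `NoNewPrivs:` field of `/proc/<pid>/status` to see whether a process can still gain privileges through setuid or file-capability binaries. The sample `/proc/mounts` and `/proc/self/status` text is constructed for the demo, not captured from a real device, and the function names are this example's own.

```python
"""Audit two kernel privilege-escalation blockers: nosuid mounts and NO_NEW_PRIVS.

Added example.  Both checks read text in the format the kernel emits, so the
functions can be pointed at the real /proc files or at the samples below.
"""

# Constructed /proc/mounts lines (device, mountpoint, fstype, options, dump, pass).
SAMPLE_MOUNTS = """\
/dev/block/dm-0 / ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/sda1 /data ext4 rw,seclabel,nosuid,nodev,noatime,data=ordered 0 0
/dev/fuse /mnt/user/0/primary fuse rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /mnt/usb vfat rw,relatime 0 0
"""

# Constructed /proc/self/status fragment.  NoNewPrivs is reported by Linux 4.10+.
SAMPLE_STATUS = "Name:\tapp_process\nPid:\t1234\nNoNewPrivs:\t1\nSeccomp:\t2\n"

DEFAULT_FLAGS = ("nosuid", "nodev")  # noexec breaks app native libs on /data, so it is opt-in


def parse_mounts(text):
    """Turn /proc/mounts text into dicts; '\\040' is the kernel's escape for a space."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        device, mountpoint, fstype, options = parts[:4]
        entries.append({
            "device": device,
            "mountpoint": mountpoint.replace("\\040", " "),
            "fstype": fstype,
            "options": set(options.split(",")),
        })
    return entries


def missing_flags(entry, wanted=DEFAULT_FLAGS):
    """Hardening options absent from one mount, in the order requested."""
    return [flag for flag in wanted if flag not in entry["options"]]


def audit(text, wanted=DEFAULT_FLAGS, skip_readonly=True):
    """Map mountpoint -> missing flags, for mounts that are missing something.

    Read-only mounts are skipped by default: nothing new can be placed on
    them, and the system partition legitimately holds executables.
    """
    report = {}
    for entry in parse_mounts(text):
        if skip_readonly and "ro" in entry["options"]:
            continue
        missing = missing_flags(entry, wanted)
        if missing:
            report[entry["mountpoint"]] = missing
    return report


def no_new_privs(status_text):
    """True if the process has NO_NEW_PRIVS set, False if not, None if the kernel
    does not report the field (too old)."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "NoNewPrivs":
            return value.strip() == "1"
    return None


def audit_live():
    """Run both checks against the running kernel (Linux only)."""
    with open("/proc/mounts") as fh:
        mounts = audit(fh.read())
    with open("/proc/self/status") as fh:
        nnp = no_new_privs(fh.read())
    return mounts, nnp


if __name__ == "__main__":
    print("mounts lacking hardening flags:", audit(SAMPLE_MOUNTS))
    print("NO_NEW_PRIVS set for sample process:", no_new_privs(SAMPLE_STATUS))
```

On the constructed sample only the removable `/mnt/usb` mount is reported; add `"noexec"` to `wanted` to see that `/data` and `/tmp` also lack that flag, which is a deliberate trade-off rather than an oversight.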
You would need to be able to `setenforce 0`. A properly configured SELinux context can prevent you from doing that; however, we are starting to finally see some reports of dirtyc0w successfully leading to `SELinux status: permissive` and permanent root.
Do I understand correctly that vulnerabilities like this one mean I do not have any protection when I install an App on my phone? I mean the Android permissions system is useless when any App can just use an exploit to get root, isn't it?
Sorry for the beginner question, I am just hoping I am missing something.
They’re basically useless – they run them on actual devices, and if you use network access you are run through a VPN to ensure you don’t notice you’re running on Google devices from the IP, but it’s still easy to change the functionality depending on if you run on their servers or not.
It’s the old sandbox issue – they can’t statically analyze everything the program might do, and you can always find out if you’re in a sandbox one way or another.
Android antivirus scanners are even worse, though – AVG actually runs them in an emulator that reports itself as Nexus 4 on Marshmallow running on armv7 but is only able to load x86_64 libraries, and they allow network access without any proxying, so you see some AVG IP connect to your servers repeatedly.
(I had a bug in one of my apps that only manifested itself when running in such a sandbox, and which would be reported to my crash reporting service, which gave me a lot of insight into this)
I trust apps I install from F-Droid more than the Play Store.
The angry mob would probably bury them alive...
Sure, we can blame carriers, manufacturers and hardware suppliers for having their own policies, but this is the same for your average Windows laptop minus the carriers. Bundled themes and crapware from Sony, Lenovo or Dell never stopped Windows from updating.
Sometimes they do. Samsung was caught adding bloatware that disabled Windows Update: http://arstechnica.com/information-technology/2015/06/samsun...
Hopefully this is where Google's app scanning shines and prevents this exploit from spreading.
Ah well. I shall have to live with an unrooted S5 for now, unless the rowhammer people come up with something.
ChromeOS uses dm-verity to prevent this from being an issue, but I'm not sure Android does -- so you should be able to flip some bits on disk without being noticed!
edit: Correct, I was confusing it with Row Hammer.
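The comment above points at dm-verity as the reason a flipped bit on disk does not go unnoticed. As an added example (not dm-verity's own code and not from the thread), the script below builds a toy hash tree over fixed-size blocks, keeps only the root hash as trusted, and then verifies each block by walking its sibling hashes up to that root. Flipping one bit in a block, or in the stored hash tree, makes the walk fail. Real dm-verity uses 4096-byte blocks, a per-level on-disk layout and a salt applied per the format version; this example keeps the principle and simplifies the layout, and all names in it are this example's own.

```python
"""Toy dm-verity-style hash tree: catch modified blocks against a trusted root.

Added example.  The data image and the hash tree both live on "disk" (plain
Python objects here); only the root hash is trusted, as in a signed boot image.
"""
import hashlib

BLOCK_SIZE = 16  # tiny for the demo; dm-verity uses 4096-byte blocks


def _h(data, salt=b""):
    return hashlib.sha256(salt + data).digest()


def split_blocks(image, block_size=BLOCK_SIZE):
    """Cut the image into blocks, zero-padding the last one."""
    blocks = [image[i:i + block_size] for i in range(0, len(image), block_size)]
    if blocks and len(blocks[-1]) < block_size:
        blocks[-1] = blocks[-1].ljust(block_size, b"\0")
    return blocks


def _pad_even(level):
    """Duplicate the last node when a level has an odd number of nodes."""
    return level + [level[-1]] if len(level) % 2 else level


def build_tree(blocks, salt=b""):
    """Return the tree as a list of levels: levels[0] are leaf hashes,
    levels[-1] holds the single root hash."""
    level = [_h(b, salt) for b in blocks]
    levels = [level]
    while len(level) > 1:
        level = _pad_even(level)
        level = [_h(level[i] + level[i + 1], salt) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root_hash(levels):
    return levels[-1][0]


def proof_for(levels, index):
    """Sibling hashes from the leaf up to (not including) the root, each
    tagged with whether the sibling sits to the right of the current node."""
    proof = []
    for level in levels[:-1]:
        level = _pad_even(level)
        sibling = index ^ 1
        proof.append((level[sibling], index % 2 == 0))
        index //= 2
    return proof


def verify_block(block, proof, root, salt=b""):
    """Recompute the path from this block to the root and compare."""
    node = _h(block, salt)
    for sibling, sibling_is_right in proof:
        node = _h(node + sibling, salt) if sibling_is_right else _h(sibling + node, salt)
    return node == root


def find_corrupted(image, stored_levels, root, salt=b""):
    """Indices of blocks whose path through the stored tree no longer reaches
    the trusted root.  Works whether the data or the stored tree was altered,
    because the root is the only thing trusted."""
    bad = []
    for i, block in enumerate(split_blocks(image)):
        if not verify_block(block, proof_for(stored_levels, i), root, salt):
            bad.append(i)
    return bad


# Constructed image: five 16-byte blocks (odd count exercises the padding rule).
SAMPLE_IMAGE = b"".join(bytes([i]) * BLOCK_SIZE for i in range(5))


def demo():
    levels = build_tree(split_blocks(SAMPLE_IMAGE))
    root = root_hash(levels)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[40] ^= 0x01  # flip one bit inside block 2
    return find_corrupted(SAMPLE_IMAGE, levels, root), find_corrupted(bytes(tampered), levels, root)


if __name__ == "__main__":
    clean, flipped = demo()
    print("corrupted blocks in clean image:   ", clean)
    print("corrupted blocks after one bit flip:", flipped)
```

The root hash is the only thing that must be trusted; everything below it can sit on the same writable medium as the data because any change to a block or to the stored tree breaks the path to that root.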