

What is the root principle of Android?

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains "what is the root principle of Android": what the setUID bit does on Linux, why su works on a rooted device, and why a vulnerability in a root process is needed to put su there in the first place. The method is simple and practical, so let's walk through it.

0x00 About root

Linux and Unix-like systems were designed from the start as multi-user operating systems with strict management of user rights. The root user (the superuser, UID 0) is the sole administrator of the whole system and holds every privilege the operating system can grant, so whoever obtains root can read and modify the entire system. On Android, obtaining root lets you customize the system, uninstall pre-installed software, and take complete control of your own device.

0x01 setUID

Before discussing the principles of root, one concept is essential: the setUID permission bit on files. Ordinary Linux file permissions are straightforward: r (readable), w (writable) and x (executable), set separately for the owner, the group and everyone else, as ls -l shows for any ordinary executable owned by root.

Now consider a situation: an ordinary user is allowed to change their own password, yet the file that stores the password hashes, /etc/shadow, is writable only by root. How can an ordinary user change their password at all? The answer is the setUID bit. The command used to change a password is /usr/bin/passwd.

In the permission field of the passwd binary, the owner's execute position shows not x but s. That s is our protagonist: the setUID bit.

Because passwd is owned by root and has the setUID bit set, the kernel runs it with the effective user ID of the file's owner (root) rather than that of the user who launched it. For the duration of that execution the process has root's rights, which is how an ordinary user ends up writing to /etc/shadow.

So how to set setUID permissions?

The ordinary permission bits are nine binary digits in three groups of three, corresponding to the file owner, the file's group and all other users. An executable named root with permission rwxrwxr-x corresponds to the bits 111111101; reading each group of three with the weights 4, 2 and 1 gives the octal mode 775. The setUID, setGID and sticky bits are three further bits placed in front of these nine, with the weights 4 (setUID), 2 (setGID) and 1 (sticky); here we care only about setUID. With a special bit set, the mode is therefore written with four digits: the root file above plus setUID becomes 4775, and the passwd binary, whose permission string reads rwsr-xr-x, has mode 4755.
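The arithmetic above, carried through as an added example (this is not code from the article): a POSIX sh function that turns the permission string printed by ls -l into the four-digit octal mode, including the setUID/setGID/sticky digit, and a check that runs it against a real file. It also handles the upper-case S/T forms (special bit set without the execute bit) and the trailing "." or "+" that ls appends on SELinux or ACL systems, which the article does not discuss; the scratch file it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: symbolic permission string -> four-digit octal mode.
#
# Octal layout:  [special][owner][group][other]
#   special: setUID = 4, setGID = 2, sticky = 1
#   owner/group/other: r = 4, w = 2, x = 1
# In the symbolic form the setUID/setGID bit replaces the execute column of
# the owner/group triple with 's' ('S' when execute is NOT also set), and the
# sticky bit replaces the "other" execute column with 't'/'T'.

mode_to_octal() {
    s=$1
    case $s in
        ???????????) s=${s%?} ;;   # 11 chars: drop ls's trailing '.', '+' or '@' marker
    esac
    case $s in
        ??????????) s=${s#?} ;;    # 10 chars: drop the leading file-type character
    esac
    if [ ${#s} -ne 9 ]; then
        echo "mode_to_octal: expected 9 permission characters, got '$1'" >&2
        return 1
    fi
    special=0 digits='' pos=0 v=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}            # first remaining character
        s=${s#?}
        case $((pos % 3)) in
            0) case $c in r) v=4 ;; *) v=0 ;; esac ;;
            1) case $c in w) v=$((v + 2)) ;; esac ;;
            2)
                # Which special bit lives in this execute column?
                case $pos in 2) sb=4 ;; 5) sb=2 ;; *) sb=1 ;; esac
                case $c in
                    x)   v=$((v + 1)) ;;
                    s|t) v=$((v + 1)); special=$((special + sb)) ;;
                    S|T) special=$((special + sb)) ;;
                esac
                digits="$digits$v"
                ;;
        esac
        pos=$((pos + 1))
    done
    echo "$special$digits"
}

# Check the parser against a real file. Setting the setUID bit on a file you
# own needs no privilege; it only grants root when the file is owned by root.
demo_setuid_mode() {
    f=$(mktemp) || return 1            # constructed scratch file
    chmod 4755 "$f"
    perm=$(ls -l "$f" | cut -d' ' -f1) # e.g. -rwsr-xr-x
    rm -f "$f"
    mode_to_octal "$perm"              # prints 4755
}
```

On GNU systems stat -c '%a %A' prints both forms at once, which is a quick way to cross-check the function's output for any file.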

A small experiment makes the effect concrete. The binary behind the everyday cat command normally has no setUID bit: its permission string is a plain rwxr-xr-x. Reading /etc/shadow with cat as an ordinary user therefore fails with "Permission denied". If root then sets the setUID bit on the cat binary (chmod u+s; the file is already owned by root), the same ordinary user can read /etc/shadow, because cat now runs with effective UID 0. The contents are readable, but the password fields are salted hashes, not plaintext. Undo the experiment immediately afterwards (chmod u-s): a setUID-root cat lets every local user read every file on the system.

0x02 Root under Linux

On an ordinary Linux distribution, switching to root is a matter of running the su command and entering root's password (su with no argument switches to root). The su binary itself is owned by root and setUID, which is what lets it perform the switch.

0x03 Root on Android

On a non-rooted Android device, however, there is no su binary at all: running su in an adb shell simply reports "su: not found".

On a device that has already been rooted, the binaries behind the commands available in adb shell live in /system/bin, and a su file is present there.

That su is only a symbolic link to /system/xbin/su.

Listing /system/xbin/su shows that it is owned by root and carries the setUID bit (rws in the owner triple), exactly like passwd on Linux.

Adding a file to the system partition under /system/xbin itself requires root; setting the owner of the su file to root requires root; and setting the setUID bit on a root-owned file also requires root.

This is a chicken-and-egg problem: to use su you must already have root. The way out is an Android vulnerability. Many native processes in the Android system run as root; if one of them has an exploitable vulnerability, the exploit gains code execution with that process's root identity and can then do what su needs:

1. copy the su file into the system partition at /system/xbin;
2. set the owner of the su file to root;
3. set the setUID bit on su, so that later your own process can run su and obtain root.

That is the whole of the root principle of Android: the setUID bit lends root's identity to whoever runs su, and a root-process vulnerability is used once to put such a su in place. At this point you should have a deeper understanding of "what is the root principle of Android"; trying it out in practice is the best way to make it stick. Follow us for more related content and to continue learning!
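The three steps above, and the check that goes with the cat experiment from 0x01, as one added example (not code from the article and not any rooting tool's code). The first function reduces "plant a setUID-root su" to its file operations; the others enumerate setUID files and diff them against a baseline, which is how a defender or auditor notices a planted su (or a forgotten setUID cat). Paths are parameters so it runs on a scratch directory without root or a device; on a real device the destination would be /system/xbin, which assumes the legacy read-write /system layout the article describes, reachable only after mount -o remount,rw /system from a uid-0 shell. The fake su script it plants is constructed for the demonstration; on a device the same find flags should be available in toybox.

```shell
#!/bin/sh
# Added example: plant a setUID su, then detect it against a baseline.

# Step 1-3 of the article: copy su, chown to root, chmod 4755.
# Order matters: Linux clears the setUID bit when a file's owner changes,
# so chmod must come after chown. chown only succeeds as uid 0, and the
# kernel only hands out the *owner's* uid when running a setUID file, so a
# copy owned by an ordinary user is harmless. The chown failure is tolerated
# here purely so the scratch-directory demo can run unprivileged.
install_su() {
    src=$1 dest_dir=$2
    cp "$src" "$dest_dir/su" || return 1
    chown root:root "$dest_dir/su" 2>/dev/null || true
    chmod 4755 "$dest_dir/su"
}

# All setUID files below a directory, one per line, sorted.
# find -perm -4000 matches files with at least the 04000 bit set;
# an optional $2 restricts the list to files owned by that user.
list_setuid() {
    if [ -n "$2" ]; then
        find "$1" -type f -perm -4000 -user "$2" 2>/dev/null | sort
    else
        find "$1" -type f -perm -4000 2>/dev/null | sort
    fi
}

# setUID files present now that were absent from a baseline taken on a
# known-good image:
#   list_setuid /system > baseline.txt      (on the trusted image)
#   new_setuid baseline.txt /system         (later, on the device under test)
new_setuid() {
    baseline=$1 dir=$2
    list_setuid "$dir" | comm -13 "$baseline" -
}

# Scratch run: build a fake xbin, baseline it, plant su, diff.
demo_plant_and_detect() {
    work=$(mktemp -d) || return 1
    mkdir "$work/xbin"
    # Constructed stand-in for a real su binary.
    printf '#!/bin/sh\necho "would exec a root shell here"\n' > "$work/su.bin"
    list_setuid "$work/xbin" > "$work/baseline.txt"   # empty: nothing setUID yet
    install_su "$work/su.bin" "$work/xbin"
    found=$(new_setuid "$work/baseline.txt" "$work/xbin")
    rm -rf "$work"
    printf '%s\n' "${found##*/}"                       # prints: su
}
```

The baseline diff is the useful part in practice: a stock image has a short, stable list of setUID files, so anything new on that list is worth explaining, whether it arrived through a rooting tool or through an exploit you did not run yourself.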
