Vedant Misra



Rooting Android

Android was rooted quite a while ago by a hacker who posts at c-skills.blogspot.com.  

Like many others, I tried out the exploit he installed to see if I could make my phone more interesting (this is something it's now okay to admit to).  This got me wondering about whether the exploit for Android is generalizable---is there any way it can be applied to Linux generally?

Short answer: no.

Rage Against the Cage (RAtC) exploits the fact that the Android Debug Bridge daemon (adb) on Android devices starts as root by default, and calls setuid to drop its privileges to those of a shell account.

The ADB daemon is what runs on Android phones to enable Android software developers to communicate with the phones they're testing their software on.  This kind of issue doesn't exist in Linux in general, so the exploit probably can't be generalized.  

Nonetheless, here is some more detail on how RAtC works: In Linux, a system-wide resource limit, RLIMIT_NPROC, defines the maximum number of simultaneous processes allowed by the system (Android, in this case). RAtC checks this limit, and spawns processes that do nothing until Android's limit is reached. This is called a fork bomb.

With the number of processes maxed out, RAtC kills the running adb process on the phone. The process that starts adb when the phone is turned on tries to ensure that adb is always running, so it restarts adb.  There's a race condition for that parent process to overcome here, because the adb process must be spawned while RLIMIT_NPROC is already nearly maxed out. Adb restarts by default as root, which it needs to do so that developers can properly debug their software. It then quickly checks if it does indeed need to keep running as root, or if it can downgrade its privileges because root access isn't necessary.

The former is only true when Android is running in a sandboxed emulator on a developer's computer or if the Android build is a debugging version, so it tries to drop its privileges using setuid. But RAtC's fork bomb has already maxed out the number of processes already running, so the call to setuid fails, and adb keeps running as root. With adb running as root, we can do whatever we want on the device. This is also a post on Quora.